Genetic testing giant 23andMe has finally revealed the full extent of the data breach that occurred in late 2023. In a legal filing, the company disclosed that hackers were able to access the DNA Relatives profile information of approximately 5.5 million customers and the Family Tree profile information of 1.4 million DNA Relatives participants. Shockingly, the breach began in late April 2023 and persisted for months before 23andMe was made aware of the cyberattacks in September of that year.
The company’s legal filing also contained copies of letters that were sent to affected customers, detailing the nature of the security breach. According to the letters, the attackers employed a technique known as credential stuffing, which involved using previously compromised login credentials to gain unauthorized access to customer accounts on the 23andMe website. 23andMe became aware of the breach only after a user posted a sample of the stolen data on the 23andMe subreddit in October; the information had already been advertised on a hacker forum in August. The stolen data included customer names, birth dates, ancestry, and sensitive health-related information.
Following the disclosure of the breach, 23andMe advised affected users to change their passwords. However, prior to notifying customers, the company altered the language in its terms of service in a move that reportedly made it more difficult for those affected by the breach to pursue legal action against the company.
The breach has raised significant concerns about the security and privacy of genetic testing data. As genetic testing becomes increasingly popular, the protection of sensitive customer information is of the utmost importance. The fact that hackers were able to access such a vast amount of personal data for an extended period is deeply troubling and highlights the need for robust cybersecurity measures in the genetic testing industry.
In response to the breach, 23andMe has stated that it is taking steps to enhance its security protocols to prevent similar incidents from occurring in the future. The company has also reiterated its commitment to protecting customer data and ensuring the safety and privacy of its users.
The fallout from the breach may have far-reaching implications for 23andMe, as affected customers and privacy advocates express concerns about the company’s handling of the incident. The alteration of the terms of service, in particular, has raised questions about 23andMe’s transparency and commitment to accountability.
As the investigation into the breach continues, 23andMe’s handling of the situation will undoubtedly come under close scrutiny. The company will need to demonstrate a genuine commitment to address the concerns of affected customers and to implement meaningful changes to safeguard the privacy and security of customer data.
In the aftermath of the breach, it is clear that the protection of genetic testing data must be a top priority for companies in the industry. The 23andMe breach serves as a stark reminder of the potential consequences of failing to adequately safeguard sensitive personal information, and the importance of robust cybersecurity measures in protecting customer data.