23andMe, a leading genetic testing company, admitted to a significant data breach that transpired unnoticed for an alarming duration, stretching from April to September 2023. Initially disclosed late in 2023, the breach exposed the DNA Relatives profiles of approximately 5.5 million customers and the Family Tree profile information of 1.4 million DNA Relative participants. Additional details emerged from the company’s recent legal filing, revealing that malicious actors initiated the breach in late April, persisting for months before 23andMe became aware of the security compromise in September.
The legal filing not only outlined the timeline of the breach but also shed light on the attackers’ methodology. The hackers employed a technique known as credential stuffing, leveraging previously compromised login credentials to gain unauthorized access to customer accounts through the company’s website. The company, however, remained oblivious to these activities until October, when a user posted a sample of the stolen data on the 23andMe subreddit. Astonishingly, hackers had advertised the pilfered information on a hacker forum in August, but 23andMe failed to detect this warning. The exposed data included sensitive customer information such as names, birth dates, and intricate details related to ancestry and health.
Following the data breach disclosure, 23andMe promptly advised affected users to change their passwords. However, the company faced scrutiny for altering the language in its terms of service before notifying customers. This modification reportedly made it more challenging for affected individuals to unite and pursue legal action against the company. The incident underscores not only the sophistication of cyber threats but also the need for companies to remain vigilant, transparent, and proactive in safeguarding customer data and promptly addressing security lapses.