Last year was a bad year for cybersecurity. Just months after US Government emails were hacked, in October 2023 the biotech company 23andMe admitted that it, too, had been the victim of hacking.
According to Reuters, the breach affected roughly 5.5 million customers, whose information bad actors were able to access online, along with the Family Tree profile information of 1.4 million DNA Relative participants.
The company filed a data breach notification last week, and in this letter, more details emerged about the cyber-attack.
New information has emerged about the hack
A new legal filing revealed that hackers first started breaking into customers’ accounts in April 2023, and that this continued right up until the end of September that year. This means that the attack went on unnoticed for five months before it was eventually detected by the genetic testing company. But by that point, it was too late. As reported by TechCrunch, the genetic data of roughly 6.9 million people had already been stolen, which accounts for roughly half of the company’s customer base.
23andMe became aware of the breach after hackers provided a sample of the data they stole on the 23andMe subreddit and other forums. However, according to TechCrunch, the company failed to notice hackers advertising the stolen data on forums as far back as August.
The filing, which is available in the public domain, also includes letters from 23andMe to affected customers. It was in these letters that 23andMe confirmed that the bad actors gained access to customer data via a technique known as ‘credential stuffing’, in which username and password pairs compromised in earlier breaches of other services are replayed against a site’s login page, relying on customers having reused the same password. Some of the data the hackers stole includes birth years, relationship labels, locations, DNA percentages, and customer names.
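Because credential stuffing uses valid passwords, each individual login looks legitimate; what gives it away is the pattern of one source trying many different accounts in a short time with a low success rate. The detector below is an added example, not 23andMe's code or a reconstruction of their logs: it parses constructed authentication log lines in a hypothetical `timestamp src= user= result=` format, flags sources that hit at least `min_users` distinct accounts inside a sliding time window with a success ratio at or below `max_success_ratio`, and lists the accounts that did succeed from such a source, since those are the likely takeovers that need a forced password reset and two-step verification.

```python
"""Credential-stuffing detector over authentication logs.

Added example (not 23andMe's code). Heuristic: a single source address that
tries many distinct usernames in a short window, mostly failing, behaves like
an automated replay of leaked credential pairs; any login that succeeded from
such a source is a probable account takeover.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; the addresses are
# documentation ranges and the usernames are made up.
SAMPLE_LOG = """\
2023-04-03T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-04-03T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-04-03T10:00:03Z src=203.0.113.7 user=carol result=OK
2023-04-03T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2023-04-03T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2023-04-03T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2023-04-03T10:00:07Z src=203.0.113.7 user=grace result=OK
2023-04-03T10:00:08Z src=203.0.113.7 user=heidi result=FAIL
2023-04-03T10:05:00Z src=198.51.100.9 user=alice result=FAIL
2023-04-03T10:05:30Z src=198.51.100.9 user=alice result=FAIL
2023-04-03T10:06:00Z src=198.51.100.9 user=alice result=OK
2023-04-03T11:00:00Z src=192.0.2.44 user=ivan result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log_text):
    """Return a list of (timestamp, src, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line must not crash the detector
        ts, src, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "OK"))
    return events


def max_distinct_users_in_window(attempts, window):
    """Two-pointer sweep over time-sorted (timestamp, user) pairs.

    Returns the largest number of distinct usernames seen inside any span
    of length `window`.
    """
    counts = defaultdict(int)
    best = 0
    left = 0
    for t_right, user_right in attempts:
        counts[user_right] += 1
        # Drop attempts that have fallen out of the window on the left.
        while t_right - attempts[left][0] > window:
            user_left = attempts[left][1]
            counts[user_left] -= 1
            if counts[user_left] == 0:
                del counts[user_left]
            left += 1
        best = max(best, len(counts))
    return best


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.5):
    """Flag sources whose login pattern looks like credential stuffing.

    A normal user retrying their own password hits one account, so the
    distinct-user threshold leaves them alone; a replay of leaked pairs
    fans out across many accounts and mostly fails.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        distinct = max_distinct_users_in_window([(t, u) for t, u, _ in rows], window)
        successes = [u for _, u, ok in rows if ok]
        ratio = len(successes) / len(rows)
        if distinct >= min_users and ratio <= max_success_ratio:
            findings[src] = {
                "distinct_users": distinct,
                "attempts": len(rows),
                "success_ratio": round(ratio, 2),
                # Accounts that were actually opened from the stuffing source:
                # force a password reset and two-step verification on these.
                "compromised": sorted(set(successes)),
            }
    return findings


def report(log_text=SAMPLE_LOG):
    return detect_stuffing(parse(log_text))


if __name__ == "__main__":
    for src, info in report().items():
        print(src, info)
```

On the sample data only `203.0.113.7` is flagged (eight accounts in seven seconds, two of them opened), while `198.51.100.9`, a single user fumbling their own password, is not. A per-source threshold is only a first line of detection: stuffing campaigns are routinely spread across many addresses to stay under it, so it should be paired with fleet-wide signals such as a spike in failure rate for the whole login endpoint and checks of submitted passwords against known-breached lists.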
When they were made aware of the breach, numerous customers tried to band together and sue 23andMe in a class-action lawsuit. The company then sparked controversy by changing the language of its terms of service, which, purportedly, made it harder for customers to sue.
In a statement in December, 23andMe said: “Since detecting the incident, we emailed all customers to notify them of the investigation and are continuing to notify impacted customers, based on applicable laws. We also required every 23andMe customer to reset their password. In addition, 23andMe now requires all new and existing customers to log in using two-step verification. Protecting our customers’ data privacy and security remains a top priority for 23andMe, and we will continue to invest in protecting our systems and data.”