23andMe has revealed that cyberattacks were targeting customers for months without the company realizing.
According to an obligatory notification letter sent to California's attorney general, accounts belonging to users of the genetic testing firm were being hacked from about April to September 2023, in a series of brute force attacks.
Millions of people's genetic data was leaked on the dark web by the threat actor, after a total of 14,000 users had their accounts breached, according to 23andMe's filing with the Security and Exchanges Commission (SEC).
23andMe only realized that attacks were taking placing in October, when the stolen data was being promoted on an unofficial subreddit and on a popular underground forum. However, some data was also leaked on BreachedForums in August, which the company was not aware of at the time.
The hacks were made possible thanks to email addresses and passwords that were leaked in previous, unrelated breaches. The hackers then brute forced their way in 23andME accounts using these credentials.
In a letter sent to victims of the breaches, 23andMe laid the blame at the feet of customers, as they "negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe."
Even though they hacked into tens of thousands of accounts, the hackers were able to steal personal data on 6.9 million customers thanks to the company's DNA Relatives feature, which allows users to share data with relatives on the platform.
This data includes the individuals' names, birth year, self-reported location, relationship to others and percentage of DNA shared with them, as well as ancestry reports.
Victims have filed class action lawsuits against 23andMe in response, although the company did try to change its terms of service to try and prevent such action being taken against it.
MORE FROM TECHRADAR PRO
- Here are the best password manager options to keep your credentials strong
- One of the biggest data leaks ever has just been revealed - here's what to do if you've been hit
- What is a data breach?
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers.
His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.
He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.