23andMe admits hackers stole raw genotype data - and that cyberattack went undetected for months

News
By Lewis Maddison
published

Firm says it didn't realize customers were being hacked

Screenshots showing 23andMe on Android
(Image credit: 23andMe)

23andMe has revealed that cyberattacks were targeting customers for months without the company realizing.

According to an obligatory notification letter sent to California's attorney general, accounts belonging to users of the genetic testing firm were being hacked from about April to September 2023, in a series of brute force attacks.

Millions of people's genetic data was leaked on the dark web by the threat actor, after a total of 14,000 users had their accounts breached, according to 23andMe's filing with the Security and Exchanges Commission (SEC). 

Blame game

23andMe only realized that attacks were taking placing in October, when the stolen data was being promoted on an unofficial subreddit and on a popular underground forum. However, some data was also leaked on BreachedForums in August, which the company was not aware of at the time.

The hacks were made possible thanks to email addresses and passwords that were leaked in previous, unrelated breaches. The hackers then brute forced their way in 23andME accounts using these credentials.

In a letter sent to victims of the breaches, 23andMe laid the blame at the feet of customers, as they "negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe."

Even though they hacked into tens of thousands of accounts, the hackers were able to steal personal data on 6.9 million customers thanks to the company's DNA Relatives feature, which allows users to share data with relatives on the platform. 

This data includes the individuals' names, birth year, self-reported location, relationship to others and percentage of DNA shared with them, as well as ancestry reports.

Victims have filed class action lawsuits against 23andMe in response, although the company did try to change its terms of service to try and prevent such action being taken against it.

Via TechCrunch

MORE FROM TECHRADAR PRO

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. 

His area of expertise lies in computer peripherals and audio hardware, including speakers and headphones, having spent over a decade exploring the murky depths of audio production and PC building. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.