23andMe admits hackers stole raw genotype data – and that cyberattack went undetected for months

Screenshots showing 23andMe on Android

23andMe has revealed that cyberattacks were targeting customers for months without the company realizing.

According to an obligatory notification letter sent to California’s attorney general, accounts belonging to users of the genetic testing firm were being hacked from about April to September 2023, in a series of brute force attacks.

Millions of people’s genetic data was leaked on the dark web by the threat actor, after a total of 14,000 users had their accounts breached, according to 23andMe’s filing with the Securities and Exchange Commission (SEC).

Blame game

23andMe only realized that attacks were taking place in October, when the stolen data was being promoted on an unofficial subreddit and on a popular underground forum. However, some data was also leaked on BreachedForums in August, which the company was not aware of at the time.

The hacks were made possible thanks to email addresses and passwords that were leaked in previous, unrelated breaches. The hackers then brute forced their way into 23andMe accounts using these credentials, a technique commonly called credential stuffing.

In a letter sent to victims of the breaches, 23andMe laid the blame at the feet of customers, as they “negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe.”

Even though they hacked into tens of thousands of accounts, the hackers were able to steal personal data on 6.9 million customers thanks to the company’s DNA Relatives feature, which allows users to share data with relatives on the platform. 

This data includes the individuals’ names, birth year, self-reported location, relationship to others and percentage of DNA shared with them, as well as ancestry reports.

Victims have filed class action lawsuits against 23andMe in response, although the company did try to change its terms of service to prevent such action being taken against it.

23andMe admits hackers stole raw genotype data – and that cyberattack went undetected for months | TechRadar
