It took 23andMe roughly five months to realize a security breach had impacted millions of its customers.
According to a recent legal filing to California’s attorney general, threat actors started hacking into accounts in late April 2023, a practice that continued until September.
A letter from the filing informing customers of the breach says the company started investigating after a third party made an October 1st post on the unofficial 23andMe subreddit advertising their access to customers’ private information. Customer names, dates of birth and ancestry data were part of the stolen information.
The letter states the hackers used credential stuffing, a method in which attackers reuse previously compromised login credentials to get into accounts.
According to TechCrunch, the breach impacted the ancestry and genetic data of 6.9 million users, making up half its customer base. While the hackers were only able to access the accounts of 14,000 customers, the platform’s DNA Relatives feature, which allows users to share data with others, led to the final number of impacted users being in the millions.
Canadians were part of the 23andMe data breach, leading to a class action lawsuit in B.C.
TechCrunch further notes October wasn’t the first time the hackers shared the stolen data. They had done so months earlier in August on a hacking forum, but the company didn’t appear to notice.
Source: Office of the Attorney General Via: TechCrunch