The 23andMe data breach is getting scary


The 23andMe breach that occurred in October has been confirmed to be much worse than previously reported, impacting 6.9 million people, compared to initial estimates of 14,000 users.

Information stolen in the breach included users’ full names, birth years, relationship labels, and locations. About 1.4 million users also had Family Tree profile information on the compromised service. Hackers were also able to access genetic information in the breach, including details about the percentage of common DNA shared with relatives, and specific information such as chromosome matching, according to a spokesperson.

Reports suggest that this data has been sold on the black market, with some ethnic groups having been targeted, and criminals selling a person’s information for $1 to $10 per piece of data. Meanwhile, the ancestry tracking site appeared to cover its tracks, quickly sending users a terms of service update detailing that any legal complaints regarding the matter must be resolved out of court. This will prevent users from filing a class action lawsuit as a primary action unless they opt out of private dispute resolution.

If users wish to file a class action lawsuit, they must collectively opt out of private disputes and can do so by emailing within 30 days of the update, which is December 30. This information is detailed at the end of section five of the 23andMe terms of service update, Gizmodo noted.

In a statement on the matter, 23andMe attempted to shift responsibility further, saying that the breach occurred because members reused passwords from other accounts. In this common cyberattack, known as credential stuffing, hackers take passwords already leaked from other services and try them against accounts on the target site; here that gave them access to an initial 14,000 accounts. From there, they were able to access more company databases to steal information, according to a spokesperson.
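As an added illustration (not code from the article or from 23andMe), the footprint credential stuffing leaves in an authentication log and a simple detection over it. The log format, IP addresses, account names and thresholds are all constructed for the example: a stuffing run tries one leaked password per account across many accounts, so a single source touching many distinct accounts with mostly failures stands out, and the few successes are the reused-password accounts to force-reset.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (hypothetical, not 23andMe data): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.7 alice FAIL
2023-10-01T02:00:02Z 203.0.113.7 bob FAIL
2023-10-01T02:00:02Z 203.0.113.7 carol OK
2023-10-01T02:00:03Z 203.0.113.7 dave FAIL
2023-10-01T02:00:04Z 203.0.113.7 erin FAIL
2023-10-01T02:00:05Z 203.0.113.7 frank OK
2023-10-01T02:00:06Z 203.0.113.7 grace FAIL
2023-10-01T02:01:00Z 198.51.100.2 alice FAIL
2023-10-01T02:01:30Z 198.51.100.2 alice OK
"""

def parse_log(text):
    """Return (timestamp, ip, account, succeeded) tuples from the whitespace-separated log."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, account, outcome == "OK"))
    return events

def find_stuffing_sources(events, window_seconds=300, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that hit many distinct accounts within a short window with a low success rate.
    A user who mistypes a password retries one account; a credential-stuffing run walks a leaked
    list, so it touches many accounts and succeeds only where the password was reused."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        accounts = {a for _, a, _ in evs}
        success_rate = sum(ok for _, _, ok in evs) / len(evs)
        if len(accounts) >= min_accounts and span <= window_seconds and success_rate <= max_success_rate:
            # accounts that logged in OK from a flagged source are the reused-password candidates
            compromised = sorted(a for _, a, ok in evs if ok)
            flagged[ip] = {"accounts_tried": len(accounts),
                           "success_rate": round(success_rate, 2),
                           "compromised": compromised}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(parse_log(SAMPLE_LOG)))
```

Real stuffing runs are usually spread across many proxy addresses, so a per-IP rule catches only the noisy ones; the same counting done across all sources (many accounts, few successes, one client fingerprint) is the more robust view.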

At this time, the full impact of the breach is unknown but will certainly become apparent as time goes by. Experts have noted that while online collection of consumer data is legal, there is the potential for implicit bias that can influence hiring decisions, apartment selection, credit applications, and insurance premiums. In illegal cases, identity theft may occur.

Notably, Meta (formerly Facebook) settled a class action lawsuit for $725 million in April, which detailed that the social media platform allowed the data of their users and friends to be exposed to third parties for profit. The lawsuit adds that Facebook has no rules or privacy protections about how third parties should interact with its users’ data.

The 23andMe breach also had the potential to put genetic data in the wrong hands and be used to make conclusions about individuals based on health information, such as diagnoses or family medical history, Electronic Privacy Information Center legal partner Suzanne Bernstein told the publication.

While many users lack strong password hygiene, other experts note that specialized organizations like 23andMe should be aware of where they stand from a cybersecurity standpoint. Hosting such sensitive data makes these companies prime targets for cyberattacks and calls for additional login requirements, such as two-factor authentication (2FA), so that a reused password alone is not enough to get in.
