When 23andMe confirmed that it had been breached and hackers had stolen the genetic and ancestry data of 7 million users, it reinforced what many have believed for years: sharing DNA and ancestry data with Silicon Valley is a bad idea. The fallout from the hack has been evolving as 23andMe continues to deflect and slow-roll disclosing the extent of the damage. It’s already led to multiple class action lawsuits against the company.
Now, the company is blaming its users for “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.” The statement was provided to affected users in an email verified by TechCrunch.
23andMe Hackers could “access anything” of 14,000 user accounts
The hack originated in October 2023 and the company first stated that the personal data of 0.1% of customers, or about 14,000 individuals in a filing with the Securities and Exchange Commission. It admitted that of the 14,000 user accounts, the hackers would be able to “access anything available” on those accounts, including health and ancestry information.
It added a vague statement clarifying the extent of data access by the hackers: “a significant number of files containing profile information about other users’ ancestry.” How it defined “other users” was never clarified.
It has since been revealed that the “other users” – which comprise the remainder of the hack – are users who opted in for the company’s “DNA Relatives” feature. DNA Relatives allows users to provide select information to others on 23andMe who might be a close DNA match.
How Hackers Leveraged 14,000 Accounts to 7 Million Customers Affected
The initial attack consisted of hackers using a low-effort tactic of credential stuffing, where accounts are brute-forced with passwords that were known to be associated with the targeted customers. Credential stuffing is a popular technique hackers utilize to gain access to accounts across various platforms because attackers know people are notoriously prone to reusing credentials out of laziness and convenience.
Indeed, credential stuffing was used as the primary method to breach accounts in the past year alone on platforms such as PayPal, Draft Kings, Norton Lifelock, and Chick-fil-A.
Once the 23andMe hackers accessed the initial 14,000 targeted accounts, they were able to pivot to gain access to the personal information of over 6.9 million 23andMe customers who opted into the DNA Relatives feature.
Hackers were then able to copy and exfiltrate the data of the 7 million 23andMe accounts.
The stolen data included the display name, how recently they logged into their account, the percentage of DNA shared with their DNA Relatives’ matches, and the predicted relationship with that person, in a 23andMe statement. Other optional, self-reported data such as geographic location, birth year, family tree, and photos uploaded were also accessible to the hackers.
Let the 23andMe Class Action Lawsuits Begin
Multiple class action lawsuits against 23andMe, among many other individual lawsuits, are already well underway.
Lawyers representing many of the 23andMe victims are in the process of suing the company for its poorly architected security controls and data privacy measures that hackers were able to exploit.
And they’re quickly responding back to the company’s attempt to deflect responsibility and blame its own customers.
A 23andMe class action lawsuit filed in the U.S. District Court for the Northern District of Illinois (Alyson Hu v. 23andMe Inc., Case No. 1:23-cv-17079) asserts claims of negligence and violation of the Illinois Genetic Information Privacy Act.
“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Hassan Zavareei, an attorney representing 23andMe victims in a statement to TechCrunch.
23andMe Changes Terms of Service, MFA Requirements
If the above isn’t insulting enough to the affected customers, 23andMe recently changed its terms of service to make it more difficult to be sued or for customers to unite against the company as a result of its carelessness.
The new terms of service state that customers are forced to give up filing arbitration claims together – also known as “mass arbitration” or “arbitration swarms” – against 23andMe.
23andMe’s lawyers are also predictably pushing back against victim lawsuits. The company’s lawyers argue that the stolen data cannot be used to inflict monetary damage against the victims. This is of course baseless, as stolen identities cost Americans over $56 billion in a 2021 report. Even phishing emails and robocalls cost the average American $1,100 in damages – let alone imagine the damage of stolen genetic and ancestry data for building possible personal networks for advanced targeting techniques.
The company has since mandated the use of multifactor authentication (MFA) on customer accounts, which was only optional before the breach.
