23andMe admits it didn’t detect cyberattacks for months


Share post:

In a data breach notification letter filed with regulators this weekend, 23andMe revealed that hackers started breaking into customers’ accounts in April 2023 and continued through most of September.

In other words, for around five months, 23andMe did not detect a series of cyberattacks where hackers were trying — and often succeeding — in brute-forcing access to customers’ accounts, according to a legally required filing 23andMe sent to California’s attorney general.

Months after the hackers started targeting 23andMe customers, the company revealed that hackers had stolen the ancestry and genetic data of 6.9 million users, or about half of its customers.

According to the company, 23andMe became aware of the breach in October when hackers advertised the stolen data in posts published on the unofficial 23andMe subreddit and separately on a notorious hacking forum. 23andMe also did not notice that the hackers advertised the stolen data on another hacking forum months earlier in August, as TechCrunch reported.

Contact Us

Do you have more information about this hack? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.

As 23andMe later admitted, hackers were able to access the accounts of around 14,000 customers by brute-forcing into accounts that were using passwords already made public and associated with email addresses from other breaches. With access to those accounts, the hackers stole data on 6.9 million customers by way of the DNA Relatives feature, which lets customers automatically share some of their data with others that 23andMe classifies as relatives. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

23andMe spokespeople did not immediately respond to TechCrunch’s request for comment, which included questions about how the breach went undetected for so long.

After customers were notified that they were victims of the breach, several victims have filed class action lawsuits against 23andMe in the U.S. and Canada, even though the company tried to make it harder for victims to band together in legal actions by changing its terms of service. Data breach lawyers called the terms of service changes “cynical,” “self-serving,” and “a desperate attempt” to protect 23andMe against its own customers.

In one of the lawsuits, 23andMe responded by blaming users for allegedly using reused passwords.

“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” 23andMe claimed in a letter to breach victims. “The incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”

Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Connect with HomeHQ.ai, SOSV, Prepare 4 VC, Latham & Watkins and more at TC Early Stage 2024

We are thrilled to collaborate with some of the most influential players in the startup ecosystem to...

VC Trae Stephens says he has a bunker (and much more) in talk about Founders Fund and Anduril

Last night, for an evening hosted by StrictlyVC, this editor sat down with Trae Stephens, a former...

Waymo can now charge for robotaxi rides in LA and on San Francisco freeways

Waymo received approval Friday afternoon from the California Public Utilities Commission to operate a commercial robotaxi service...

Rabbit’s Jesse Lyu on the nature of startups: ‘Grow faster, or die faster,’ just don’t give up

Rabbit co-founder and CEO Jesse Lyu isn’t afraid of death… the death of the company, at least....

Stay up-to-date on the amount of venture dollars going to underrepresented founders

Venture capital funding has never been robust for women or Black and brown founders. Alongside Crunchbase, we’ve...

MWC 2024: Everything announced so far, including Swayy’s app to tell friends where you’ll be next

The TechCrunch team is in Barcelona this week to bring you all the action going on at...

Is there anything AI can’t do?

Welcome to Startups Weekly — your weekly recap of everything you can’t miss from the world of...

Ultraleap is bringing haptic touch to cars and VR headsets

In May 2019, Ultrahaptics and Leap Motion became Ultraleap (not to be confused with Magic Leap, which...