23andMe Admits Failure to Detect Cyberattacks for Months

In a shocking revelation, 23andMe has filed a data breach notification letter with regulators, revealing that hackers broke into customers’ accounts in April 2023 and continued their attacks until September. The company’s admission comes after months of denying any knowledge of the breach.

Timeline of Events

  • April 2023: Hackers start targeting 23andMe customers, attempting to brute-force access to their accounts.
  • August 2023: Hackers advertise stolen data on a notorious hacking forum. However, 23andMe fails to notice this incident.
  • October 2023: 23andMe becomes aware of the breach when hackers post about the stolen data on the unofficial 23andMe subreddit and another hacking forum.

Scope of the Breach

The hackers stole the ancestry and genetic data of 6.9 million users, approximately half of 23andMe’s customer base. The breached data includes:

  • Personal information: Users’ names, birth years, and self-reported locations.
  • Genetic data: DNA relatives’ relationship labels, percentage of DNA shared, and ancestry reports.

How the Breach Went Undetected

According to 23andMe’s admission, hackers were able to access around 14,000 customer accounts by brute-forcing passwords that had already been made public in other breaches, a technique known as credential stuffing. The company failed to detect this activity for several months, allowing the hackers to steal data on millions of users.

Consequences and Reactions

  • Customer notifications: Victims received notification of the breach, leading some to file class-action lawsuits against 23andMe.
  • Lawsuits: Data breach lawyers have called out 23andMe’s terms-of-service changes as "cynical" and "self-serving."
  • Company response: 23andMe has attempted to shift blame onto users for allegedly reusing passwords.

Contact Us

If you have more information about this hack or would like to share your experience, please contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Telegram/Keybase @lorenzofb, or email lorenzo@techcrunch.com.
