23andMe Data Breach Exposes Millions: A Closer Look

October 02, 2023


Overview

In October 2023, genetic testing company 23andMe experienced a significant data breach that exposed the personal information of approximately 6.9 million users. This breach was primarily due to a credential stuffing attack, where hackers used previously compromised credentials to access user accounts.

Detailed Incident

The attack was not detected until several months after it began, highlighting a serious lapse in security detection at 23andMe. Once discovered, the unauthorized activity was traced back to April 2023 and found to have continued undetected until September 2023. The attackers accessed a vast array of personal data, including health predispositions, wellness reports, and ancestry information.

Company’s Response

23andMe responded to the breach by disabling some features of the DNA Relatives tool to prevent further data exposure and by implementing mandatory password resets and two-factor authentication for all users. The company also engaged federal law enforcement and third-party forensic experts to bolster security and prevent future incidents.

The breach has led to several class-action lawsuits, accusing 23andMe of failing to protect customer data adequately. This legal action underscores the growing legal implications for companies that suffer data breaches, especially those involving sensitive health information.

Lessons Learned

This incident serves as a crucial reminder of the risks associated with credential stuffing and the importance of robust security measures like two-factor authentication. It also highlights the need for continuous monitoring and quick response mechanisms to detect and mitigate such breaches promptly.
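The kind of continuous monitoring described above can be quite simple. The following is an added example, not 23andMe's code: a detector that reads constructed authentication log lines (the format `timestamp src_ip username LOGIN_OK|LOGIN_FAIL` and the thresholds are assumptions) and flags sources that behave like credential stuffing, i.e. one source trying many distinct usernames with mostly failures. It also lists the accounts that succeeded from a flagged source, which are the ones to force a password reset on.

```python
"""Credential-stuffing detector over authentication logs (added example).

Assumed log format per line: "<timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
Credential stuffing differs from brute force: many *different* usernames from one
source, each tried once or twice, with a low but non-zero success rate.
"""
from collections import defaultdict

# Constructed sample log lines (not real data). 203.0.113.7 sprays ten accounts;
# 198.51.100.2 is one user mistyping a password once, then logging in.
SAMPLE_LOG = """\
2023-09-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2023-09-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2023-09-01T10:00:02 203.0.113.7 carol LOGIN_OK
2023-09-01T10:00:03 203.0.113.7 dave LOGIN_FAIL
2023-09-01T10:00:03 203.0.113.7 erin LOGIN_FAIL
2023-09-01T10:00:04 203.0.113.7 frank LOGIN_FAIL
2023-09-01T10:00:05 203.0.113.7 grace LOGIN_OK
2023-09-01T10:00:06 203.0.113.7 heidi LOGIN_FAIL
2023-09-01T10:00:07 203.0.113.7 ivan LOGIN_FAIL
2023-09-01T10:00:08 203.0.113.7 judy LOGIN_FAIL
2023-09-01T10:01:00 198.51.100.2 alice LOGIN_FAIL
2023-09-01T10:01:05 198.51.100.2 alice LOGIN_OK
"""

def parse_log(text):
    """Return a list of (timestamp, src_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "LOGIN_OK"))
    return events

def detect_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag sources that tried >= min_users distinct accounts with a low success rate.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _ts, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["successes"] += int(ok)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "successes": s["successes"], "success_rate": round(rate, 2)}
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: reset these."""
    return {user for _ts, ip, user, ok in events if ok and ip in flagged}
```

Run over the sample, the sprayer is flagged (10 distinct users, 2 successes out of 10 attempts) while the single retrying user is not; the two accounts to reset are carol and grace.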

For more details, visit the Wikipedia page on the 23andMe data leak and further reporting from TechRadar and Twingate.