23andMe data breach: Hackers stole raw genotype data, health reports

January 25, 2024 at 05:14PM

Genetic testing provider 23andMe suffered a major data breach, with hackers stealing health reports and raw genotype data of 6.9 million customers over a 5-month period. The breach went undetected from April to September. The stolen data was posted on hacking forums and included sensitive information such as health reports and DNA-related data. Multiple lawsuits were filed against 23andMe as a result. The company updated its Terms of Use to limit customers’ ability to join class action lawsuits.

The genetic testing provider 23andMe experienced a significant data breach in which hackers gained access to the health reports and raw genotype data of millions of customers. The breach went undetected for five months, from April 29 to September 27, and the attackers are believed to have used credentials stolen in other data breaches to access customer accounts.

The leaked information includes data for 1 million Ashkenazi Jews and 4.1 million people in the United Kingdom. The stolen data was reportedly posted on hacking forums and unofficial 23andMe subreddit sites.

It was discovered that the threat actor downloaded or accessed uninterrupted raw genotype data and may have also accessed other sensitive information, such as health and wellness reports, carrier status reports, and self-reported health condition information. Customers who used 23andMe’s DNA Relatives feature may have had their relatives’ DNA information scraped as well.

The hackers managed to download the data of 6.9 million people after breaching around 14,000 user accounts. Additionally, 5.5 million individuals had their data scraped through the DNA Relatives feature, and 1.4 million via the Family Tree feature.

In response to this breach, 23andMe took several measures, including requiring all customers to reset their passwords and implementing two-factor authentication for all new and existing customers.

Following the incident, the company faced multiple lawsuits and updated its Terms of Use to restrict customers from joining class action lawsuits against 23andMe, in an effort to make the arbitration process more efficient and easier for customers to understand.
