When did it happen
The data breach occurred between April 2023 and September 2023.
What happened
In late 2023, 23andMe admitted that customer data was leaked online.
What data was affected
About 5.5 million customers’ DNA Relatives profile information was accessed without authorization.
Additionally, the Family Tree profile information of around 1.4 million DNA Relatives participants was compromised.
How did it happen
Hackers started breaking into customer accounts using a technique called “credential stuffing.” This involves using previously compromised login credentials to gain unauthorized access.
When did 23andMe realize it
The breach went unnoticed by 23andMe until September 2023.
How did 23andMe respond
The company sent letters to affected customers explaining the breach and advised them to change their passwords.
When did customers find out
23andMe did not detect any suspicious activity until a user posted about the stolen data on the 23andMe subreddit in October.
What was compromised
The stolen information included customer names, birth dates, ancestry, and health-related data.
Any additional details
Hackers had already advertised the stolen data on a hacker forum in August, but 23andMe was unaware of this post.
What about legal action
Before notifying customers, 23andMe changed the language in its terms of service, potentially making it more challenging for affected individuals to pursue legal action against the company.