
23andMe Data Breach Investigation

Thank you for considering The Lyon Firm. At this time, we are not accepting plaintiffs related to this specific consumer issue. However, if you would like to be contacted in the future, please complete the contact form. By completing the form you will be contacted if the Firm begins accepting new cases on this matter, and you will also be included in firm news alerts related to important consumer safety and privacy issues to help keep you informed about related issues.

The Lyon Firm is investigating a data theft incident reported by 23andMe which could potentially impact millions of American consumers. Our lawyers are currently handling numerous data privacy cases on behalf of data breach victims nationwide. Contact us for a free legal consultation.

What Happened at 23andMe?

The popular genetic testing company 23andMe has confirmed that sensitive data from certain users has been compromised. On October 4th, a threat actor began offering to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many profiles were purchased. The hackers claim to have stolen data on “half” of the website’s users, which amounts to millions of profiles.

To clarify, the company said its IT systems were not breached; rather, the hackers gained access to some accounts by guessing those users’ login credentials. From those accounts, the attackers then scraped other people’s information from the DNA Relatives feature, which is shared for other users to see.

Using credentials exposed in one breach to log into other accounts where the same username and password have been reused is known as “credential stuffing.” The technique has been in use for many years and is usually easily averted by using strong passwords that are not reused across sites, together with two-factor authentication.
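As an added illustration, not part of the original article and not 23andMe’s own detection logic, the following Python script shows how a defender can tell credential stuffing apart from ordinary failed logins in authentication logs. Stuffing spreads a small number of guesses across many different accounts and succeeds only where a password was reused, so the signal is one source address hitting many distinct usernames with a low success rate. The log format, IP addresses (from documentation ranges), usernames and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example): one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.5 tries one guess each against twelve different
# accounts and gets in once (a reused password); 198.51.100.7 is a genuine user
# who mistypes twice and then logs in normally.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2023-10-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2023-10-01T10:00:04Z ip=203.0.113.5 user=dave result=fail
2023-10-01T10:00:05Z ip=203.0.113.5 user=erin result=fail
2023-10-01T10:00:06Z ip=203.0.113.5 user=frank result=fail
2023-10-01T10:00:07Z ip=203.0.113.5 user=grace result=fail
2023-10-01T10:00:08Z ip=203.0.113.5 user=heidi result=fail
2023-10-01T10:00:09Z ip=203.0.113.5 user=ivan result=fail
2023-10-01T10:00:10Z ip=203.0.113.5 user=judy result=fail
2023-10-01T10:00:11Z ip=203.0.113.5 user=kelly result=ok
2023-10-01T10:00:12Z ip=203.0.113.5 user=leo result=fail
2023-10-01T10:05:00Z ip=198.51.100.7 user=alice result=fail
2023-10-01T10:05:20Z ip=198.51.100.7 user=alice result=fail
2023-10-01T10:05:40Z ip=198.51.100.7 user=alice result=ok
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_stuffing(lines, min_attempts=10, min_distinct_users=8, max_success_ratio=0.2):
    """Flag source IPs whose login pattern looks like credential stuffing.

    A brute-force attack on one account yields many attempts against few users;
    a stuffing run yields many attempts across many users with a low success
    rate, because only accounts that reused a leaked password let the attacker
    in.  Returns {ip: stats} for every flagged IP.  Thresholds are assumptions.
    """
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "ok":
            s["successes"] += 1

    flagged = {}
    for ip, s in stats.items():
        ratio = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "successes": s["successes"],
                "success_ratio": round(ratio, 3),
            }
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts a flagged IP actually logged into: these are the ones that need
    a forced password reset and MFA enrolment first."""
    hit = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in flagged and rec["result"] == "ok":
            hit.add(rec["user"])
    return hit


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = detect_stuffing(lines)
    print("flagged sources:", flagged)
    print("accounts to reset:", sorted(accounts_to_reset(lines, flagged)))
```

Run as-is, the script flags only 203.0.113.5 and names kelly as the account that needs an immediate reset; the real user on 198.51.100.7 is left alone because a handful of failures against a single account is normal behaviour. The same per-source, distinct-user counting works on a rolling time window in production, and enforcing MFA removes the value of a correct password guess altogether.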

The hackers posted an initial data sample and began selling what they claim are 23andMe profiles. The stolen personal data includes name, sex, photos, location, birth year, and some details about genetic ancestry results. The leaked information does not yet appear to include specific genetic data.

The company has not entirely determined what kind of data the threat actor exfiltrated, and the investigation is ongoing. A 23andMe spokesperson told reporters that the leaked information is derived from some hacked user accounts which were then used to scrape data visible in DNA Relatives.

A data breach at a genetic testing company is not surprising to experts. Personal health information, biometrics and medical data are valuable to cybercriminals and can be sold or used for medical identity theft. Many data privacy advocates urge both consumers and companies to protect sensitive genetic information to the best of their ability. Storing the data online and sharing it on profiles could be described as reckless by some standards.

What is 23andMe?

23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and in turn receive an ancestry and genetic predispositions report.

This isn’t the first time a hacker has tapped into a DNA and genealogy data platform. In 2018, MyHeritage confirmed a data breach that impacted 92 million users. The popularity of these services has perhaps overshadowed the identity theft and fraud risks to consumers who store data online.

Brett Callow, a threat analyst at security firm Emsisoft, says these particular data theft incidents highlight “the risks associated with DNA databases.” He says the idea of opting into the sharing of data on the DNA Relatives feature is “particularly concerning.”

What Can You Do Following a Data Breach Incident?

After any data privacy violation, you are encouraged to remain vigilant for any fraudulent activity on your accounts and to change passwords of e-mail and related online accounts as soon as possible. It is not always clear what bad actors can do with your personal data, but once your data is leaked it could remain on the dark web forever.

What Actions Has 23andMe Taken?

The above header is the title of a blog post on the company’s website, published after a number of lawsuits were filed in the past week. That was even before millions more individuals were allegedly impacted by the leak. The company explains that the 23andMe data breach investigation is ongoing. They note the following: “Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA). If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.”

To learn more about the 23andMe data breach incident or other ongoing data privacy litigation, you may contact our legal team to discuss your best options moving forward and possible legal action. By filing a class action lawsuit, you can recover compensation for your losses and hold any negligent party accountable for their lack of IT security.