23andMe reportedly blames data breach on victims

Update:

• 23andMe reportedly blamed an October 2023 data breach on its customers’ failure to update their passwords for the genetic testing service. 
• The company faces more than 30 complaints in the wake of the data breach, which it confirmed compromised the data of nearly 6.9 million of its users.
• In a letter sent to a group of hundreds of victims addressed Dec. 11 and obtained by TechCrunch, 23andMe argues the incident was not a result of it failing to maintain reasonable security measures.
• 23andMe told the users they should have updated their passwords following previous security breaches of other websites that used the same login credentials.

23andMe data breach overview: 

• Who: 23andMe has confirmed a data breach that affected 6.9 million users. 
• Why: The 23andMe data breach included a variety of account access, including credential stuffing to log in to 0.1% of accounts and access to some data through the DNA Relatives feature, the website reported.
• Where: The 23andMe breach affected accounts across the world.

(Dec. 11, 2023)

23andMe has confirmed a data breach that happened Oct. 10 and affected 6.9 million users, according to Law360.com.

Hackers reportedly accessed 0.1% of accounts using credential stuffing with login data used on other websites that had been previously compromised or were otherwise available, according to an amended filing the company made with the U.S. Securities and Exchange Commission (SEC).

“The threat actor also accessed roughly 5.5 million DNA Relatives profile files,” a company spokesperson said in a statement to Law360 on Dec. 5. “Additionally, roughly 1.4 [million] customers participating in the DNA Relatives feature had their Family Tree profile information accessed, which is a limited subset of the DNA Relative profile information.”

The data accessed in the 23andMe breach varied by user account but generally included ancestry information and, for some, health-related information based on a user’s genetics, the SEC filing said.

The company found out about the data breach after users claimed online that they had accessed the data and were attempting to sell the 23andMe hack information.

23andMe hack costs are $1 million to $2 million with undetermined future expenses

23andMe says it expects to incur between $1 million and $2 million in expenses related to the data breach in the fiscal third quarter that ends Dec. 31.

The company said it is facing class action lawsuits in both federal and state courts, including state court filings in California and Illinois as well as in British Columbia and Ontario, Canada.

23andMe said in the SEC filing that it is too early in the process to assess how the class action lawsuits will finish, what the costs associated with the lawsuits will include and what portion of expenses from the lawsuits will be covered by insurance.

The company also is still determining how it will respond to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies.

Was your data accessed in the 23andMe hack? Let us know in the comments.

Read About More Class Action Lawsuits & Class Action Settlements:

• Columbia University class action claims school failed to safeguard sensitive info, resulting in data breach
• AutoZone class action alleges company responsible for data breach
• Pathward class action claims company failed to safeguard personal info prior to data breach
• Stanley Steemer class action alleges data breach affects current, former customers