In late 2023, genetic testing company 23andMe accepted its customer information was leaked online. Company representative he told us at that time, bad actors were able to access the DNA Relatives profile data of approximately 5.5 million customers and the Family Tree profile data of 1.4 million DNA Relative participants. Now there is company revealed Detailed information about the incident a legal documentationit said that hackers began breaching customer accounts in late April 2023. The activities of the bad actors continued for months and lasted until September 2023 when the company finally became aware of the security breach.
23andMe’s presentation includes letters it sent to customers affected by the incident. In the letters, the company explains that the attackers used a technique called credential stuffing, which involves using previously compromised login credentials to access customer accounts through its website. The company didn’t notice anything amiss until a user posted a sample of the stolen data on the 23andMe subreddit in October. whom TechCrunch It should be noted that the hackers had already announced the stolen data on a hacker forum a few months ago in August, but 23andMe did not notice this post. Stolen information included customer names, dates of birth, ancestry and health information.
23andMe advised affected users to change their passwords after disclosing the data breach. But before sending the letter to the customers, the company changed his language according to its terms of service, this made it difficult for people affected by the incident to join forces and legally go after the company.
