
A class action lawsuit has been filed against 23andMe following a data breach that exposed the personal details of possibly millions of its users.

The suit, filed on Monday, accuses the company of failing to protect its users’ data. 23andMe confirmed the breach on Friday. However, the company said the threat actor accessed users’ data via credential stuffing, and its systems are uncompromised.

“While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe were the same as those used on other websites that have been previously hacked,” 23andMe said in a blog post.

This week, multiple news outlets have reported that the stolen data is on sale on the dark web. A portion of the data reportedly contained information about people with Ashkenazi Jewish ancestry.

Stolen Personal Data on Sale

The stolen data reportedly includes users’ names, locations, ethnicities, genders, birth years, and other profile information.

It’s unclear exactly how many 23andMe users are affected. Multiple reports indicate there are over 1.3 million data points in the trove on the dark web. 23andMe boasts up to 14 million users.

23andMe said the breach affected users who opted for its DNA Relatives feature. This feature allows users to connect with potential distant relatives.

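Credential stuffing, the method 23andMe says was used to access the affected accounts, is a common technique for taking over accounts: threat actors try username and password pairs leaked in earlier breaches of other websites against a different service's login.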

Last year, New York State Attorney General Letitia James revealed that over 1.1 million online accounts belonging to 17 “well-known” businesses were targeted in credential stuffing attacks.

23andMe said it is working with third-party forensic experts to investigate the breach and is also collaborating with law enforcement. Meanwhile, the company is reaching out to affected users.

23andMe’s Security Recommendations

The significance of this breach cannot be overstated, given the sensitive nature of genetic data. Voicing concerns about the breach, one affected 23andMe user told NBC News, “Crazy, this could be used by Nazis.”

23andMe has recommended that its users ensure they’re using a strong password and activate multi-factor authentication. Read our guide to creating a secure password to learn how to improve your passwords and make your accounts impenetrable.

For more cybersecurity tips, consult our guide to staying safe online.
