23andMe hackers steal sensitive data but company allegedly dismissed it for months

Rosalie Newcombe
Image of the Guy Fawkes mask looking down at a hand, with the 23andMe logo on it.

DNA genetic testing company 23andMe allegedly knew about a cyberattack months before it was disclosed to its customers, according to legal documents.

San Francisco-based biotechnology company 23andMe handles highly sensitive personal information, including customer details, DNA data and the family history of its clients.

When the company disclosed a data breach in October 2023, it put nearly 7 million customers’ information at risk. According to a legal filing the DNA company sent to California’s attorney general, 23andMe may have known about the cyberattack months earlier.

Data breach may have been known five months prior

Image of the Dictionary definition of DNA.

An October 10, 2023 filing with the U.S. Securities and Exchange Commission stated that the DNA testing company had determined at the time that “the threat actor was able to access a very small percentage (0.1%) of user accounts” in instances where customers had reused usernames and passwords from other sites. That equates to around 14,000 accounts accessed directly.

Although the DNA company alerted the public in October 2023, the California attorney general filing indicates that 23andMe may have known about it months before. The document includes a ‘Notice of Data Breach’ letter stating that the company believes a threat actor orchestrated the attack over “the period of late April 2023 through September 2023.”

As TechCrunch first reported, this would mean that 23andMe had allegedly been aware of the data breach for around five months before it surfaced in a post on an unofficial 23andMe subreddit. Since that revelation, the company has not confirmed the timeline or explained why the cyberattack was allegedly dismissed for so long.
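The attack described above is, by 23andMe’s own account, a credential-stuffing campaign: reused usernames and passwords were tried against the login endpoint for months, and a small fraction succeeded. The script below is an added example, not 23andMe’s code and not a description of how their systems work, showing the per-source check a security team would run over login logs to surface such a campaign early. The four-field log format, the IP addresses, the usernames and the alert thresholds are all constructed for illustration. It also runs the same check over the whole history rather than a one-hour window, which is what catches a “low and slow” attacker who spaces attempts out over weeks to stay under per-hour rate limits.

```python
"""Credential-stuffing detector over a constructed authentication log.

Added example, not 23andMe's code. The log format, field names, addresses
and thresholds are assumptions for illustration:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_auth_log(lines):
    """Parse the assumed four-field log format into LoginEvent records."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, user, result = parts
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(hours=1), min_attempts=20,
                               min_distinct_users=15, max_success_rate=0.2):
    """Flag source IPs that try many distinct usernames with a low success rate.

    Credential stuffing looks like this per source: many attempts, almost all
    against different accounts, and a small fraction succeeding (the accounts
    whose owners reused a password). A brute force against one account, or a
    user mistyping their own password, does not match because the distinct
    username count stays low.

    window=None evaluates each source over the whole history instead of a
    sliding window, which catches an attacker spacing attempts out over days.
    Returns {src_ip: summary of the largest matching span}.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            if window is not None:
                while evs[end].ts - evs[start].ts > window:
                    start += 1
            span = evs[start:end + 1]
            if len(span) < min_attempts:
                continue
            users = {e.username for e in span}
            if len(users) < min_distinct_users:
                continue
            successes = sum(1 for e in span if e.success)
            if successes / len(span) > max_success_rate:
                continue
            prev = alerts.get(ip)
            if prev is None or len(span) > prev["attempts"]:
                alerts[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": successes,
                    "compromised_accounts": sorted({e.username for e in span if e.success}),
                    "first_seen": span[0].ts,
                    "last_seen": span[-1].ts,
                }
    return alerts


def constructed_auth_log():
    """Constructed sample log (not real data).

    - 203.0.113.7: 50 usernames in 50 minutes, 2 succeed (fast stuffing run)
    - 203.0.113.9: 30 usernames, one attempt every 6 hours, 1 succeeds
      (low-and-slow run spread over about a week)
    - 198.51.100.20: one real user, a typo then a successful login, then
      another login the next day
    """
    lines = []
    t0 = datetime(2023, 5, 1, 2, 0, 0)
    for i in range(50):
        ok = "OK" if i in (6, 32) else "FAIL"
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 203.0.113.7 user{i:03d} {ok}")
    t1 = datetime(2023, 5, 3, 0, 0, 0)
    for i in range(30):
        ok = "OK" if i == 17 else "FAIL"
        lines.append(f"{(t1 + timedelta(hours=6 * i)).isoformat()} 203.0.113.9 member{i:03d} {ok}")
    lines += [
        "2023-05-01T09:00:00 198.51.100.20 alice FAIL",
        "2023-05-01T09:00:20 198.51.100.20 alice OK",
        "2023-05-02T09:00:00 198.51.100.20 alice OK",
    ]
    return lines


if __name__ == "__main__":
    events = parse_auth_log(constructed_auth_log())
    for label, win in (("1h window", timedelta(hours=1)), ("whole history", None)):
        hits = detect_credential_stuffing(events, window=win)
        print(f"{label}: flagged {sorted(hits)}")
        for ip, a in hits.items():
            print(f"  {ip}: {a['attempts']} attempts, {a['distinct_users']} users, "
                  f"{a['successes']} successes, compromised={a['compromised_accounts']}")
```

With the one-hour window only the fast run from 203.0.113.7 is flagged; the slow run from 203.0.113.9 never has more than one attempt per hour and is only caught when the whole history is evaluated. In practice the source key would be an IP range, ASN or client fingerprint rather than a single address, since stuffing tools rotate through proxy pools, and the list of compromised accounts is what drives the forced password resets.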

In recent developments, a class-action lawsuit against the company, brought by Canadian law firms YLaw and KND Complex Litigation, is being pursued in the Supreme Court of British Columbia, according to reports. The lawsuit is a response to changes 23andMe made to its terms of service after the data breach.

The update stipulates that customers must tell the company they reject the new terms within 30 days, or they are bound by them. These changes could prevent 23andMe customers from suing the company should another data breach occur in the future.

About The Author

Dexerto's Senior Tech Writer. Rosalie is an expert on all things handhelds, and has been picking them up since the original Game Boy, all the way up to the Steam Deck. Before working at Dexerto, they covered all things hardware for PCGamesN and Custom PC. Get in touch via email at rosalie.newcombe@dexerto.com.