- 23andMe found out it was hacked five months after it was breached, per a regulatory filing.
- The DNA testing company said it was breached in May but didn’t find out until October from Reddit posts.
- The firm reportedly blamed customers for the breach, saying they didn’t update their passwords.
23andMe customer accounts were breached by hackers last year, but it took the DNA testing company five months to detect the intrusion.
In a data breach notification filing last week, the company revealed that it only discovered the attack in October.
Hackers orchestrated an attack starting in May 2023 that continued until September, according to the filing. Nearly 7 million users were affected, or about half its customer base.
The company learned about the attack after stolen customer data was advertised on Reddit, as well as on the darkweb forum BreachForums, per the filing.
23andMe said it “immediately” started investigating the attack after becoming aware of it in October and contacted federal law enforcement.
The filing stated: “On October 10, we required all 23andMe customers to reset their password. On November 6, we required all new and existing customers to login using two-step verification.”
Its investigation found that customer information about their ancestry was accessed, 23andMe said. The company was then hit by a series of lawsuits from victims of the breach.
23andMe previously told Business Insider that the hackers gained access to customer data through “credential stuffing.”
“Credential stuffing is a method of attack where threat actors use lists of previously compromised user credentials to gain access to another party’s systems,” 23andMe said in the filing.
The biotech firm reportedly blamed customers for the data breach.
“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company told a group of victims in a letter, TechCrunch reported.
23andMe, founded in 2006, became known for its saliva tests that could test for genetic predispositions, ancestry, and inherited traits. The company shares anonymized user data with their consent with third parties.
23andMe didn’t immediately respond to a request for comment from Business Insider, made outside normal working hours.