The 23andMe data breach is getting messier by the day

Fallout from the 23andMe data breach has continued to get worse, with the biotechnology company revealing that the attack remained undetected for about five months. 

In a customer notification letter, the company stated that cyber criminals gained access to its systems between April 2023 and September 2023.

According to the letter, the hackers used credential stuffing – a technique that uses previously compromised user credentials to gain access to the victim's systems.

23andMe has confirmed the compromised data included information pertaining to users' genealogy, with personal zip codes and dates of birth potentially also being involved.

This news adds insult to injury for a company which has been on the defensive since day one.

According to the SEC filing, 23andMe became aware of the breach when a threat actor claimed to have accessed user data at the start of October.

23andMe was adamant, however, that only a “very small percentage (0.1%)” of its users would have been made vulnerable by the threat actor, only quietly admitting that “profile information about other users’ ancestry” had also been breached in large quantities.

It later transpired that the extent of the breach was far larger than expected, with roughly 6.9 million users having been affected by the incident.

23andMe maintained a defensive strategy, however, as the data breach spiraled into a public relations disaster.

23andMe's reaction is a blast from the past

In early January, the company sent a letter to a group of victims-turned-plaintiffs which asserted that customers “failed to update their passwords” following previous breaches.


23andMe doubled down on its denial of any wrongdoing or responsibility, describing victims of the breach as negligent.

It also vehemently denied that the incident was a “result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

In light of this recent news, 23andMe still appears to be placing the blame on its end users.

In the latest letter, 23andMe stated the threat actor was “able to gain access to your account” because customers used the same usernames and passwords that had been “used on other websites that were previously compromised.”

23andMe has temporarily paused certain functionalities on its platform and, in response to the breach, is also enforcing password updates and the use of two-factor authentication (2FA).

George Fitzmaurice
Staff Writer
