23andMe Blames Recycled Passwords For Data Breach

In a recent letter, 23andMe has denied responsibility for the data breach affecting their company last year. Instead, the DNA and genealogy website blamed the exposure of personal data on insecure password use by customers.

23andMe is a DNA research company that enables people to send in DNA samples to learn more about their health, genealogy and families. In October 2023, hackers retrieved millions of users’ personal data, gaining access to information including genetic data, familial relationships, birth information, and sometimes even geographic locations.

According to 23andMe, hackers accessed an initial 14,000 accounts by using “credential stuffing,” where they used old passwords from previous data breaches to log in to the website. When people reused the same password on multiple websites, the hackers were able to use those passwords from other sites to access people’s 23andMe accounts. The company blames these recycled passwords for the data loss, and has since taken steps to improve its security measures — such as requiring two-factor authentication to log in to the website.
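Credential stuffing leaves a recognisable trace in login logs: one source tries many different usernames, most attempts fail, and the few that succeed are the reused passwords. The detector below is an added example, not 23andMe’s code; the log format, IP addresses, usernames and thresholds are all constructed for illustration. It flags sources whose pattern matches a replayed breach list and lists the accounts that logged in successfully from them, which is the set a defender would force through a password reset and two-factor enrolment.

```python
"""Credential-stuffing detector over constructed login events.

Added example (not 23andMe's code). Each log line is
'<timestamp> <source-ip> <username> <OK|FAIL>', a constructed format.
The signal is one source hitting many *distinct* usernames with a high
failure rate, which is what a replayed breach list looks like and quite
unlike a single user mistyping their own password a few times.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one stuffing source, one forgetful user, one normal login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank@example.com OK
2023-10-01T10:00:05Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2023-10-01T10:01:10Z 198.51.100.20 alice@example.com FAIL
2023-10-01T10:01:15Z 198.51.100.20 alice@example.com FAIL
2023-10-01T10:01:20Z 198.51.100.20 alice@example.com OK
2023-10-01T10:02:00Z 192.0.2.55 bob@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return ts, ip, user, outcome == "OK"


def aggregate(log_text):
    """Fold the log into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def detect_stuffing(log_text, min_usernames=5, min_failure_rate=0.6):
    """Return {source_ip: sorted accounts that succeeded from a flagged source}.

    A source is flagged when it tried at least `min_usernames` distinct
    accounts and at least `min_failure_rate` of its attempts failed.
    Thresholds are assumed values; tune them against real baselines.
    """
    flagged = {}
    for ip, s in aggregate(log_text).items():
        many_accounts = len(s.usernames) >= min_usernames
        mostly_failing = s.failures / s.attempts >= min_failure_rate
        if many_accounts and mostly_failing:
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, hijacked in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; reset + enforce 2FA for {hijacked}")
```

In the sample, 203.0.113.7 tries ten different accounts with an 80% failure rate and is flagged, with carol and frank as the accounts whose reused passwords worked; 198.51.100.20 is a single user retrying their own password and is left alone. Two-factor authentication, as 23andMe now requires, stops the successful guesses from turning into sessions in the first place.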

However, those 14,000 users represented only a fraction of the data breach. From those accounts, the hackers used various features on the 23andMe website to reach data from millions of other accounts. The primary culprit was the website’s DNA Relatives feature, which allows users to view information about other users with close DNA matches. From the initial 14,000 accounts, the hackers were able to access data from 6.9 million accounts in total, gathering vast quantities of personal and genetic information.
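The amplification step is a feature-abuse problem rather than a password problem: a legitimate user opens a handful of DNA matches per session, while a compromised account driven by a scraper walks through hundreds in minutes. The detector below is an added example, not 23andMe’s code; the event format, account and profile identifiers, window and threshold are constructed assumptions. It counts the distinct match profiles each account views inside a sliding window and flags accounts that exceed the threshold, which is the same point at which a server-side rate limit on the feature should refuse further requests.

```python
"""Detector for mass enumeration of a relative-matching feature.

Added example (not 23andMe's code). Events are constructed tuples of
(timestamp, viewing account, viewed profile id). We keep, per account,
the views inside a sliding time window and flag the account the first
time the number of *distinct* profiles in that window passes a limit.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)       # assumed window length
MAX_DISTINCT_PROFILES = 20           # assumed per-window policy threshold


def make_events():
    """Constructed sample: one scraping account and one ordinary user."""
    base = datetime(2023, 10, 1, 12, 0, 0)
    events = []
    # Scraper: account 'u-1001' opens 50 different match profiles, one every 5 s.
    for i in range(50):
        events.append((base + timedelta(seconds=5 * i), "u-1001", f"p-{i:04d}"))
    # Ordinary user: account 'u-2002' opens a few matches, revisiting some.
    browsing = ["p-0100", "p-0101", "p-0100", "p-0102",
                "p-0103", "p-0101", "p-0104", "p-0105"]
    for i, profile in enumerate(browsing):
        events.append((base + timedelta(minutes=i), "u-2002", profile))
    events.sort(key=lambda e: e[0])
    return events


def flag_enumerators(events, window=WINDOW, max_distinct=MAX_DISTINCT_PROFILES):
    """Return {account: (time first exceeded, distinct profiles in window)}.

    `events` must be in time order. Repeat views of the same profile do
    not count twice, so a user re-opening a match is not penalised.
    """
    recent = defaultdict(deque)   # account -> deque of (timestamp, profile)
    flagged = {}
    for ts, acct, profile in events:
        q = recent[acct]
        q.append((ts, profile))
        # Drop views that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct and acct not in flagged:
            flagged[acct] = (ts, distinct)
    return flagged


def should_serve(views_in_window, max_distinct=MAX_DISTINCT_PROFILES):
    """Rate-limit decision a match endpoint could apply before returning data."""
    return views_in_window <= max_distinct


if __name__ == "__main__":
    for acct, (when, n) in flag_enumerators(make_events()).items():
        print(f"{acct}: {n} distinct match profiles by {when:%H:%M:%S}; throttle and review session")
```

With these constructed values, u-1001 is flagged at its 21st distinct profile, less than two minutes into the run, while u-2002 never comes close. Bounding how many matches one account can view per window caps the blast radius of a single hijacked login, so that 14,000 compromised accounts cannot fan out to millions of profiles.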

Attorney Hassan Zavareei, representing victims in a lawsuit against 23andMe, said in an interview with FOX Business that “the breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords.”

Since the attack, the hackers have posted personal data from affected customers online, including data for one million Ashkenazi Jews and approximately 100,000 Chinese users. Allegedly, the hackers have expanded their release of data and are now offering to sell more than four million people’s records online.

Marina Medvin 🇺🇸 on X: “23andMe was hacked with the profile data of Ashkenazi Jews specifically targeted in the breach. According to emails sent to customers today from 23andMe, the data that was hacked included: ancestry, Family Tree, display name, relationship labels, self-reported location (city/zip… https://t.co/XGLCPw91Qx”

Because of the security breach, there are currently more than 30 lawsuits being brought against the company by affected users. Although 23andMe claims the fault lies solely with the recycled passwords, many of the customers seeking damages from the company did not reuse passwords at all, but still had their private data accessed in the breach.