The 23andMe breach that took place in October has been confirmed as much worse than originally reported, affecting 6.9 million people, as opposed to the 14,000 users first thought.
Information stolen in the breach included users’ full names, birth years, relationship labels, and locations. Approximately 1.4 million users also had Family Tree profile information on the service compromised. Hackers could also access genetic information in the breach, including details about common DNA percentages shared with relatives, and specifics such as chromosome matching, according to a spokesperson.
Reports suggest that this data has already gone up for sale on the black market, with several ethnic groups already being targeted, and bad actors selling a single person’s information for $1 to $10 in a data set. Meanwhile, the ancestry tracking website appears to be covering its tracks, having quickly sent out terms of service updates to users, which detailed that any legal complaints about this matter must be resolved outside of court. This would bar users from attempting a class action lawsuit as a primary action unless they opt out of a private resolution.
If users want to file a class action lawsuit, they must collectively opt out of a private dispute and can do so by emailing arbitrationoptout@23andme.com within 30 days of the update, which is December 30. This information is detailed at the end of the fifth section of the 23andMe terms of service update, Gizmodo noted.
In a statement about the matter, 23andMe attempted to shift responsibility even advocate, detailing in a statement that the breach occurred due to members reusing passwords from other accounts. This common cyberattack, known as credential stuffing, allowed hackers to collect already leaked passwords to access the initial 14,000 accounts. From there, they were able to span through more of the company’s database to steal information, according to a spokesperson.
Currently, the early implications of the breach are not known but are sure to become apparent over time. Experts have detailed that even when the collection of consumer data online is legal, there is the potential for implicit bias that can affect hiring decisions, apartment selection, credit applications, and insurance premiums. In illegal instances, identity theft can occur.
Notably, Meta (formerly Facebook) settled a $725 million class-action lawsuit in April, which detailed that the social media platform left users’ and their friends’ data exposed to third parties for profit. The suit added that Facebook had no rules or privacy protection in place for how third parties should engage with its user’s data.
The 23andMe breach similarly has the potential to have genetic data in the wrong hands be used to make deductions about individuals based on health information, such as a diagnosis or medical family history, Electronic Privacy Information Center law fellow, Suzanne Bernstein told the publication.
While the company’s users didn’t have strong password hygiene, other experts note that such a niche organization as 23andMe should achieve its position from a cybersecurity standpoint. Hosting such sensitive data makes the company a prime target for cyberattacks and in need of backup login requirements, such as two-factor authentication (2FA).