UPDATE
Numerous class action lawsuits have been filed against major U.S. biotechnology and genetic testing firm 23andMe following a leak of customer data believed to be tied to credential stuffing attacks that compromised information from almost 1 million Ashkenazi Jews, BleepingComputer reports.
The initially exposed data included Ashkenazi Jews' full names, birthdates, sex, DNA profiles, and location information, as well as account IDs. The data was reshared by other threat actors even after the original hacker withdrew the post and began selling stolen 23andMe profiles instead. Ashkenazi Jews are descended from Jews who lived in Central or Eastern Europe.
In a statement to SC Media sent on Oct. 17, 23andMe emphasized that, at this time, it does not believe it was breached and that it did "not have any indication at this time that there has been a data security incident within our systems." However, it does acknowledge that hackers may have used recycled user credentials to illicitly access customer accounts.
The company statement to SC Media echoed an Oct. 6 blog post on its website (updated on Oct. 9) stating:
"Our ongoing investigation found that threat actors were able to access certain user accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked. However, we do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks."
The company believes that a credential stuffing attack allowed hackers to access the accounts of customers who had opted into sharing through its DNA Relatives feature. From each compromised account, the adversaries could then enumerate the other customers who had also opted into this feature, allowing the compilation of specific user profiles.
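As an added defensive illustration that is not part of the original report, the script below flags the credential-stuffing pattern described above in a constructed authentication log: one source trying many distinct accounts with a high failure rate, which looks nothing like a single user mistyping a password. The log format, thresholds and IP addresses are assumptions, not details from 23andMe.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not 23andMe's code. Log format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <ok|fail>".
# 203.0.113.7 sprays one password across many accounts (stuffing);
# 198.51.100.9 is a single user retrying their own password.
SAMPLE_LOG = """\
2023-10-01T12:00:01 203.0.113.7 alice@example.com fail
2023-10-01T12:00:02 203.0.113.7 bob@example.com fail
2023-10-01T12:00:03 203.0.113.7 carol@example.com ok
2023-10-01T12:00:04 203.0.113.7 dave@example.com fail
2023-10-01T12:00:05 203.0.113.7 erin@example.com fail
2023-10-01T12:00:06 203.0.113.7 frank@example.com ok
2023-10-01T12:05:00 198.51.100.9 grace@example.com fail
2023-10-01T12:05:20 198.51.100.9 grace@example.com fail
2023-10-01T12:05:40 198.51.100.9 grace@example.com ok
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.5):
    """Return {src_ip: (distinct_users, fail_ratio, accounts_logged_in)} for
    sources that hit >= min_users distinct accounts within `window` with a
    failure ratio >= min_fail_ratio. The successful accounts are the ones a
    defender would force a reset and session revocation on."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window per source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            ratio = sum(1 for e in chunk if not e[3]) / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # keep the widest window seen for this source
                if ip not in flagged or len(users) > flagged[ip][0]:
                    compromised = sorted({e[2] for e in chunk if e[3]})
                    flagged[ip] = (len(users), ratio, compromised)
    return flagged
```

Run `detect_stuffing(parse_log(SAMPLE_LOG))` to see only the spraying source flagged, together with the two accounts it actually got into.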
In at least one complaint filed against the firm, lawyers argue 23andMe failed to provide adequate information about the incident that would have helped customers protect their data. The complaint also alleges the company did not have adequate security protections that could have mitigated the attack.
The lawsuits reported by BleepingComputer (Santana, Eden, Andrizzi, Lamons) each seek relief for "the damage done by 23andMe's failure to protect their data."
Financial relief, including lifetime credit monitoring, restitution, compensatory, punitive, and statutory damages, and coverage of attorney's fees, has been sought by the plaintiffs behind the class action lawsuits against 23andMe.
UPDATE: On 10/17/23 at 11am ET this article was updated to amplify 23andMe's position that it was not breached, but rather the victim of a credential stuffing attack.