The data breach came to light in October, when a hacker tried to sell 23andMe customer data on a dark web forum. The hacker claimed to hold records on 1 million people of Ashkenazi Jewish ancestry and 4.1 million people living in the United Kingdom. When no buyers materialized, the hacker posted the data online for anyone to download.
The hacker got in through credential stuffing, a technique in which usernames and passwords leaked from breaches of other services are replayed against a target's login page in bulk. The attack works only because people reuse passwords across sites, which is also why the accounts that fell were the ones without a second factor. 23andMe told BleepingComputer that the hacker was able to breach a limited number of customer accounts (the company later put the figure at roughly 14,000, about 0.1 percent of its customers) and then used the site's own features to scrape data about other customers.
The features the hacker abused were ‘DNA Relatives’ and ‘Family Tree’, which let customers opt in to find and connect with genetic relatives. Each compromised account that had opted in exposed the profile data of every relative it matched, so a few thousand account takeovers fanned out into records on about 6.9 million people, including names, email addresses, birth dates, locations, and genetic information. No vulnerability in 23andMe's software was needed: the scraping stayed within what a logged-in customer was entitled to see, which is why the damage scaled with the number of hijacked accounts rather than with any single flaw.
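The two phases described above leave distinct fingerprints in ordinary application logs: a stuffing source tries many different usernames roughly once each and fails most of the time, while a hijacked account that is scraping relative lists views far more profiles than a person would browse. The following is an added example, not code or data from the article or from 23andMe; the log formats, thresholds, and the `AUTH_LOG` and `RELATIVE_VIEWS` samples are constructed for illustration.

```python
"""Flag credential-stuffing login sources and relative-list scraping.

Constructed example for this article; the log formats and thresholds are
assumptions, not 23andMe's actual telemetry or code.
"""
from collections import defaultdict

# Constructed login events: "timestamp source_ip username outcome".
AUTH_LOG = """\
2023-10-01T02:00:01 198.51.100.7 alice@example.com FAIL
2023-10-01T02:00:02 198.51.100.7 bob@example.com FAIL
2023-10-01T02:00:03 198.51.100.7 carol@example.com FAIL
2023-10-01T02:00:04 198.51.100.7 dave@example.com OK
2023-10-01T02:00:05 198.51.100.7 erin@example.com FAIL
2023-10-01T02:00:06 198.51.100.7 frank@example.com FAIL
2023-10-01T08:15:00 203.0.113.5 carol@example.com FAIL
2023-10-01T08:15:20 203.0.113.5 carol@example.com OK
2023-10-01T09:30:00 192.0.2.9 grace@example.com OK
"""

# Constructed "relative profile viewed" events as (account, relative_id).
# dave's account pulls 900 distinct matches in one day; the others browse normally.
RELATIVE_VIEWS = (
    [("dave@example.com", f"r{i:04d}") for i in range(900)]
    + [("carol@example.com", f"r{i:04d}") for i in range(12)]
    + [("grace@example.com", f"r{i:04d}") for i in range(30)]
)


def parse_auth(text):
    """Parse login lines into (timestamp, ip, user, outcome) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]


def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Return {ip: [users whose login succeeded]} for IPs that look like
    credential stuffing: many distinct usernames, mostly failures.

    A brute-force source hammers one username; a stuffing source tries each
    leaked pair about once, so the distinct-user count is the key signal.
    The successes are the accounts that need a forced password reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()})
    for _ts, ip, user, outcome in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["total"] += 1
        if outcome == "FAIL":
            rec["fails"] += 1
        else:
            rec["hits"].add(user)
    return {
        ip: sorted(rec["hits"])
        for ip, rec in per_ip.items()
        if len(rec["users"]) >= min_users
        and rec["fails"] / rec["total"] >= min_fail_ratio
    }


def scraping_accounts(views, max_distinct=200):
    """Return accounts that viewed more distinct relative profiles than a
    person would plausibly browse in the window (threshold is an assumption)."""
    seen = defaultdict(set)
    for account, relative_id in views:
        seen[account].add(relative_id)
    return sorted(a for a, rels in seen.items() if len(rels) > max_distinct)


def takeover_then_scrape(flagged_ips, scrapers):
    """Accounts that both logged in from a stuffing source and then scraped:
    the highest-confidence match for the pattern described in the article."""
    hits = {u for users in flagged_ips.values() for u in users}
    return sorted(hits & set(scrapers))


if __name__ == "__main__":
    ips = stuffing_sources(parse_auth(AUTH_LOG))
    scrapers = scraping_accounts(RELATIVE_VIEWS)
    print("stuffing sources:", ips)
    print("scraping accounts:", scrapers)
    print("takeover then scrape:", takeover_then_scrape(ips, scrapers))
```

Note that carol's single failed attempt followed by a success from her own IP is not flagged: the heuristic keys on how many different usernames one source tries, not on failures alone. Thresholds like 200 distinct profile views are placeholders; in practice they would be tuned against a baseline of how real customers use the feature, and the per-account view rate is the control that would have capped the scraping regardless of how many passwords were stuffed.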
The data breach has resulted in several lawsuits against 23andMe, accusing the company of negligence, breach of contract, invasion of privacy, and violation of consumer protection laws. The plaintiffs are seeking damages and injunctive relief to prevent further data breaches.
One of the main drawbacks of mandatory arbitration is that it bars customers from bringing class action lawsuits, in which a large group of people with similar claims sue a defendant as a single group. Class actions are a common way to hold corporations accountable for widespread harm or misconduct, data breaches included, because individual losses are often too small to be worth litigating one at a time.