
23andMe hack: company blames its users

Fourteen hundred accounts behind the chain reaction data breach used recycled passwords, available in cybercriminal “directories”.

Antifraud action - January 11, 2024

On January 3, 2024, TechCrunch revealed that 23andMe, the consumer DNA testing specialist, had cleared itself of any wrongdoing over the cyberattack it suffered, in a letter sent in mid-December 2023. In early December 2023, cybercriminals managed to steal the personal data of 6.9 million customers, which was then sold on the dark web. The stolen data did not include any genetic information.

23andMe lays the blame on its customers’ negligence, claiming they reused, for their 23andMe accounts, old passwords that had already been compromised. “Consequently, the incident is not due to a supposed failure by 23andMe to guarantee adequate computer security,” writes the company.

The cybercriminals logged into 14,000 23andMe accounts using credential stuffing. The technique involves trying email address and password combinations, particularly ones that leaked in past breaches and are available in cybercriminal “directories”. From those 14,000 accounts, the hackers were able to reach the data of half of 23andMe’s users thanks to an information-sharing feature.
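The pattern that distinguishes credential stuffing from an ordinary forgotten password is the one a defender can look for: one source cycling through many distinct accounts, one attempt each, with a low success rate. The following detector is an added example (not code from the article or from 23andMe) and runs over constructed login-event lines; the log format, thresholds and addresses are assumptions.

```python
"""Flag credential-stuffing sources in login events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, result.
# 203.0.113.7 tries six different accounts in six seconds (stuffing pattern);
# 198.51.100.5 retries a single account, as a user who mistypes would.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-10T08:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-10T08:00:03Z 203.0.113.7 carol@example.com OK
2024-01-10T08:00:04Z 203.0.113.7 dave@example.com FAIL
2024-01-10T08:00:05Z 203.0.113.7 erin@example.com FAIL
2024-01-10T08:00:06Z 203.0.113.7 frank@example.com OK
2024-01-10T08:01:00Z 198.51.100.5 grace@example.com FAIL
2024-01-10T08:01:03Z 198.51.100.5 grace@example.com FAIL
2024-01-10T08:01:09Z 198.51.100.5 grace@example.com OK
"""


def parse(log):
    """Turn log lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       ip, account, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts_tried": n, "compromised": [accounts]}} for every
    source that, inside `window`, hit at least `min_accounts` distinct accounts
    with a success rate at or below `max_success_rate`. Successful logins from
    such a source are the accounts to treat as compromised (force a reset)."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding time window per IP
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            slice_ = attempts[start:end + 1]
            accounts = {a for _, a, _ in slice_}
            successes = sum(1 for _, _, ok in slice_ if ok)
            if len(accounts) >= min_accounts and successes / len(slice_) <= max_success_rate:
                hit = flagged.setdefault(ip, {"accounts_tried": 0, "compromised": set()})
                hit["accounts_tried"] = max(hit["accounts_tried"], len(accounts))
                hit["compromised"].update(a for _, a, ok in slice_ if ok)
    return {ip: {"accounts_tried": h["accounts_tried"],
                 "compromised": sorted(h["compromised"])} for ip, h in flagged.items()}
```

Tune `min_accounts` and `window` to the site's normal traffic; a shared NAT address can legitimately show several accounts, which is why the low success rate is required as well.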
