Chinese and Ashkenazi Jewish customers were particularly targeted by the compromise.
23andMe has agreed to pay $30 million to resolve a lawsuit over a breach from 2023 that impacted 6.9 million customers.
An attacker was able to access around 14,000 individual 23andMe.com accounts via a credential stuffing effort.
Having compromised those accounts, the attacker accessed information in a significant number of DNA Relatives profiles and Family Tree feature profiles, each of which was connected to the compromised accounts.
Five Month Compromise
According to Reuters, the compromise took place over five months beginning April 2023, enabling access to 5.5 million DNA Relatives profiles and details from 1.4 million users of the Family Tree feature.
However, the lawsuit claimed the firm did not inform its Chinese and Ashkenazi Jewish customers that they were targeted by the compromise.
As part of the settlement, which was deemed to be "fair, adequate, and reasonable," the firm moved to stop arbitrations brought by several thousand class action members.
Written by
Dan Raywood
Senior Editor
SC Media UK