
Genealogy Website to Pay $30 Million Over 2023 Data Breach

Chinese and Ashkenazi Jewish customers were particularly targeted by the compromise.

23andMe has agreed to pay $30 million to resolve a lawsuit over a breach from 2023 that impacted 6.9 million customers.

An attacker was able to access around 14,000 individual 23andMe.com accounts via a credential stuffing effort.

Having compromised those accounts, the attacker accessed information in a significant number of DNA Relatives profiles and Family Tree feature profiles, each of which was connected to the compromised accounts.

Five-Month Compromise

According to Reuters, the compromise took place over five months beginning in April 2023, enabling access to 5.5 million DNA Relatives profiles and details from 1.4 million users of the Family Tree feature.

However, the lawsuit claimed the firm did not inform its Chinese and Ashkenazi Jewish customers that they were targeted by the compromise.

As part of the settlement, which was deemed to be "fair, adequate, and reasonable," the firm moved to stop arbitrations by several thousand class action members.

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
