WTF?! It seems companies being infiltrated by hackers and not knowing about it for months is becoming a common sight in the tech world. Following Microsoft and HPE, genetic testing provider 23andMe has now confirmed that the intrusion it experienced last year, which led to the theft of data on millions of customers, went unnoticed for five months.
In its mandatory breach notification letter filed with California's attorney general, 23andMe confirmed that hackers started breaching customer accounts on April 29, 2023, continuing to do so until September 27. The cybercriminals spent five months brute-forcing customer accounts using passwords and email addresses leaked in other breaches (credential stuffing), all without the company detecting what was happening.
Back in December, 23andMe's filing with the Securities and Exchange Commission revealed that the hackers accessed the personal information of 14,000 people. That's only 0.1% of its customers, but hacking these accounts also allowed the bad actors to access files containing profile information about other users via the site's DNA Relatives, an optional feature that allows some customer data to be shared automatically with others who 23andMe believes may be their relatives.
A total of 6.9 million people, or about half the company's customers, had their data stolen. The pilfered information included name, birth year, profile picture, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.
23andMe says that certain health reports derived from the processing of genetic information, including health-predisposition reports, wellness reports, and carrier status reports, may have also been accessed, along with self-reported health condition information and information in the settings.
23andMe only became aware of the breach in October when the hackers advertised the stolen data on a hacking forum and the unofficial 23andMe subreddit. The data was also advertised on another hacking forum in August, but the company didn't notice.
The incident resulted in more than 30 lawsuits being filed against 23andMe over its alleged failure to maintain reasonable security measures. Its unique response to these legal actions was to blame customers for re-using old credentials that appeared in leaks. So it was their fault, basically. The firm added that, as the stolen information did not include social security numbers, driver's license numbers, or any payment or financial information, it could not be used to cause any "pecuniary" harm.
Earlier this week, HPE said Russian hacking group Cozy Bear had accessed and exfiltrated data from its cloud-based email environment for months without the company detecting it. The same group also hit Microsoft's corporate email network for a month in November 2023.