
California’s attorney general sued the genetic testing company formerly known as 23andMe for failing to protect sensitive user data after a 2023 breach. The breach affected nearly 7 million people nationwide. The lawsuit seeks civil penalties and injunctions preventing further violations of California privacy protection laws. The company acknowledged a major security incident in 2023 in which about 14,000 accounts were accessed and used to steal data from nearly 7 million customers. The cyberattack used credential stuffing, exploiting weak or reused passwords. The attackers used stolen credentials, including from a 2017 MyHeritage breach. After that breach, 23andMe allegedly did not implement common protections such as password resets or multifactor authentication. The company did not immediately respond to a request for comment.
"California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people across the country."
"The company has acknowledged that it suffered a major security breach in 2023 that resulted in about 14,000 accounts accessed, through which they were able to steal the data of nearly 7 million customers. The cyberattack utilized "credential stuffing," which takes advantage of customers' tendency to use weak or common passwords or reuse passwords between multiple accounts."
"The attackers used stolen user account credentials including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe's former partners. After that breach, 23andMe did not take common protocols such as asking customers to reset their passwords or use multifactor authentication."
""23andMe's security measures were so lax that the threat actor was able to operate undetected within 23andMe's systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reach"
#california-privacy-law #data-breach #genetic-testing #credential-stuffing #cybersecurity-enforcement
Read at ABC7 San Francisco