California sues 23andMe over 2023 data breach that affected 7 million users - Engadget
Briefly

Chrome Holding Co., formerly known as 23andMe, faces a lawsuit from California Attorney General Rob Bonta over a 2023 security breach. The suit says the breach compromised sensitive personal information and genetic data tied to health, genetic predispositions and risk factors, biological relatives, ancestry, and ethnicity, and that it affected 7 million users in the US, including 855,541 California residents. The company acknowledged in 2023 that credential stuffing gave attackers access to user accounts. The lawsuit argues that a company collecting genetic data should have anticipated this common attack method, and that 23andMe did not check for or prevent credential reuse even after learning of the MyHeritage breach, despite having encouraged its own users to sign up for MyHeritage accounts. According to the complaint, the attackers used stolen credentials to break into roughly 14,000 accounts, then exploited a vulnerability in the DNA Relatives feature to reach data on many more customers, operating undetected for five months; the company began investigating only after the stolen data was being sold on the dark web and ransom demands had begun.
"Bonta is accusing the company of misleading customers and failing to protect their “sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry and ethnicity.” The incident had affected 7 million users across the US, the lawsuit said, 855,541 of whom were California residents."
"23andMe, which offered customers DNA testing kits so they can find out their ancestral origins and genetic health risks, admitted back in 2023 that bad actors were able to access users' accounts through credential stuffing. Bonta argued that companies, especially one that collects genetic data, should know to guard against such a common method of cyberattack."
"Bonta says that even though 23andMe was aware of the breach on MyHeritage, it never checked or prevented users from reusing their credentials. That's particularly noteworthy, because 23andMe allegedly encouraged its users to sign up for a MyHeritage account, as well."
"After using the attack method to break into 14,000 accounts, they then exploited a vulnerability in the website's DNA Relatives feature to access data from more customers. Bonta said the company's security measures were so lax, the hackers were able to operate undetected inside its system for five months. He added that the company only started investigating after the bad actors had already started selling stolen user data on the dark web and demanding a ransom."
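The two failures the excerpts describe, no check for credentials already exposed in another breach and no detection of a months-long credential-stuffing campaign, are both cheap to address at the login path. The following is an added example written for this page; it is not code from the Engadget article, from 23andMe, or from the complaint. The breached-password list, the auth-log format, the source IPs and the alert thresholds are all constructed for illustration. It shows a k-anonymity style breached-credential check of the kind offered by Pwned Passwords (here served from an in-memory corpus rather than a remote API) and a detector that flags a source address spraying one password across many different accounts, returning the accounts it actually got into so they can be locked and forced through a reset.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# --- Part 1: breached-credential check (the control the complaint says was missing) ----
# Constructed stand-in for a third-party breach dump. A real deployment would query a
# range API such as Pwned Passwords or a local copy of its hash list; the lookup shape
# is the same.
BREACHED_PASSWORDS = ["password123", "Summer2018!", "letmein", "qwerty1"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


BREACHED_SHA1 = {sha1_hex(p) for p in BREACHED_PASSWORDS}


def range_lookup(prefix5: str) -> set[str]:
    """k-anonymity range query: the caller sends only the first 5 hex chars of the
    SHA-1 and receives every matching suffix, so the full hash never leaves the client."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


# --- Part 2: credential-stuffing detection over auth logs --------------------------------
# Constructed auth log (RFC 5737 test addresses). 203.0.113.5 tries one password against
# six different accounts in about ten seconds and gets into one; 198.51.100.7 is a
# legitimate user who mistypes once and then logs in.
AUTH_LOG = [
    "2023-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL",
    "2023-05-01T10:00:03Z ip=203.0.113.5 user=bob result=FAIL",
    "2023-05-01T10:00:05Z ip=203.0.113.5 user=carol result=FAIL",
    "2023-05-01T10:00:08Z ip=203.0.113.5 user=dave result=FAIL",
    "2023-05-01T10:00:10Z ip=203.0.113.5 user=eve result=OK",
    "2023-05-01T10:00:12Z ip=203.0.113.5 user=frank result=FAIL",
    "2023-05-01T10:02:00Z ip=198.51.100.7 user=alice result=FAIL",
    "2023-05-01T10:02:09Z ip=198.51.100.7 user=alice result=OK",
]


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Parse the constructed 'timestamp key=value ...' format into (ts, ip, user, result)."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), kv["ip"], kv["user"], kv["result"]


def detect_stuffing(lines, min_distinct_users=5, window=timedelta(minutes=10)):
    """Flag a source IP that attempts many *different* accounts within a short window
    with a high failure rate. Password guessing against one account looks different
    (one user, many failures); stuffing is many users, mostly failures, a few successes.
    Returns {ip: {distinct_users, failures, succeeded}} so the successes can be locked."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        span = events[-1][0] - events[0][0]
        users = {u for _, u, _ in events}
        failures = sum(1 for _, _, r in events if r == "FAIL")
        if len(users) >= min_distinct_users and span <= window and failures / len(events) >= 0.5:
            alerts[ip] = {
                "distinct_users": len(users),
                "failures": failures,
                "succeeded": sorted({u for _, u, r in events if r == "OK"}),
            }
    return alerts


if __name__ == "__main__":
    print("password123 breached:", is_breached("password123"))
    print("long passphrase breached:", is_breached("correct horse battery staple"))
    print(detect_stuffing(AUTH_LOG))
```

Run as a script it reports the one spraying address and the single account it reached. In practice the breached check belongs at registration, password change and successful login (a hit on login should force a reset rather than reject the session outright), and the detector would run on a sliding window with the thresholds tuned to the site's normal distinct-user-per-IP rate, since shared NATs and corporate egress addresses legitimately present many accounts.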