The breach of 23andMe user profiles in early October saw hackers obtain the personal data of millions of users, prompting multiple class action lawsuits across the United States and Canada, the company said in a Securities and Exchange Commission disclosure.
Hackers targeted users whose 23andMe passwords matched those found online as a result of other data breaches, initially compromising just 0.1 percent of accounts—around 14,000 total.
But the site’s DNA Relatives tool allowed hackers to access other users’ ancestry information; 23andMe is still working to remove such data from the internet and to notify affected customers, it disclosed.
All told, around half of all 23andMe users’ information was compromised to some extent—some 6.9 million profiles.
23andMe disabled some of the tool’s features 20 days after the hack began, the company said in a blog post. On Nov. 6, 23andMe required all users to add 2-step verification and reset their passwords.
The amount of information garnered by hackers varied from account to account, the company said. Many users’ ancestry information was compromised, as were some profiles’ “health-related information based upon the user’s genetics.”
“We are working to remove this information from the public domain,” 23andMe said in the disclosure, adding that “the Company believes that the threat actor activity is contained.”
The hack prompted class action lawsuits against 23andMe in California, Illinois, federal court, and in Canada. One suit filed in California alleged negligence, invasion of privacy, unjust enrichment, and breach of implied contract. Among the victims of the hack were Elon Musk and Mark Zuckerberg, according to the suit.
“The Company expects to incur between $1 million and $2 million in onetime expenses related to the incident,” 23andMe said in the disclosure, adding that the cost of any litigation could not be estimated.