23andMe unveils more of the truth about that massive DNA data breach

Genetic testing company 23andMe is coughing up more of the truth about that major cyberattack last year that breached its system and stole the DNA data of about 6.9 million people.

Initially, the company claimed in a U.S. Securities and Exchange Commission court filing that it had discovered the data breach in October 2023, but now, 23andMe has admitted that hackers started accessing users’ accounts in April and did not detect the suspicious activity for five months, according to a recent legal filing that contains a log of notification letters the company sent to customers.

Related: 23andMe attempts to wipe its hands clean of blame for DNA data breach

“Based upon our investigation of this incident, we believe a threat actor orchestrated a credential stuffing attack during the period from late April 2023 through September 2023 and gained access to your account,” read one of the notification letters from 23andMe.

A credential stuffing attack is when a hacker uses previously compromised login information such as usernames and passwords to try to break into an online system.

The notification letters from 23andMe also went into more detail about what DNA data was stolen from customers during the breach. Last year, the company revealed that data such as users’ DNA ancestry, their matched DNA relatives, self-reported location, family names and birth years were accessed in the cyberattack.

It also previously revealed that “health-related information based upon the user’s genetics” was also compromised. Now, in the new filing of notification letters, the company finally goes into more detail about what health information was actually stolen.

“Our investigation determined the threat actor downloaded or accessed information in your account, such as certain health reports derived from the processing of your genetic information, including health-predisposition reports, wellness reports, and carrier status reports,” read the notification letter. “To the extent your account contained such information, the threat actor may have also accessed self-reported health condition information, and information in your settings.”

The revelation from 23andMe comes after the company swiftly updated the "Dispute Resolution and Arbitration" section of its terms of service agreement amid a growing pile of lawsuits against the company for the cyberattack, which was first reported to only have affected 14,000 users but was later admitted by the company that 6.9 million users were impacted.

One of the changes in the contract appeared to include removing the ability for customers to take 23andMe to court to sue for damages if they weren’t able to agree on a negotiation after arbitration. Another change included extending the informal resolution period to 60 days.

The company also recently shifted the blame for the data breach to customers who “recycled their own login credentials” and claimed that “the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA,” according to a letter from 23andMe’s lawyers.

Related: Veteran fund manager picks favorite stocks for 2024