
California's attorney general sued Chrome Holding Co., the company formerly known as 23andMe, alleging it failed to adequately protect sensitive user data in a 2023 breach. The breach affected nearly 7 million people nationwide; about 14,000 accounts were accessed. The attacker used credential stuffing, exploiting weak or reused passwords together with credentials stolen in earlier breaches. The lawsuit seeks civil penalties and injunctions against further violations of California's privacy protection laws. The company acknowledged the breach and the scale of the exposed data. Prosecutors allege that security measures were lax, that the attacker operated undetected for over five months, and that the investigation began only after the stolen data was offered for sale and a ransom was demanded.
"California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people across the country."
"The cyberattack utilized 'credential stuffing,' which takes advantage of customers' tendency to use weak or common passwords or reuse passwords between multiple accounts. Bonta's office said this was a well-known attack that businesses should know to guard against. The attackers used stolen user account credentials including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe's former partners."
"After that breach, 23andMe did not take common protocols such as asking customers to reset their passwords or use multifactor authentication. '23andMe's security measures were so lax that the threat actor was able to operate undetected within 23andMe's systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom,' prosecutors said in the complaint."
"The lawsuit calls for various civil penalties against 23andMe and injunctions blocking the company from further violations of California's privacy protection laws. Attorney General Rob Bonta filed the lawsuit against Chrome Holding Co., which 23andMe rebranded under after filing for bankruptcy last March."
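The complaint's point is that credential stuffing is a well-known pattern that a defender can detect and contain: one source trying many different usernames, mostly failing, with the occasional success on an account whose password was reused. The following is an added illustration, not code from the article, 23andMe or the complaint. It runs a simple sliding-window heuristic over constructed authentication-log lines; the log format, the IP addresses, the usernames and the thresholds (five distinct users within five minutes, at least half of the attempts failing) are all assumptions chosen for the example. A source that trips the heuristic is reported together with every account it logged into successfully, which is the set that would need a forced password reset and an MFA prompt.

```python
"""Credential-stuffing detection over authentication logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO-8601 UTC timestamp, then key=value fields).
# 203.0.113.7 sprays many usernames and lands one success; 198.51.100.9 retries a single
# account (brute force, not stuffing); 192.0.2.33 is an ordinary login.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-10-01T12:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-10-01T12:00:03Z src=203.0.113.7 user=carol result=FAIL
2023-10-01T12:00:04Z src=203.0.113.7 user=dave result=SUCCESS
2023-10-01T12:00:05Z src=203.0.113.7 user=erin result=FAIL
2023-10-01T12:00:06Z src=203.0.113.7 user=frank result=FAIL
2023-10-01T12:00:07Z src=203.0.113.7 user=grace result=FAIL
2023-10-01T12:01:00Z src=198.51.100.9 user=alice result=FAIL
2023-10-01T12:01:30Z src=198.51.100.9 user=alice result=FAIL
2023-10-01T12:02:00Z src=198.51.100.9 user=alice result=SUCCESS
2023-10-01T12:05:00Z src=192.0.2.33 user=heidi result=SUCCESS
"""


def parse_line(line):
    """Parse one log line into a dict with keys src, user, result, raw_ts and ts (datetime)."""
    raw_ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["raw_ts"] = raw_ts
    event["ts"] = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs whose login attempts look like credential stuffing.

    A source is flagged the first time a window of `window` length contains attempts
    against at least `min_users` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. Thresholds are assumptions for the example, not tuned values.
    Returns {src: {detected_at, distinct_users, attempts, failures, accounts_logged_in}}.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if e["result"] == "FAIL")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                findings[src] = {
                    "detected_at": events[end]["raw_ts"],
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    # Response scope: every account this source got into, across the whole log,
                    # not just the window that tripped the detector.
                    "accounts_logged_in": sorted(
                        {e["user"] for e in events if e["result"] == "SUCCESS"}
                    ),
                }
                break  # report the earliest detection point for this source
    return findings


if __name__ == "__main__":
    for src, finding in find_stuffing_sources(SAMPLE_LOG).items():
        print(src, finding)
```

On the constructed log this flags only 203.0.113.7, at the fifth attempt, and names `dave` as the account to reset and enrol in MFA; the single-user retries from 198.51.100.9 are left to a separate lockout or rate-limit rule, since they do not match the many-users signature. A real deployment would also key on other fingerprints (user agent, ASN, device) because stuffing tools rotate source addresses, but the detection-then-containment loop is the same.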
Read at SecurityWeek