
California’s attorney general sued Chrome Holding Co., the company formerly known as 23andMe, alleging inadequate protection of sensitive user data after a 2023 breach. The breach affected nearly 7 million people nationwide and involved about 14,000 accounts being accessed. The cyberattack used credential stuffing, leveraging users’ weak or reused passwords and stolen credentials from prior breaches. The lawsuit seeks civil penalties and injunctions to prevent further violations of California privacy laws. The company acknowledged the breach and the attackers’ access method. Prosecutors said the company did not implement common safeguards such as password resets or multifactor authentication and only began investigating after the stolen data was offered for sale and ransom demands were made.
"The cyberattack utilized “credential stuffing,” which takes advantage of customers' tendency to use weak or common passwords or reuse passwords between multiple accounts. The attackers used stolen user account credentials including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe's former partners. After that breach, 23andMe did not take common protocols such as asking customers to reset their passwords or use multifactor authentication."
"“23andMe's security measures were so lax that the threat actor was able to operate undetected within 23andMe's systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom,” prosecutors said in the complaint."
"Attorney General Rob Bonta filed the lawsuit against Chrome Holding Co., which 23andMe rebranded under after filing for bankruptcy last March. 23andMe is known for its direct-to-consumer DNA test kits that provided customers information on their ancestry and genetic predispositions for certain health conditions. The lawsuit calls for various civil penalties against 23andMe and injunctions blocking the company from further violations of California's privacy protection laws."
"The company has acknowledged that it suffered a major security breach in 2023 that resulted in about 14,000 accounts accessed, through which they were able to steal the data of nearly 7 million customers. In October 2023, the stolen data appeared for sale on the dark web, wit"
Read at Fortune