23andMe Data Breach Scandal: Attorneys Investigating Hack
Last Updated on November 27, 2023
At A Glance
- This Alert Affects:
- 23andMe customers who live in California or Illinois and received notice from the company that their information may have been accessed without their authorization.
- What’s Going On?
- In early October 2023, a hacker reportedly claimed to have stolen data points on millions of 23andMe customers and sold their information on the dark web. Attorneys working with ClassAction.org are now gathering data breach victims to take action over potentially negligent data security practices.
- What You Can Do
- If you received notice from 23andMe that your information was accessed in the data security incident, join others taking action by filling out the form linked to below.
- What Am I Signing Up For, Exactly?
- You’re signing up for what’s known as “mass arbitration,” which involves hundreds or thousands of consumers bringing individual arbitration claims against the same company at the same time and over the same issue. This is different from a class action lawsuit and takes place outside of court.
- Does This Cost Anything?
- It costs nothing to sign up, and the attorneys will only get paid if they win your claim.
- How Much Could I Get?
- While there are no guarantees, those who sign up for the mass arbitration could potentially be entitled to hundreds of dollars.
Did you get a notice from 23andMe about a data incident?
If so, join others taking action against the company. It doesn’t cost anything to sign up, and all you need to do is fill out a quick form using the link below.
Attorneys working with ClassAction.org are looking into whether legal action can be taken against 23andMe in light of a recent data security incident.
On October 6, 2023, the company announced that customers’ profile information had been accessed without authorization by hackers who used recycled login credentials to break into users’ accounts. According to reports, information belonging to nearly 7 million users was listed for sale on the dark web in the wake of the incident.
The attorneys believe 23andMe may have failed to implement proper data security measures and are now gathering victims to take action against the company via mass arbitration.
If you’re a California or Illinois resident who received notice from 23andMe that your information was accessed in the breach, sign up by filling out this quick, secure form.
23andMe Data Breach Scandal: What Happened?
In early October 2023, a hacker claimed to have stolen information about at least 7 million 23andMe users in a data security incident that was confirmed by the company on October 6.
According to reports, the stolen data was likely obtained through a method called “credential stuffing,” which involves accessing accounts using consumers’ reused passwords that were exposed in other data breaches. A 23andMe spokesperson told BleepingComputer.com that the hackers initially gained access to “a small number of accounts” using this method but were then able to scrape data from “a larger yet undefined number of clients” who had opted into the platform’s “DNA Relatives” feature, which allows genetic relatives—even those who are only distantly related—to view information on each other’s profiles.
Importantly, 23andMe explains that each user who participates in DNA Relatives can download a file containing a list of related users who have opted into the feature. This downloadable list contains users’ display names and any personal details they’ve included in their profiles.
According to news reports, two databases shared on dark web forums in the wake of the data breach contained personal information belonging to 1 million 23andMe users of Ashkenazi Jewish heritage and 300,000 users of Chinese descent.
The leaked data reportedly included profile and account ID numbers, display names, genders, birth years and ancestry information, and the unauthorized actors may have also had access to users’ profile pictures and locations.
NBC News wrote that the database titled “ashkenazi DNA Data of Celebrities” may have come from a larger dataset and appeared to have been sorted to include only users of Ashkenazi heritage (most of whom are not celebrities).
In a notice posted on its website, 23andMe stated that it will notify customers directly if their data was found to have been accessed without authorization.
BleepingComputer.com reported that at least four class action lawsuits have been filed “seeking relief for the damage done by 23andMe’s failure to protect [users’] data.” The publication wrote that although affected users voluntarily opted into the DNA Relatives data-sharing feature, some believe 23andMe should have implemented layers of data protection to ensure that their information was not accessed without authorization.
“In this case, many people following proper security practices by enabling [two-factor authentication] on their accounts and using a strong and unique password still found themselves exposed, and their sensitive data leaked on cybercrime forums,” BleepingComputer.com reported.
Is This a Lawsuit? What Am I Signing Up For, Exactly?
You are not signing up for a lawsuit, but rather a process known as mass arbitration. This is a relatively new legal technique that, like a class action lawsuit, allows a large group of people to take action and seek compensation from a company over an alleged wrongdoing. Here is a quick explanation of mass arbitration from our blog:
“[M]ass arbitration occurs when hundreds or thousands of consumers file individual arbitration claims against the same company over the same issue at the same time. The aim of a mass arbitration proceeding is to grant relief on a large scale (similar to a class action lawsuit) for those who sign up.”
23andMe’s terms of service contain both a class action waiver and an arbitration clause requiring users to resolve most disputes via arbitration, a form of alternative dispute resolution that takes place outside of court before a neutral arbitrator, as opposed to a judge or jury.
It’s for this reason that attorneys working with ClassAction.org have decided to handle this matter as a mass arbitration rather than a class action lawsuit.
How Much Does This Cost?
It costs nothing to sign up, and you’ll only need to pay if the attorneys win money on your behalf. Their payment will come as a percentage of your award.
If they don’t win your claim, you don’t pay.
How Much Money Could I Get?
There are no guarantees as to how much money you could get or whether your claim will be successful. However, those who sign up for the mass arbitration could potentially be entitled to hundreds of dollars.
Sign Up and Take Action
If you are a California or Illinois resident who received notice from 23andMe that your information was accessed without authorization, join others taking action by filling out this quick, secure form.
Before commenting, please review our comment policy.