23andMe Data Breach Scandal: Attorneys Investigating Hack
Last Updated on December 22, 2023
Investigation Complete
Attorneys working with ClassAction.org have finished their investigation into this matter.
Check back for any potential updates. The information on this page is for reference only.
At A Glance
- This Alert Affects: 23andMe customers who live in California or Illinois and received notice from the company that their information may have been accessed without their authorization.
- What’s Going On? In early October 2023, a hacker reportedly claimed to have stolen data points on millions of 23andMe customers and sold their information on the dark web. Attorneys working with ClassAction.org are now gathering data breach victims to take action.
- What Am I Signing Up For, Exactly? You’re signing up for what’s known as “mass arbitration,” which involves hundreds or thousands of consumers bringing individual arbitration claims against the same company at the same time and over the same issue. This is different from a class action lawsuit and takes place outside of court.
- How Much Could I Get? While there are no guarantees, those who sign up for the mass arbitration could potentially be entitled to hundreds or thousands of dollars under state privacy laws.
Attorneys working with ClassAction.org are looking into whether legal action can be taken against 23andMe in light of a recent data security incident.
On October 6, 2023, the company announced that customers’ profile information had been accessed without authorization by hackers who used recycled login credentials to break into users’ accounts. According to reports, information belonging to nearly 7 million users was listed for sale on the dark web in the wake of the incident.
The attorneys believe 23andMe may have failed to implement proper data security measures to keep consumers' information safe and are now gathering victims to take action against the company via mass arbitration.
23andMe Data Breach Scandal: What Happened?
In early October 2023, a hacker claimed to have stolen information about at least 7 million 23andMe users in a data security incident that was confirmed by the company on October 6.
According to reports, the stolen data was likely obtained through a method called “credential stuffing,” which involves accessing accounts using consumers’ reused passwords that were exposed in other data breaches. A 23andMe spokesperson told BleepingComputer.com that the hackers initially gained access to “a small number of accounts” using this method but were then able to scrape data from “a larger yet undefined number of clients” who had opted into the platform’s “DNA Relatives” feature, which allows genetic relatives—even those who are only distantly related—to view information on each other’s profiles.
Importantly, 23andMe explains that each user who participates in DNA Relatives can download a file containing a list of related users who have opted into the feature. This downloadable list contains users’ display names and any personal details they’ve included in their profiles.
According to news reports, two databases shared on dark web forums in the wake of the data breach contained personal information belonging to 1 million 23andMe users of Ashkenazi Jewish heritage and 300,000 users of Chinese descent.
The leaked data reportedly included profile and account ID numbers, display names, genders, birth years and ancestry information, and the unauthorized actors may have also had access to users’ profile pictures and locations.
NBC News wrote that the database titled “ashkenazi DNA Data of Celebrities” may have come from a larger dataset and appeared to have been sorted to include only users of Ashkenazi heritage (most of whom are not celebrities).
In a notice posted on its website, 23andMe stated that it will notify customers directly if their data was found to have been accessed without authorization.
BleepingComputer.com reported that at least four class action lawsuits have been filed “seeking relief for the damage done by 23andMe’s failure to protect [users’] data.” The publication wrote that although affected users voluntarily opted into the DNA Relatives data-sharing feature, some believe 23andMe should have implemented layers of data protection to ensure that their information was not accessed without authorization.
“In this case, many people following proper security practices by enabling [two-factor authentication] on their accounts and using a strong and unique password still found themselves exposed, and their sensitive data leaked on cybercrime forums,” BleepingComputer.com reported.
Is This a Lawsuit? What Am I Signing Up For, Exactly?
You are not signing up for a lawsuit, but rather a process known as mass arbitration. This is a relatively new legal technique that, like a class action lawsuit, allows a large group of people to take action and seek compensation from a company over an alleged wrongdoing. Here is a quick explanation of mass arbitration from our blog:
“[M]ass arbitration occurs when hundreds or thousands of consumers file individual arbitration claims against the same company over the same issue at the same time. The aim of a mass arbitration proceeding is to grant relief on a large scale (similar to a class action lawsuit) for those who sign up.”
23andMe’s terms of service contain both a class action waiver and an arbitration clause requiring users to resolve most disputes via arbitration, a form of alternative dispute resolution that takes place outside of court before a neutral arbitrator, as opposed to a judge or jury.
It’s for this reason that attorneys working with ClassAction.org have decided to handle this matter as a mass arbitration rather than a class action lawsuit.
How Much Does This Cost?
It costs nothing to sign up, and you’ll only need to pay if the attorneys win money on your behalf. Their payment will come as a percentage of your award.
If they don’t win your claim, you don’t pay.
How Much Money Could I Get?
There are no guarantees as to how much money you could get or whether your claim will be successful. However, those who sign up for the mass arbitration could potentially be entitled to hundreds or thousands of dollars under state privacy laws.