Inside story

23andMe faces lawsuit as hackers sell information on users with Jewish heritage

DNA testing company 23andMe blames users’ recycled passwords for data breach that affected 6.9 million accounts; August lawsuit indicates other companies may be implicated

23andMe headquarters in Silicon Valley, Sunnyvale, California, July 26, 2020. (Michael Vi/Shutterstock.com)

DNA testing company 23andMe is being accused of failing to notify users with Ashkenazi Jewish and Chinese heritage that they were specifically targeted in a data breach last year and that their information was collated into lists that were sold on the dark web, according to a new lawsuit.

In an October 6 blog post on its website, the company initially disclosed the data breach, which had gone on undetected between May and September 2023. The post accuses customers of being the source of the issue, saying that the hackers gained access by targeting users who reused the same username and password across multiple websites, a technique known as credential stuffing.

In an update to the blog a few days later, 23andMe said it was investigating the breach with the help of “third-party forensic experts” and federal law enforcement officials.

The investigation was completed in December, and an update to the blog concluded that the hackers had gained access to roughly 14,000 accounts whose users had reused passwords. Through the breached accounts, further information was collected via 23andMe’s Family Tree feature and the DNA Relatives feature, in which people can choose to share data with potential genetic relatives. In both cases, other people’s names, locations, and birthdays are visible to the user.
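The two mechanisms described above, credential stuffing against accounts with reused passwords and bulk harvesting through a relative-sharing feature, both leave a recognizable footprint in server logs. The following is an added illustration written for this article, not code from 23andMe or from the lawsuit filings; the log format, field names, thresholds and sample lines are all constructed. It flags source addresses that attempt many distinct usernames with a low success rate inside a short window, and accounts that view an implausible number of relative profiles within a minute.

```python
"""Detecting credential stuffing and bulk relative-profile scraping in application logs.

All log lines below are constructed for illustration; the format is hypothetical:
  <ISO timestamp> <event> ip=<addr> user=<name> [result=ok|fail] [profile=<id>]
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one address sprays ten different usernames in a few seconds
# (two succeed), a normal user fails once then logs in, and the compromised
# "carol" account then pages through 25 relative profiles in under a minute.
SAMPLE_LOG = """\
2023-06-01T10:00:01 login ip=203.0.113.5 user=alice result=fail
2023-06-01T10:00:02 login ip=203.0.113.5 user=bob result=fail
2023-06-01T10:00:02 login ip=203.0.113.5 user=carol result=ok
2023-06-01T10:00:03 login ip=203.0.113.5 user=dave result=fail
2023-06-01T10:00:03 login ip=203.0.113.5 user=erin result=fail
2023-06-01T10:00:04 login ip=203.0.113.5 user=frank result=fail
2023-06-01T10:00:05 login ip=203.0.113.5 user=grace result=ok
2023-06-01T10:00:06 login ip=203.0.113.5 user=heidi result=fail
2023-06-01T10:00:07 login ip=203.0.113.5 user=ivan result=fail
2023-06-01T10:00:08 login ip=203.0.113.5 user=judy result=fail
2023-06-01T10:01:00 login ip=198.51.100.7 user=mallory result=fail
2023-06-01T10:01:30 login ip=198.51.100.7 user=mallory result=ok
2023-06-01T10:05:00 relatives_view ip=198.51.100.7 user=mallory profile=r1
2023-06-01T10:06:00 relatives_view ip=198.51.100.7 user=mallory profile=r2
"""
SAMPLE_LOG += "".join(
    f"2023-06-01T10:02:{i:02d} relatives_view ip=203.0.113.5 user=carol profile=r{i}\n"
    for i in range(25)
)


def parse_log(text):
    """Turn the constructed log format into a list of event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "event": event}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def _sliding_windows(evs, window_seconds):
    """Yield (start, end) index pairs so that evs[start:end+1] spans <= window_seconds."""
    evs.sort(key=lambda e: e["ts"])
    start = 0
    for end in range(len(evs)):
        while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
            start += 1
        yield start, end


def detect_credential_stuffing(events, window_seconds=300,
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A legitimate user retrying a forgotten password hits one account; a stuffing
    run hits many accounts with a low hit rate. Returns {ip: stats} for the
    widest qualifying window per IP, including which accounts did succeed so
    they can be force-reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event"] == "login":
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for start, end in _sliding_windows(evs, window_seconds):
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            successes = sorted({e["user"] for e in window if e["result"] == "ok"})
            ratio = len([e for e in window if e["result"] == "ok"]) / len(window)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(window),
                                   "success_ratio": round(ratio, 2),
                                   "compromised_users": successes}
    return flagged


def detect_bulk_relative_access(events, window_seconds=60, max_profiles=20):
    """Flag accounts viewing more than max_profiles distinct relative profiles
    within window_seconds; returns {user: peak distinct profiles in a window}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "relatives_view":
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for start, end in _sliding_windows(evs, window_seconds):
            profiles = {e["profile"] for e in evs[start:end + 1]}
            if len(profiles) > max_profiles:
                flagged[user] = max(flagged.get(user, 0), len(profiles))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("bulk relative access:", detect_bulk_relative_access(evs))
```

On the constructed sample the first detector flags 203.0.113.5 (ten usernames, two successes, carol and grace, in eight seconds) and leaves 198.51.100.7 alone, while the second flags carol's 25 profile views in one minute and not mallory's two. In a real deployment the thresholds would be tuned against baseline traffic, and the successful logins from a flagged address are the accounts to force-reset and notify.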

According to 23andMe, the hackers gained information on a total of 6.9 million of the website’s accounts, which is almost half of all the company’s customers.

While the company released this information in December and said it had notified the specific users who were affected by the breach, it did not mention at any point that the hackers had seemingly specifically targeted people with Chinese or Ashkenazi Jewish heritage.

A sample for a DNA test. (Utah 778 via iStock)

Meanwhile, on the same day that 23andMe initially announced the breach in its blog, Wired reported that data, including full names and home addresses, on one million people with alleged Jewish ancestry had been posted on the hacking forum Breach Forums a few days earlier. The hackers later revealed information on 100,000 people with Chinese ancestry as well.

The report added that the hackers were selling information on specific accounts for between $1 and $10.

Last week, Tech Crunch shared the letter that 23andMe had sent out to users whose data was stolen. The company explained that it had only become aware of the breach after someone posted a sample of the stolen information on the unofficial 23andMe subreddit and claimed to have more.

While the letter also mentioned that some users’ information was posted on Breach Forums, it still did not inform affected users that the information being shared on the dark web was primarily that of Ashkenazi Jews.

A day after the data breach was first shared, Hamas launched an unprecedented attack on Israel on October 7, killing some 1,200 people, mostly civilians, in the South and kidnapping 253. Israel immediately declared war on Hamas in response.

Following the attack and the beginning of the war, rates of antisemitism spiked worldwide with Jews being targeted by verbal and physical abuse in many countries, including in the US, where 23andMe is based.

Closeup of hands typing on a keyboard. (Nattakorn Maneerat via iStock)

One of the victims in the data breach, and a plaintiff in the lawsuit, J.L. from Florida, told The New York Times that he had discovered he had Ashkenazi Jewish heritage when he did 23andMe’s DNA test last year.

He added that with surging antisemitism, he feared the information gained by the hackers would be used against him and his family.

“Now that the information is out there, somebody could come in and decide that they’re going to take out their frustrations [regarding the war in Gaza] on me,” he told The New York Times.

Following the data breach and reports that Jews were targeted in the hack, US Representative Josh Gottheimer, a Democrat of New Jersey, announced on January 11 that he was demanding the FBI investigate the data breach, sharing a letter he had sent to the bureau’s director Christopher Wray.

“I am deeply concerned that this data could be purchased by nefarious actors who seek to harm Jewish people solely based on their heritage or religion, both in the United States and globally,” he wrote.

His other concern, he said, was that the leaked data could be used to empower Hamas and its supporters to attack American Jews and their families.

Undated image made available by the National Human Genome Research Institute shows the output from a DNA sequencer. (NHGRI via AP, File)

“History tells us that when extremists threaten genocide against Jews, we should take them seriously and take swift and robust actions to prevent such atrocities,” he added.

As the lawsuit develops, other companies could be implicated in 23andMe’s data breach, as indicated by a lawsuit from August against DNA testing company Sequencing.

David Melvin, who is also the lead plaintiff in the 23andMe lawsuit, was granted class action certification in August alongside others in Illinois after accusing Sequencing of sharing customers’ DNA reports with third-party companies without their consent. By doing so, the company was violating the Illinois Genetic Information Privacy Act, which prohibits DNA sequencing companies from sharing information with any party other than the customers and other parties authorized by them.

One of the third-party companies with whom Sequencing shared DNA reports of customers was 23andMe. There is not yet any evidence that any of the information stolen from 23andMe originated from Sequencing. However, if any of the data was given to 23andMe as a third party, it is likely that the relevant people did not consent to their personal information being given to the company and do not yet know it has potentially been stolen as a result of Sequencing’s alleged information distribution.

If true, this could mean that the 23andMe data breach has affected people who are not even direct customers of the company, raising questions on the scope of the issue.
