California Attorney General Targets 23andMe Over Massive Genetic Data Breach

The lawsuit alleges 23andMe failed to implement basic security measures against credential stuffing attacks, exposing sensitive genetic and health data of nearly 7 million customers.

CSBadmin
The Credential Stuffing Attack and Its Fallout

California Attorney General Rob Bonta has filed a lawsuit against 23andMe, now operating as Chrome Holding Co., alleging the company failed to protect sensitive customer data. The legal action stems from a 2023 security incident that compromised the personal and genetic information of nearly 7 million customers, including over 855,000 Californians. The breach came to light in October 2023 when threat actors began selling stolen records online and leaked data samples to prove their authenticity.

23andMe confirmed the leaked data was genuine and attributed the breach to a credential stuffing attack: the attackers replayed username and password pairs leaked in breaches of other services against 23andMe's login, and gained entry wherever a customer had reused the same password. That step directly compromised roughly 14,000 accounts. The attackers then used the DNA Relatives feature inside those accounts to harvest the profile data of every other opted-in user listed as a match, reaching millions of accounts that were never logged into. The exposed information included genetic data, health predisposition details, ancestry and ethnicity records, biological relative information, and DNA matches.

The lawsuit contends that 23andMe failed to implement reasonable safeguards against credential stuffing attacks, missed multiple opportunities to detect the intrusion, and did not catch a coding error in the DNA Relatives feature that enabled the widespread breach. Attorney General Bonta also highlighted misleading public statements from the company. Before the incident, 23andMe claimed its security met high standards. After the breach, the company attempted to downplay the severity, suggesting the exposed data was largely public and blaming customers for password reuse while insisting its systems had not been compromised.
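The two failures the complaint describes, no safeguard against credential stuffing and no detection of the DNA Relatives enumeration that followed, both leave signals in ordinary logs. The following is an added example (not code from 23andMe, the Attorney General's office or BleepingComputer) of detection rules run over constructed authentication and API log lines. The log format, field names (`LOGIN`, `RELATIVES`), IP addresses, usernames and thresholds are all assumptions made for the example; the first rule flags a source that tries many distinct usernames with a low success rate, and the second flags an account that pulls an abnormal number of relative profiles, then the two are joined to surface accounts that were both taken over and used for scraping.

```python
"""Detection rules for a credential stuffing burst followed by DNA Relatives
profile enumeration. Added example, not any vendor's code; log format,
field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines (not from any real system). Space separated fields:
#   <ISO timestamp> <event> <source IP> <username> <detail>
# detail is OK/FAIL for LOGIN and a relative profile id for RELATIVES.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z LOGIN 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z LOGIN 203.0.113.7 bob FAIL
2023-10-01T10:00:03Z LOGIN 203.0.113.7 carol OK
2023-10-01T10:00:04Z LOGIN 203.0.113.7 dave FAIL
2023-10-01T10:00:05Z LOGIN 203.0.113.7 erin FAIL
2023-10-01T10:00:06Z LOGIN 203.0.113.7 frank FAIL
2023-10-01T10:00:07Z LOGIN 203.0.113.7 gina OK
2023-10-01T10:00:30Z LOGIN 198.51.100.20 heidi FAIL
2023-10-01T10:00:45Z LOGIN 198.51.100.20 heidi OK
2023-10-01T10:05:00Z RELATIVES 198.51.100.20 heidi rel-0001
2023-10-01T10:05:10Z RELATIVES 198.51.100.20 heidi rel-0002
"""
# Constructed scraping phase: the hijacked account 'carol' pulls 120 distinct
# relative profiles within two minutes from the same source IP.
SAMPLE_LOG += "".join(
    f"2023-10-01T10:0{1 + i // 60}:{i % 60:02d}Z RELATIVES 203.0.113.7 carol rel-{i:04d}\n"
    for i in range(120)
)


def parse_line(line):
    ts, event, ip, user, detail = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": event, "ip": ip, "user": user, "detail": detail,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many *different* usernames inside one time
    window with a low success rate. One user fumbling their own password
    hits one username; a replayed credential dump hits many."""
    buckets = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                   "attempts": 0, "successes": 0})
    for ev in events:
        if ev["event"] != "LOGIN":
            continue
        slot = int(ev["ts"].timestamp() // window.total_seconds())
        b = buckets[(ev["ip"], slot)]
        b["users"].add(ev["user"])
        b["attempts"] += 1
        if ev["detail"] == "OK":
            b["successes"] += 1
            b["ok_users"].add(ev["user"])
    flagged = {}
    for (ip, _), b in buckets.items():
        ratio = b["successes"] / b["attempts"]
        if len(b["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(b["users"]),
                           "attempts": b["attempts"],
                           "successes": b["successes"],
                           # accounts the stuffing run actually got into
                           "compromised": sorted(b["ok_users"])}
    return flagged


def detect_relative_scraping(events, max_profiles=50):
    """Flag accounts that fetch more distinct relative profiles than a
    genuine user browsing their matches plausibly would."""
    seen = defaultdict(set)
    for ev in events:
        if ev["event"] == "RELATIVES":
            seen[ev["user"]].add(ev["detail"])
    return {user: len(ids) for user, ids in seen.items() if len(ids) > max_profiles}


def hijacked_scrapers(events):
    """Accounts that were both logged into by a flagged stuffing source and
    then used to enumerate relatives: the highest-confidence signal."""
    stuffing = detect_credential_stuffing(events)
    hijacked = {u for info in stuffing.values() for u in info["compromised"]}
    return sorted(hijacked & set(detect_relative_scraping(events)))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_credential_stuffing(evs))
    print(detect_relative_scraping(evs))
    print(hijacked_scrapers(evs))
```

Either rule alone produces false positives (a shared corporate NAT for the first, a power user for the second); the join is what turns two noisy signals into an alert worth paging on, and it only works if login telemetry and feature-level access logs are kept in the same place with a common account key.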

The complaint alleges violations of multiple California laws, including the Genetic Information Privacy Act, the Reasonable Data Security Law, the Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law. The state seeks an injunction to prevent further violations and statutory penalties ranging from $1,000 to $7,500 per violation. This lawsuit adds to the company’s legal troubles, which already included multiple class action lawsuits and multi-million dollar fines from data protection authorities, ultimately contributing to 23andMe’s bankruptcy filing.

Source: BleepingComputer
