23andMe Agrees to Pay Millions in Settlement for Major Data Breach
23andMe, the biotech firm known for its DNA testing kits, has recently made headlines after agreeing to pay tens of millions of dollars to the victims of a major data breach that occurred in 2023.
The breach, which affected over six million individuals, exposed a significant amount of personal information, including files related to users’ ancestry. As a result, 23andMe has committed to improving its security measures, such as implementing mandatory multi-factor authentication (MFA), protecting against credential stuffing attacks, and conducting annual security audits.
Despite the settlement, 23andMe maintains its innocence and denies any wrongdoing related to the breach. The company specified in the settlement agreement that the agreement should not be seen as an admission of guilt or liability.
One of the key factors that led to the breach was the lack of MFA on certain user accounts, allowing hackers to access data through previously compromised credentials. The hackers were able to gather information from additional users who had opted into the DNA Relatives feature offered by 23andMe.
While 23andMe’s legal team argued that user negligence played a role in the breach, many customers were impacted through no fault of their own. The compromised data reportedly did not include sensitive information such as Social Security numbers or payment details, but it still exposed the personal information of millions of customers.
In total, approximately 6.9 million customers, including 6.4 million U.S. residents, were affected by the breach. In a separate incident in October 2023, threat actors claimed to be selling genetic profile data for millions of British and Ashkenazi Jewish individuals.
As 23andMe works to enhance its security protocols and protect user data, the aftermath of this major breach serves as a reminder of the importance of prioritizing cybersecurity in the digital age.