The Guardian (February 17, 2024) — The company pointed at people who ‘failed to update their passwords’ as sensitive data was offered for sale on forums.

Three years ago, a man in Florida named JL decided, on a whim, to send a tube of his spit to the genetic testing site 23andMe in exchange for an ancestry report. JL, like millions of other 23andMe participants before him, says he was often asked about his ethnicity and craved a deeper insight into his identity. He said he was surprised by the diversity of his test results, which showed he had some Ashkenazi Jewish heritage.

JL said he didn’t think much about the results until he learned of a huge breach at the company that exposed the data of nearly 7 million people, about half of the company’s customers. Worse, he later learned of a hacker going by the pseudonym “Golem” who had offered to sell the names, addresses and genetic heritage reportedly belonging to 1 million 23andMe customers with similar Ashkenazi Jewish heritage on a shadowy dark web forum. Suddenly, JL worried his own flippant decision to catalog his genes could put him and his family at risk.

“I didn’t know my family was going to potentially be a target,” he said. “I may have put my family and myself in danger for something I did out of curiosity more than anything.”

JL, who asked to only be identified by his initials due to the ongoing privacy issues, is one of two plaintiffs listed in a recent class-action lawsuit filed in California against 23andMe. Plaintiffs claim the company failed to adequately notify users of Jewish and Chinese heritage after they were allegedly targeted. The lawsuit claims hackers placed those users in “specially curated lists” that could have been sold to individuals looking to do harm.

23andMe has since confirmed hackers gained access to 14,000 user accounts over a span of five months last year, some of which revealed detailed, sensitive reports on users’ health. The company revealed details on the exact types of data stolen in its months-long breach in a January data breach notification letter sent to California’s attorney general earlier last month. Hackers accessed users’ “uninterrupted raw genotype data” and other highly sensitive information, like health predisposition reports and carrier-status reports gleaned from the processing of a user’s genetic information. Worse still, 23andMe confirmed the thieves also accessed other personal information from up to 5.5 million people who opted in to a feature that lets them find and connect with genetic relatives.