DNA testing company 23andMe fined for data breach
Genetic testing company 23andMe got hit with a £2.3m fine by the UK's privacy watchdog after a 2023 data breach exposed sensitive details—like names, family trees, and health reports—of more than 150,000 UK users.
The leak came to light when stolen data started popping up on online forums.
Hackers exploited weak security to access user accounts
Hackers pulled off what's called a "credential stuffing" attack: they used stolen passwords from other sites to break into accounts because 23andMe didn't require strong two-factor authentication and many people reused passwords.
Even though only a few accounts were broken into directly, the way 23andMe's system shared information between users' accounts meant the hackers could access data from around 6.9 million users worldwide.
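As an added illustration (not code from the article or from 23andMe), this is how a defender might spot the credential-stuffing pattern described above in authentication logs: one source trying many different accounts with mostly failed logins, then a handful of successes on reused passwords. The log format, addresses and usernames are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample login events (not real logs): one source cycles through
# many distinct accounts with mostly failed logins, the classic stuffing pattern.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2023-10-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2023-10-01T10:00:03Z src=203.0.113.5 user=carol result=SUCCESS
2023-10-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2023-10-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2023-10-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2023-10-01T10:01:00Z src=198.51.100.7 user=grace result=FAIL
2023-10-01T10:01:05Z src=198.51.100.7 user=grace result=SUCCESS
2023-10-01T10:02:00Z src=192.0.2.9 user=heidi result=SUCCESS
"""

@dataclass
class Event:
    ts: str
    src: str
    user: str
    result: str

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(ts, fields["src"], fields["user"], fields["result"]))
    return events

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Flag sources that hit many distinct accounts with a high failure rate.
    Successful logins from a flagged source are the accounts to force a password
    reset and re-authentication on. (Real attacks often spread across many
    addresses, so production detection would also aggregate by ASN or fingerprint.)"""
    per_src = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": []})
    for e in events:
        s = per_src[e.src]
        s["users"].add(e.user)
        s["total"] += 1
        if e.result == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].append(e.user)
    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"users": len(s["users"]), "fail_ratio": round(ratio, 2),
                            "compromised": sorted(s["hits"])}
    return flagged
```

A single legitimate user retrying their own password (198.51.100.7) is not flagged, because the rule keys on the number of distinct accounts, not just failures.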
Company says it'll take privacy more seriously going forward
After the breach, 23andMe boosted its security and is now offering affected users two years of free identity theft monitoring.
The company says it'll take privacy more seriously going forward—including limiting future data sales—but it's also facing several lawsuits over how it handled user information.