News 23andMe confirms hackers accessed data of 6.9 million users

[The Helper]

Genetic testing 23andMe confirmed Monday that hackers stole personal data from approximately 6.9 million users — or roughly half of its entire customer base.

The California-based company announced last week that hackers had accessed the personal data of 0.1% of its customers — around 14,000 individuals.

Hackers were able to breach those accounts because the customers had used the same username and password on 23andMe as they had on other websites that had been previously compromised.

By accessing those accounts to access "Credential Stuffed Accounts," hackers were able to access roughly 5.5 million DNA Relatives profile files. An additional 1.4 million customers participating in the DNA Relatives feature had their Family Tree profile information access, which is a limited subset of the DNA Relative profile information.

23andMe confirms hackers accessed data of 6.9 million users

Genetic testing company 23andMe confirmed Monday that hackers stole personal data from 6.9 million customers, or roughly half of all users.

www.foxbusiness.com

 

[The Helper]

After hack, 23andMe gives users 30 days to opt out of class-action waiver

Anyone who fails to opt out "will be deemed to have agreed to the new terms."

Shortly after 23andMe confirmed that hackers stole ancestry data of 6.9 million users, 23andMe has updated its terms of service, seemingly cutting off a path previously granted to users seeking public accountability when resolving disputes.

According to a post on Hacker News, the "23andMe Team" notified users in an email that "important updates were made to the Dispute Resolution and Arbitration section" of 23andMe's terms of service on November 30. This was done, 23andMe told users, "to include procedures that will encourage a prompt resolution of any disputes and to streamline arbitration proceedings where multiple similar claims are filed."

In the email, 23andMe told users that they had 30 days to notify the ancestry site that they disagree with the new terms. Otherwise, 23andMe users "will be deemed to have agreed to the new terms." The process for opting out is detailed in the site's terms of service, instructing users to send written notice of their decision to opt out in an email to [email protected].

It is not necessarily obvious to users exactly what has changed in the dispute resolution and arbitration section of the ToS. Some users may recall that 23andMe had previously required users to agree to arbitration, but recent changes seem to have removed users' previously acknowledged right to seek public injunctive relief for any irreparable harm. That seems significant since 23andMe's update comes when millions of 23andMe users feel vulnerable following a cyberattack that leaked a million data points, Wired reported.

After hack, 23andMe gives users 30 days to opt out of class-action waiver

Anyone who fails to opt out "will be deemed to have agreed to the new terms."

arstechnica.com