It took 5 months for 23andMe to notice they were hacked

What if hackers didn't just steal your credit card number, but the blueprints of your biological history? It's what happened to 23andMe's customers in a breach that unfolded over five silent months according to a legally required filing 23andMe sent to California’s attorney general. Hackers didn't just peek into personal histories; they barged in, making off with data from 6.9 million individuals. This breach wasn't a quick smash-and-grab; it was a marathon of vulnerability exploitation, unnoticed until the stolen data took a bow on the dark web's stage.


This wasn't a cutting-edge digital attack but a basic password exploit. Hackers leveraged reused passwords to brute-force their way into accounts. Then, escalating the problem, they used the DNA Relatives feature to move laterally, compromising the data of millions who weren't directly hacked but opted into connectedness.

The Aftermath and the Accountability

23andMe then engaged in a troubling blame game. Users were blamed for "recycling" passwords while lawsuits piled up. The company attempted to shield itself with last-minute changes to the Terms of Service. .

Lessons learned

In this data breach scenario, the company remained unaware of the hackers infiltrating customer accounts for an alarming duration of approximately 5 months. The hacking activities began in April 2023 and continued through most of September before the breach was detected in October. This prolonged period of undetected access allowed the attackers to systematically exploit vulnerabilities, leading to the significant compromise of user data.

This extensive time frame before detection underscores the necessity for continuous monitoring and rapid response mechanisms within cybersecurity frameworks. It highlights a critical lesson for web developers and site owners: the importance of implementing real-time anomaly detection systems and having an effective incident response plan in place. These measures are essential to identify and mitigate unauthorized access swiftly, minimizing potential damage and protecting user data from such breaches:

  1. Embrace Strong Authentication: Implement multi-factor authentication (MFA) across your platforms. It's an additional gate, one that requires more than just a key (password) to open.

  2. Detect Early, with honeypots: Invest in monitoring tools that can detect unusual access patterns or breach attempts. A honeypot (like we do at HackersBait) can let you know a hacker go through your data, Early detection is the difference between a close call and a full-blown data disaster.

  3. Foster Transparency and Trust: In the event of a breach, communicate clearly, openly, and promptly with your users. Trust is hard to earn and easy to lose; handle it with care.

  4. Educate and Empower Your Users: Provide guidance on creating strong, unique passwords and the importance of security practices.

  5. Review and Revise Security Measures Regularly: The digital landscape evolves, and so do the tactics of those looking to exploit it. Regularly review your security measures to ensure they're up to date.

In Conclusion

WebSecurity isn't static; it's a dynamic, ongoing effort. By adopting robust security measures and fostering a culture of transparency and education, we can protect not just our data but the trust of those we serve.