Advertisement

Lawsuit says 23andMe hackers targeted users with Chinese and Ashkenazi Jewish heritage

And the company failed to notify users that their details were compiled in curated lists and leaked online.

JasonDoiy via Getty Images

In October 2023, 23andMe admitted that it suffered a data breach that compromised its users' information. The company has been hit with several lawsuits since then, and according to The New York Times, one of them is accusing 23andMe of failing to notify customers that they were specifically targeted for having Chinese and Ashkenazi Jewish heritage. They also weren't told that their test results with genetic information had been compiled in curated lists that were then shared on the dark web, the plaintiffs said. 23andMe recently released a copy of the letters it sent to affected customers, and they didn't contain any reference to the users' heritage.

The lawsuit was filed in federal court in San Francisco after the company revealed that the hack had gone unnoticed for months. Apparently, the hackers started accessing customers' accounts using login details already leaked on the web in late April 2023 and continued with their activities until September. It wasn't until October that the company finally found out about the hacks. On October 1, hackers leaked the names, home addresses and birth dates of 1 million users with Ashkenazi Jewish ancestry on black hat hacking forum BreachForums.

After someone responded to the post asking access to "Chinese accounts," the lawsuit said the poster linked to a file containing information on 100,000 Chinese users. The poster also said they had access to 350,000 Chinese profiles and could release more information if there was enough interest. In addition, the same poster allegedly returned to the forum in mid-October to sell data on "wealthy families serving Zionism" after the explosion at Al-Ahli Arab Hospital in Gaza.

"The current geopolitical and social climate amplifies the risks" to users whose data was exposed, according to the lawsuit, since the leaked information included their names and addresses. The plaintiffs want their case to be heard by a jury and are seeking compensatory, punitive and other damages.