Lawsuit Alleges 23andMe’s Data Breach Targeted Jewish and Chinese Users

In 2023, a data breach took place between May and September at 23andMe, the DNA testing company. Uncovered in October, it was disclosed that hackers breached accounts by exploiting usernames and passwords that were recycled by users on multiple sites. While this was initially blamed on the customers, the extent of the fallout was discovered in December, when the result of the investigation was published.

Approximately 14,000 accounts were accessed by cybercriminals because of reused passwords. Compromised accounts allowed the hackers to gather more data via 23andMe’s Family Tree feature and DNA Relatives feature, where names, birthdays, and locations were accessible. The security breach affected almost half of the company’s total customer base, equating to about 6.9 million customers.

It was also found that specific users of Chinese or Ashkenazi Jewish descent were seemingly targeted in the breach. This crucial detail was omitted in the company’s communication to its users. It came to light when Wired reported, on the same day as 23andMe announced the breach, that hackers had published data on 1 million people with Jewish ancestry and “hundreds of thousands” people of Chinese ancestry on the dark web.

The hackers were selling information, including full names and home addresses, at prices ranging from $1 to $10 per account. 23andMe confirmed the breach in a letter to its affected users, but they didn’t mention that this stolen information was chiefly of Ashkenazi Jews.

In the immediate aftermath of the breach announcement, a violent attack was launched by Hamas on Israel, killing 1,200 people. This caused a significant rise in antisemitism worldwide, where Jews became targets of verbal and physical abuse, particularly in the U.S., where 23andMe is based.

One of the victims of the data breach, who found out his Ashkenazi Jewish heritage through a 23andMe DNA test, raised concerns about the potential danger of the stolen information being used against him and his family. He told The New York Times, “Now that the information is out there, somebody could come in and decide that they’re going to take out their frustrations on me.”

Following these events, U.S. Representative Josh Gottheimer expressed serious concerns about the data being used maliciously against Jewish people. He requested an FBI investigation into the data breach situation.

As the lawsuit against the company proceeds, other businesses may also become implicated in the data breach, such as Sequencing. Sequencing has been accused of sharing DNA reports with third-party companies without customer consent, violating the Illinois Genetic Information Privacy Act. It was discovered that 23andMe was one of the third parties that received the shared data. Although there’s no evidence yet, if any information stolen from 23andMe came from Sequencing, this could mean that the data breach has affected individuals who are not even direct customers of 23andMe, raising alarming questions about the scope of this issue.