23andMe continues to garner negative press for its incident response. It seems like only yesterday that they were trying to blame victims, citing reused passwords as the cause of a credential stuffing attack that resulted in the theft of ancestry and genetic data of almost seven million users. But how will they explain to regulators and juries that they didn’t even detect the breach for months?
TechCrunch reports:
In a data breach notification letter filed with regulators this weekend, 23andMe revealed that hackers started breaking into customers’ accounts in April 2023 and continued through most of September.
In other words, for around five months, 23andMe did not detect a series of cyberattacks where hackers were trying — and often succeeding — in brute-forcing access to customers’ accounts, according to a legally required filing 23andMe sent to California’s attorney general.
Read more at TechCrunch.