23andMe Breach Compounded by Theft of Ethnicity Data

Corporate Counsel - ALM

What You Need to Know

  • 23andMe disclosed the theft of customer data in early October.
  • The company says that rather than breaching its defenses, hackers gained access by amalgamating logins and passwords from other sites that were compromised.
  • Customers have filed two dozen lawsuits, and regulators have launched investigations.


Joshua Gold, a shareholder in the New York office of Anderson Kill and co-chair of its cyber insurance recovery group, said hackers are increasingly amalgamating stolen information and leveraging it to unlock more doors, a practice known as credential-stuffing.

It’s a tactic that’s effective partly because users often use the same password for many of their online accounts.

“They’re just stealing data, and they’re starting to combine it. These hackers are able to put it all together and put it up for sale to other criminals,” he said.

In lawsuits that have begun to pile up against 23andMe, customers say the company’s explanation doesn’t get it off the hook.


To read this full article, click here (subscription required).

Related People

Cyber Insurance Recovery Attorney | Anderson Kill P.C.
Joshua Gold
New York

Related Practice Areas