23andMe responds to breach with new suit-limiting user terms
2023-12-11 11:46

Security in brief: The saga of 23andMe's mega data breach has reached something of a conclusion, with the company saying its probe has determined millions of leaked records originated from illicit break-ins into just 14,000 accounts.

In an update on Tuesday to a blog post sharing details of the attack, 23andMe said the breach, first reported in October, was enabled via credential stuffing, through which an attacker uses username and password combinations from other breaches to try breaking into unrelated accounts.

Data swiped in the breach included names, ancestry information, self-reported location, birth year, links to family trees, and anything that may have been included in self-descriptions added to user profiles.

An additional 1.4 million sets of Family Tree data were stolen as well, 23andMe said; these include similar information as well as relationships to the individuals whose accounts were compromised.

In response, 23andMe seems very concerned at the potential legal ramifications of the breach, and has updated its terms of service in what appears to be an attempt to avoid a wave of lawsuits.

A side-by-side comparison of 23andMe's new terms of service, dated November 30, and its previous version from October 4, teased out a new dispute resolution period of 60 days during which aggrieved customers agree to "First attempt to negotiate any dispute informally before either party initiates any arbitration or court proceeding."


News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/11/in_brief_security/