Data breaches are an unfortunate yet common occurrence this day and age. A couple months ago, we learned about a breach that leaked 2.9 billion data records, including users’ social security numbers. Last year, 23andme suffered a data breach of its own, but a lot changes in a year: While they can’t unleak your data, what they can do is pay you. Most of the payouts will likely be small, but for some victims, the slice of the pie is considerable.
What happened with 23andme?
Last October, 23andme announced they had been attacked. A bad actor used a tactic called credential stuffing, where they were able to gain access to 23andme accounts by utilizing the users’ credentials from their other compromised accounts. (As a side note, this highlights the importance of using a unique password for each of your accounts.)
Through this credential stuffing, this actor was able to obtain information from DNA Relatives, as the feature relies on sharing data with other users you are genetically related to. That includes information like the user’s display name, predicted relationships, and percentage of DNA that user shared with their matches. It also includes a number of optional data points if the user opted-in to sharing them, such as location, profile picture, birth year, and a link to their family tree. To that last point, a number of user data was compromised through the Family Tree feature.
Because of how the actor attacked the site, 23andme didn’t believe any internal networks were actually compromised. However, the upshot here is that roughly 14,000 users had their accounts compromised through credential stuffing, which, because of how the relative features work, lead hackers to the data of 6.9 million accounts (5.5 million from DNA Relatives, and 1.4 million from Family Tree).
Following a settlement, 23andme agreed to pay $30 million to affected users. Taken at face value, the math works out to roughly $4.35 per user. However, the actual payouts could be much more than that.
How much money is 23andme offering users?
The short answer? It depends. According to CNET, users with an “extraordinary claim” could receive up to $10,000. To qualify, you need to prove this data breach had a substantial impact on your life that lead to expenses on your end, such as from identity fraud or fraudulent tax returns.
If your personal health information leaked, 23andme could owe you up to $100. If you live in Alaska, California, Illinois, or Oregon, you could also see up to $100, since there are specific laws in these states that apply to genetic privacy.
How to join the 23andme lawsuit
If you were affected by the data breach, you will likely be contact about the lawsuit directly—either by email or snail mail. There may be instructions on this form for making your claim, but there are also existing resources on the web for applying for your share of the settlement.
Potter Handy, LLP, for example, will help you if you live in Illinois. If you live in the UK, you can use Join the Claim: If you confirm you were contacted about your eligibility in the suit, the site will connect you with a UK-based firm.
