Cyber Crime Junkies
Socializing Cybersecurity. Translating Cyber into business terms. Newest AI, Social Engineering and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manages cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
The Shocking Rise and Fall of 23andMe. Exposed.
We expose and discuss the rise and fall of genetic testing company 23andMe. On September 13th, 2024 the once popular genetic testing company “23andMe” agreed to a $30 million settlement stemming from a data breach that affected nearly 7 million users. The next day, on September 14th every single board member resigned. Victims of the data breach are at risk of being targeted. This is their story.
We include a segment from Michelle Aquinas with Menlo Labs. Follow her at https://www.youtube.com/@michellethevc
Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-446
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions, or text the studio number above. We'd love to hear your thoughts and suggestions for future episodes!
Rise and Fall of 23andMe
Chapters
- 00:00 The Rise and Fall of 23andMe
- 06:10 Data Breach and Its Consequences
- 11:59 Accountability and Security Failures
- 18:11 The Impact on Customers and Trust
Key topics: start up collapse, 23andme board resigns, 23andme data breach, rise and fall of 23andme, how security puts customers at risk, 23andme lawsuit, 23andme stock analysis, 23andme stock, what happens when companies don't manage security right, best ways to limit cyber attack liability, best ways to protect people from cyber crime, how data selling makes us the product, how to limit liability from data breach, identity and brand protection
Takeaways
- 23andMe's data breach affected nearly 7 million users.
- The company's board resigned following the breach and settlement.
- 23andMe's initial success was tied to the Human Genome Project.
- The company faced declining sales and privacy concerns by 2019.
- They launched a subscription service to address business model issues.
- The breach exposed users to potential ethnic targeting.
- 23andMe blamed users for reusing passwords instead of taking accountability.
- The company failed to implement basic cybersecurity measures.
- Customers are left vulnerable due to the company's negligence.
- Trust is crucial for customer relationships, and 23andMe lost it.
Dino Mauro (00:07.31)
This is the story of the rise and fall of 23andMe. It's a cautionary cyber flashpoint about what happens when companies don't manage security right. I mean, this shows us how security puts customers at risk of being placed on ethnic hit lists. You heard that right. Ethnic hit lists. This is a first on Cyber Crime Junkies, and we hope it's the last.
Dino Mauro (00:37.314)
Hey David, thanks for inviting me. So I hear today's episode is about recent developments with that genetic heritage company 23andMe. Tell me what happened recently with them. There was that data breach and we heard there was some major upheavals with the executive team recently. Seems totally crazy. Dying to dig in. Tell us what you found out. You bet. Thanks for asking. Yay, for sure. For everyone, remember, guys:
You can always text Cybercrime Junkies direct to the podcast studio by sending a text straight to 904-867-4466. That number again is 904-867-4466. It sends your text question straight to us. Okay, tell us what you found out about this crazy story, David.
Dino Mauro (01:33.39)
On September 13th, 2024, the once popular genetic testing company 23andMe agreed to a $30 million settlement stemming from a data breach that affected nearly 7 million users. What's shocking here is the security risk places these customers at risk of being placed on ethnic hit lists as the stolen data is being curated, segmented, and sold on the dark web.
The next day, on September 14th, every single board member at 23andMe resigned. The day before all the company board members resigned, genetic testing company 23andMe agreed to pay $30 million to settle a class action lawsuit stemming from a 2023 data breach that exposed the personal information
of 6.9 million customers. The settlement, filed in federal court and pending a judge's approval, resolves all claims and causes of action related to the breach. But the company's entire board resigned and it stands today as a shell of its former self. It went from a multi-billion dollar valuation to one with trading shares less than a dollar. As pointed out by Michelle Aguinas,
head of strategy at Menlo Labs in Silicon Valley, she recently shared how this last week every single board member at 23andMe resigned. She did a good explanation of the company. Here, take a listen.
Given this recent news, I wanted to share 23andMe's story so we can all be a little more informed on their history and what's going on here. I don't have all the answers, but here's what I know. 23andMe was co-founded by Ann Wojcicki, the current CEO and now sole board director. This all started in 2003 when the Human Genome Project was completed, which successfully mapped 92% of the human genome. This revolutionized the field of genetics and made it possible for 23andMe to emerge. The company was founded in 2006 with the mission of helping people access, understand, and benefit from the human genome.
Dino Mauro (03:52.206)
From the very beginning, they collected people's data, which was controversial even back then. They got their initial seed funding from Genentech, and in 2007, they raised a $3.9 million Series A from Google Ventures. It's worth mentioning that Ann had married Google co-founder Sergey Brin earlier that same month. In 2008, they had a huge launch party in New York City and got a ton of press. They started hosting celebrity spit parties, and they got on the cover of the New York Times and Wired. Time Magazine named them the 2008 Invention of the Year.
Their first ever kit cost a thousand bucks, but they were only able to sell around 15 to 20 kits a day at that point. So they continued to lower the price point. And when they got to $99, demand exploded. This early traction allowed them to raise a total of a hundred million dollars in venture funding between the years of 2009 and 2012. In 2013, the FDA ordered 23andMe to go through FDA approval.
They got approved in 2015 and this gave them a huge competitive advantage because now they were the only company that was legally allowed to sell these tests. By 2015, they had close to 1 million people in their database. That's when Anne realized that this library of data could be valuable for therapeutics. According to her, drugs that were developed using genetic information were two to three times more likely to be successful.
So they decided to raise $115 million in series E funding led by Fidelity and start their own therapeutics division. Literally using 23andMe test results to develop drugs and medication. That's when Richard Scheller got involved as chief science officer and head of therapeutics. He's one of the board members that just quit. He helped put together their entire strategic plan, who they had to hire, how much it would cost to build the lab, how long it would take to develop drugs. They became a biotech company. In September, 2017, they raised a $250 million series F round led by Sequoia Capital.
The partner on that deal, Rolaf Baata, is another one of the board directors that just resigned. By 2018, their brand awareness hit an all-time high, and they had close to 8 million people in their database. But by 2019, their sales started to decline, and there were growing concerns about privacy. People wanted to know what was happening to their data. They also faced a business model problem, because 23andMe is a one-time purchase, not a repeat one, which doesn't make it very scalable.
Dino Mauro (05:41.454)
So in 2020, they laid off 14% of their workforce and launched 23andMe Plus, an annual subscription service. In June 2021, the company went public and hit its all-time high valuation of $6 billion. Using this IPO money, they acquired Lemonade Health to start providing telehealth services as well, since that had taken off after the pandemic. But this also increased their operating costs, and privacy concerns continued to grow. Their stock started plummeting. It dropped below $1 in 2023, and they risked being delisted from the NASDAQ. That brings us to this week. Their whole board just quit.
They released a statement telling Anne, quote, we have yet to receive from you a fully financed, fully diligent, actionable proposal that's in the best interest of non-affiliated shareholders. And again, this comes following a major data breach. I've personally done a 23andMe test. I know that many of you listening to this have too, so please consider helping me amplify this message by liking, commenting, or reposting this video. That's what these platforms are here for. I'm Michelle and thanks so much for watching.
Dino Mauro (06:37.262)
As Michelle explained, by 2018 their brand awareness hit an all-time high and they had close to 8 million people in their database. But by 2019, their sales started to decline. Their stock started plummeting. It dropped below a dollar in 2023 and they risked being delisted from the NASDAQ.
This week, their whole board just quit. They released a statement telling Anne, quote, We have yet to receive from you a fully financed, fully diligent, actionable proposal that's in the best interest of non-affiliated shareholders. And again, this comes following the major data breach we are now discussing. The claims made by victim customers of 23andMe were made in allegations inside 40 lawsuits launched across the U.S. against 23andMe.
The lawsuits involved 23andMe's disclosure last October that a threat actor accessed millions of users' account information. But as we will see, their disclosure was not really voluntary. The company had not done what most experts agree are the best ways to limit cyberattack liability.
They had not managed data well enough to detect that threat actors had been inside their systems for nearly five months. They hadn't detected it themselves and instead blamed users, citing customer login credentials that were the same on 23andMe as they were on previously compromised websites. The hackers accessed various forms of information, from health-related data to ancestry reports.
Let's pull on that thread for just a bit before we move on. We have repeatedly shared true cybercrime stories on this podcast and YouTube showing everyone why they cannot, especially in 2024 approaching 2025, reuse passwords. The dangers and risks are real and expose you personally to costly financial privacy and identity harm.
Dino Mauro (09:01.942)
as well as reputational damage. But now listeners, you may be sitting there listening and saying to yourself, come on man, it is too damn hard to memorize a hundred different passwords. And we have answered you and your inner self hundreds of times on how simple it is to solve this problem of how to avoid reusing passwords. Look, are you still reusing passwords?
Here's why you should stop. Let me walk you through it. With cyber threats evolving rapidly, data security is more crucial than ever. Reusing passwords can lead to significant risks. If one account is breached, all accounts with the same password are at risk. Once the app or website is breached, then your password is for sale on the dark web. And considering many people reuse their password
hundreds of times, the risk of a threat actor hacker finding your great password online is extremely high. They can then log into any other site and impersonate you online. They can take control over your entire digital life. This exposes you to a simple hacker tactic called credential stuffing. Credential stuffing is where attackers exploit reused passwords to access multiple accounts. What is also a problem
is that reused passwords make it challenging to identify compromised accounts. For example, in the most recent Uber breach, as well as in the 2020 Twitter breach, attackers used reused passwords to access high-profile accounts, leading to significant privacy and security issues. If your password is reused, you risk compromising all things that are important to you. Your privacy, your identity,
your private health information, your financial data and work-related information. To help you, we have many no-cost reference resources. You can download our take-home resources available on our website at cybercrimejunkies.com and find ways to use a password manager, create long and complex passwords and update them right now. Circling back,
Dino Mauro (11:23.95)
how the company handled the data breach was less than ideal. Specifically, the company actually blames you.
You, for the breach. Rather than taking accountability for their own alleged negligence in maintaining proper security measures for your data, 23andMe actually blamed users. They blame you. They blame you for reusing your passwords. They say your reuse of passwords exposed them to credential stuffing.
The company claims that your actions of reusing your passwords makes them available for sale on dark web forums. While technically or factually correct, it's not the whole story. Not only was it a terrible approach to take when a data breach happens because failing to take accountability destroys credibility and trust in a brand for most people. It was a disgraceful approach to take. We read about many in the industry saying this because
they allegedly failed to have in place basic cyber-secured design. Security by design means the platform code is designed in a secured manner. This is critical when hosting a platform and profiting off the general public. Here, they failed to have standard real-time detection, adequate threat hunting, and they had designed their platform in a way which allowed
the initial compromise to expand to millions more. Here is what we mean. The threat actors initially breached only about 14,000 or 0.1% of the company's user profiles with the credential stuffing compromised credentials. Less than 0.1%. That is 0.1%. Doing basic math by analogy, this means that any fault
Dino Mauro (13:25.55)
they could attribute to their users only amounted to less than 0.1% of the fault here. The major fault, it seems, is that hackers were able to access millions more accounts through the design of their platform. Specifically, their platform had DNA Relatives, a feature that users can opt in to utilize to be able to connect with others on the platform
who share their DNA. This allowed the threat actor hackers to see geographic and demographic information, photos and further ancestry data of millions of people connected in any way to the 0.1% of the initial breach. That failure to secure by design their platform from the beginning is what made the initial compromise exponentially worse.
And here is a sample true crime story showing you what we mean and the risk of harm this company subjected real-life US citizens to. Rewind four years ago. A man living in the United States, we will call him J.L., decided on a whim to send a tube of his spit to the genetic testing site 23andMe in exchange for an ancestry report.
JL, like millions of other 23andMe participants before him, says he was often asked about his ethnicity and craved a deeper insight into his identity. He said he was surprised by the diversity of his test results, which showed he had some Ashkenazi Jewish heritage. JL said he didn't think much about the results, not until he heard about the data breach and the hacker
going by the pseudonym Golem. Golem had offered to sell the names, addresses, and genetic heritage. That's right, the names, home addresses, and genetic heritage. And similar data for all Ashkenazi Jewish heritage people belonging to the 23andMe data breach. In a split second, suddenly, JL worried his own flippant decision to catalog his genes could put him and his family at risk.
Dino Mauro (15:50.67)
I didn't know my family was going to potentially be a target, JL said. I may have put my family and myself in danger for something I did out of curiosity more than anything. JL, who asked to only be identified by his initials due to the ongoing privacy issues, is one of the plaintiffs listed in the class action lawsuits against 23andMe.
Plaintiffs claim the company failed to adequately notify users of Jewish and Chinese heritage after they were allegedly targeted. The lawsuit claims hackers placed those users in specially curated lists that could have been sold to individuals looking to do harm. You see, here in America, we may not think much about people knowing publicly our genetic heritage, but that's not the way 80%
of the rest of the planet operates. Most Americans do not value their privacy and private data, but that is not the case in the rest of the world. There is recent history and experience that hundreds of millions of people around the world have had, involving genocide, prejudice, discrimination, and extermination, all based on one's genetic heritage.
It's literally the most important thing someone needs to keep private for their own safety. And what did 23andMe do? They blamed you. They blamed you for reusing your passwords. They didn't exercise standard security measures and they again blamed you. All while the truth was something entirely different. You see, in cybersecurity, you must own it. Take accountability. If a breach happens,
admit it. Then the chance is yours. The chance is yours to show you did everything reasonable under the circumstances. You see, a company can't completely be blamed in the minds of its customers if they take reasonable care to protect the precious private information they hold on to. They have a duty to exercise reasonable care to protect your data as a customer. If you as a company do this,
Dino Mauro (18:11.242)
customers will continue to trust you. After all, a criminal cyber attack is an intervening criminal act. And so long as you show you were doing the right things when it happened, we continue to trust you and trust your brand. Remember, trust, after all, is a feeling. What's just as important is that by taking accountability, followed by demonstrating you exercised reasonable care,
you can avoid what happened here to 23andMe. They blew the chance they had that any potential reputational harm would be inoculated, but not for 23andMe. They did not exercise reasonable care, according to the allegations in the 40 lawsuits. And they did agree to pay $30 million in response, all after blaming their customers.
But the truth always comes out and the truth can hurt. 23andMe only publicly acknowledged the hackers' attacks after one user posted about the up-for-sale data on a 23andMe subreddit in early October. An investigation digging into the incident revealed hackers had actually been trying, sometimes successfully, to gain access since
at least April 2023. What does that mean? Why is that fact important? Simple. The threat actors had gained access for five months before it became public knowledge of the breach. The attacks are alleged to have continued for nearly five months through the end of September. In an email sent to the Guardian, a 23andMe spokesperson said the company did not detect
a breach within 23andMe systems and instead attributed the incident to compromised recycled login credentials from certain users, so they didn't detect the breach. Yet the threat actors had the data and were curating racially-motivated lists for sale based on people's genetic heritage. And 23andMe had not detected the breach and they blamed their customers.
Dino Mauro (20:37.835)
Hackers accessed users' uninterrupted raw genotype data and other highly sensitive information like health predisposition reports and carrier status reports gleaned from the processing of a user's genetic information. Worse still, 23andMe confirmed the thieves also accessed other personal information from up to 5.5 million people who opted into a feature that lets them find and connect
with genetic relatives. The failures of 23andMe exposed their customers to being placed on a genetic heritage hit list. Did you catch that? As a customer who they profited from, you are now at risk of being placed on a genetic hit list. In other words, hackers who gained access to a user's account
via the compromised passwords were also able to suck up data about potential relatives. The optional feature gives users insight into a variety of data points, including their relatives' names, their predicted relationship, and the percentage of DNA shared with matches. It can also include an individual ancestry report, matching DNA segments, and uploaded photos. Eli Wade Scott,
one of the attorneys representing JL in the class action lawsuit, said these allegedly ethnicity-specific groupings could amount to a hit list. Multiple attorneys and genetic privacy experts say the company should have seen such an attack coming and done far more to safeguard this highly sensitive, intimate data.
You shouldn't be able to do an attack like this over the course of months and have nobody at 23andMe notice, said Wade Scott. Barbara Pranesack, a University of Vienna professor for comparative policy, was herself a 23andMe customer. She said the company had a long time to protect itself and to establish data breach protocols. 23andMe, she said, seemed to have done neither.
Dino Mauro (22:58.923)
This is almost a textbook case of how things should not be done. She added that blaming consumers for their own relatively minor security lapses is morally and politically very dumb. Regardless of the settlement and 23andMe paying $30 million, the allegations will live on in infamy. As the JL lawsuit filed by Wade Scott reads, 23andMe lied to customers about how it would protect their data,
failed to reasonably protect their data in accordance with industry standards, lied about the scope and severity of the breach, failed to notify its Jewish and Chinese customers that they were specifically targeted, and in the end exposed them to a host of threats and dangers that they'll never see coming. In the end, 23andMe is left without any board members and a stock less than a dollar.
even after this lawsuit is settled. The victims here are their customers. Customers that the company profited off of for years and who trusted the company with their genetics are left with a risk that they will never see coming. Customers will continue to face threats caused by the acts of 23andMe that they will never see coming. That's the legacy of this brand. We, the customers, will never see it coming.
That's a feeling that is hard to get past. We thank you for the 23andMe. Enough said.
Dino Mauro (24:39.275)
Holy crap, David. Great story you shared, but wow. That was a lot. I personally, I don't know. This makes me furious. I regret ever being their customer. I totally regret it. Yeah, I totally understand. Feel the same way. Enough said.
Dino Mauro (25:00.821)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.