The company previously blamed customers for reusing passwords
By Rob Thubron, Today 10:11 AM
WTF?! It seems companies being infiltrated by hackers and not knowing about it for months is becoming a common sight in the tech world. Following Microsoft and HPE, genetic testing provider 23andMe has now confirmed that the intrusion it experienced last year, which led to the theft of data on millions of customers, went unnoticed for five months.
In its mandatory breach notification letter filed with California's attorney general, 23andMe confirmed that hackers started breaching customer accounts on April 29, 2023, and continued until September 27. For five months the cybercriminals worked through customer accounts by trying email addresses and passwords leaked in other breaches (credential stuffing), all without the company detecting what was happening.
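The detection that was missing here, as an added example rather than anything from the article or 23andMe: a per-source classifier run over constructed login events that separates credential stuffing (one or two tries against many different accounts) from brute force (many tries against one account) and lists the accounts a stuffing source actually got into. Every log line, IP address and account name below is made up for the example, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (made up for this example, not real
# 23andMe data): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-04-29T01:00:02Z 198.51.100.7 alice@example.com FAIL
2023-04-29T01:00:05Z 198.51.100.7 bob@example.com FAIL
2023-04-29T01:00:09Z 198.51.100.7 carol@example.com OK
2023-04-29T01:00:14Z 198.51.100.7 dave@example.com FAIL
2023-04-29T01:00:20Z 198.51.100.7 erin@example.com FAIL
2023-04-29T02:10:00Z 203.0.113.5 alice@example.com FAIL
2023-04-29T02:10:30Z 203.0.113.5 alice@example.com FAIL
2023-04-29T02:11:00Z 203.0.113.5 alice@example.com FAIL
2023-04-29T03:00:00Z 192.0.2.10 grace@example.com OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((ts, ip, account, outcome == "OK"))
    return events

def classify_sources(events, min_accounts=5, max_tries_per_account=2.0):
    """Label each source IP. Credential stuffing tries each leaked pair once
    or twice across many accounts; brute force hammers a single account."""
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set()})
    for _, ip, account, _ok in events:
        per_ip[ip]["attempts"] += 1
        per_ip[ip]["accounts"].add(account)
    labels = {}
    for ip, s in per_ip.items():
        n_accounts = len(s["accounts"])
        if n_accounts >= min_accounts and s["attempts"] / n_accounts <= max_tries_per_account:
            labels[ip] = "credential_stuffing"
        elif n_accounts == 1 and s["attempts"] >= 3:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels

def compromised_accounts(events, labels):
    """Accounts that logged in successfully from a stuffing source: these need
    a forced password reset and session revocation, not just a notification."""
    return sorted({acct for _, ip, acct, ok in events
                   if ok and labels.get(ip) == "credential_stuffing"})
```

A campaign spread over five months will rotate through many source addresses, so in practice the same counts should also be aggregated per subnet or ASN and per time window, and a sudden rise in distinct accounts seeing failures is itself worth an alert.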
Back in December, 23andMe's filing with the Securities and Exchange Commission revealed that the hackers accessed the personal information of 14,000 people. That's only 0.1% of its customers, but hacking these accounts also allowed the bad actors to access files containing profile information about other users via the site's DNA Relatives, an optional feature that automatically shares some customer data with others whom 23andMe believes may be their relatives.
A total of 6.9 million people, or about half the company's customers, had their data stolen. The pilfered information included name, birth year, profile picture, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.