Biotech and DNA-collection biz 23andMe, the one that blamed its own customers for the October mega-breach, just admitted it failed to detect any malicious activity for the entire five months attackers were breaking into user accounts.
In a collection of data breach notifications filed with California’s attorney general Rob Bonta, 23andMe revealed attackers were using credential stuffing techniques between April 29 and September 27, 2023.
It also said the malicious activity was only detected in October after seeing a Reddit post related to the sale of the data, rather than interal security tooling picking up on the mess.
