In Re: 23andme, Inc. Customer Data Security Breach Litigation
Source: 23andmedatasettlement.com (news story); Hacker News item 46102583
Story posted: Nov 30, 2025 at 8:54 PM EST. First comment 7 minutes after posting; peak activity 39 comments in the first 12 hours; latest activity Dec 5, 2025 at 1:46 PM EST.
Key topics: Data exfiltration, Litigation, Data privacy
None of these make the victims whole. The typical customer would rather pay $1000 to not have their private medical records stolen. Giving them just $165 or a few years of monitoring is insulting. What does that monitoring even achieve?
(disclosure: I am a member of the class, as is most of my family, no other affiliation)
Precedent is everything, the members of the class who drag down expectations for the rest of us are actively committing harm by denying a resolution to our collective claims. Solidarity is the sole responsibility of a class of people.
Individuals had responsibility when they made these decisions. It is on the courts to make the victims whole, despite the shenanigans around corporate liability limits.
EDIT: I legitimately think that if we _don't_ hold individuals accountable for these sorts of data breaches of the most sensitive data imaginable then there is no sense to legal systems.
EDIT2: Assuming Gemini has any semblance of accurate information, here are some individuals to consider beginning with:
- Anne Wojcicki (Co-Founder, Chair of the Board)
- Andre Fernandez (Independent Director)
- Jim Frankola (Independent Director)
- Mark Jensen (Independent Director, Lead Independent Director)
- Neal Mohan (Past Independent Director)
- Roelof Botha (Past Independent Director)
- Patrick Chung (Past Independent Director)
- Peter J. Taylor (Past Independent Director)
- Richard Scheller, Ph.D. (Past Independent Director)
- Sandra Hernández, M.D. (Past Independent Director)
- Valerie Montgomery Rice, M.D. (Past Independent Director)
https://news.ycombinator.com/item?id=38857170
https://news.ycombinator.com/item?id=38857228
https://news.ycombinator.com/item?id=38857476
My favorite reply at that time:
> I will eat crow if it comes to light that this was entirely unavoidable on 23andme's part. (me)
> You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.
This class action and the £2.3M extracted by a UK regulator sure feels like legal culpability. There must be consequences, otherwise nothing will change. I accept some action vs no action, when perfect is out of reach. We are building systems, requiring constant tuning and improvement.
Closing the loop on this provides an immutable case study on this topic.
(I manage and am responsible for systems that protect enterprise and customer data for millions of customers at a fintech. I take this work seriously, because someone should; if you want better behavior, we need better legal tools to go after corporations for this)
You seem to be skilled at over-intellectualizing to the point of losing the plot. I do that with movies, you do that with real life. Why?
Some would say SNP data is more valuable than your posting history. I'm not so sure, since after all 23andMe went bankrupt trying to monetize their data and reddit didn't. It seems possible to me that a post where you say you do X is more useful to advertisers and political propagandists/spies, than a SNP which suggests you're 20% more likely to do X.
It's insane that a company that literally stores DNA data didn't have the most basic defenses against data breaches that would take an intern 15 minutes to read about.
Can people sue Oprah?
Promote or publicise.
A new word to me, and not one I’ll use.
Anyway, I never submitted the test. But I know for a fact that family has. It's really annoying that others can make these sorts of linked decisions for you, especially as we are now acutely aware that this type of data can, will and I'm sure is being used in ways that basically nobody would consent to.
If you send your DNA to a company in the mail you should assume everyone in the world will eventually be able to see it.
You should also assume your MegaCorp, if you work for one, has also already seen them (in many cases they can buy them from various data brokers or even off the grey market).
I'm not saying this is the way things should be, just things as I know them to be.
For example, if someone could have their current life become, essentially "redacted", and receive an entirely new one with fairly low barrier of entry, would that be something you would support?
I do agree that once it's out, it's out and you can't really "go back" or have any expectation that what you put out there will somehow magically be "safe", but I think there ought to be a means to hard reset; a burn everything to the ground, and start from square one option.
To head off the inevitable questions of some variation of, "...but what about abuse?" from the crowd, I would generally ask:
Abuse to whom? The person whose entire existence is irrevocably captured, documented, data mined, and optimized for malicious intent? Or the random mouth-breathing schlub who abuses the opportunity to do something nefarious before getting caught and going to prison?
1. I opted in to sharing my information with everyone that 23andMe identified as relatives. "Relatives" in this context means genetic 4th cousins or closer. For me that turned out to be 1500 people, all of whom are as far as I know complete strangers to me (I'm adopted).
2. One or more of those 1500 people used the same password on 23andMe that they used on some other site that suffered a breach that gave up plaintext passwords.
3. That password was included in a credential stuffing attack that let someone get into their 23andMe account, where that intruder downloaded the account owner's relatives list which included my information.
When I chose to share my data with 1500 strangers I was pretty much conceding that I didn't really care who got it.
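One way a defender can spot the chain this commenter describes (reused passwords tried across many accounts from one source, each successful login then exposing that account's relatives list), as an added example that is not from the original thread or from 23andMe; the log format, thresholds and relatives map are constructed assumptions:

```python
"""Flag credential-stuffing patterns in auth logs and estimate relative exposure."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real 23andMe logs): timestamp, source IP, account, outcome
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol FAIL
2023-10-01T10:00:04Z 203.0.113.7 dave FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin OK
2023-10-01T10:00:06Z 203.0.113.7 frank FAIL
2023-10-01T10:05:00Z 198.51.100.9 alice FAIL
2023-10-01T10:05:30Z 198.51.100.9 alice OK
"""

# Constructed relatives-sharing graph: a compromised account also exposes its DNA relatives
RELATIVES = {"erin": ["alice", "bob", "gina", "hal"], "alice": ["erin"]}

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def find_stuffing(log_text, window=timedelta(minutes=10), min_distinct=5):
    """Return {source_ip: (distinct_accounts_tried, [accounts logged in])} for sources
    that tried at least `min_distinct` different accounts inside `window`.
    Stuffing looks like many accounts with one attempt each, so a single-account
    brute force (198.51.100.9 above) is deliberately not flagged by this rule."""
    events = sorted(parse(l) for l in log_text.strip().splitlines())
    per_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        per_ip[ip].append((ts, user, outcome))
    hits = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding time window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            tried = {u for _, u, _ in evs[start:end + 1]}
            if len(tried) >= min_distinct:
                logged_in = sorted({u for _, u, o in evs[start:end + 1] if o == "OK"})
                hits[ip] = (len(tried), logged_in)
    return hits

def exposed_accounts(hits, relatives=RELATIVES):
    """Each compromised account exposes itself plus every relative it shares with."""
    exposed = set()
    for _, logged_in in hits.values():
        for acct in logged_in:
            exposed.add(acct)
            exposed.update(relatives.get(acct, []))
    return sorted(exposed)
```

With the sample data, one source tries six accounts and logs into one, yet five accounts' data is exposed through the relatives list; the same multiplier is why a stuffing hit should trigger a forced credential reset for the compromised account and a review of what it could download.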
Technically, you could probably get access to and scrape all that data by uploading fake data, or someone else's. It will do very little useful unless you're into genealogy.
https://techcrunch.com/2023/10/10/23andme-resets-user-passwo...
The hack was yet another failure in a long list under the CEO: Failed execution on the drug development strategy, lying about growth, pushing out the cofounder, never making a profit, FDA warning letters, ditching its genealogy tools, screwing over investors, screwing over the board, and so on.
The company she bankrupted was about to be sold to Regeneron - probably the best option for everyone - when her "nonprofit" swooped in with a high bid.
https://www.medtechdive.com/news/anne-wojcicki-buy-23andme-b...
DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack - https://news.ycombinator.com/item?id=44300220 - June 2025 (1 comment)
23andMe tells victims it's their fault that their data was breached - https://news.ycombinator.com/item?id=38856412 - January 2024 (368 comments)
What's frustrating is that even security-conscious users face a massive burden after any breach: changing passwords across dozens or hundreds of accounts. Research shows the average remediation gap after breach disclosure is 94 days - most people simply don't do it because it's too tedious.
We've solved password generation and storage. What's still broken is the actual process of updating passwords at scale when you need to respond to a breach like this one.