The company disclosed the full scope of the breach in an updated blog post on Dec. 5, after the completion of an internal review assisted by “third-party forensics experts.” By that time, according to Eli Wade-Scott, a lawyer for the plaintiffs, users’ personal genetic information and other sensitive material had been made available and offered for sale on the dark web for two months.

23andMe did not immediately respond to requests for comment about the lawsuit.

Jay Edelson, another lawyer representing the plaintiffs, said 23andMe’s approach to privacy and the resulting lawsuit signaled “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.