23andMe blames users for security breaches, saying they should have been better at passwords
Genetic testing company 23andMe blames its customers for the data breach it suffered in late 2023.
According to TechCrunchthe company sent a letter to a group of victims, claiming that these users had “negligently recycled and failed to update their passwords after previous security incidents unrelated to 23andMe.”
“The incident was therefore not a result of 23andMe's alleged failure to maintain reasonable security measures,” the letter said.
Shameless
In late December 2023, hackers managed to brute force into approximately 14,000 23andMe accounts, trying millions of username and password combinations, including those obtained in previous breaches elsewhere. However, some of these accounts had signed up for the company's DNA Relatives feature, which gave hackers access to personal data of 6.9 million users.
Despite the number of victims running into the millions, the company claims the stolen data cannot be misused: “The information that may have been accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed was related to the DNA Relatives feature, which a customer creates and chooses to share with other users on the 23andMe platform. Such information would only be available if claimants affirmatively choose to share this information with other users through the DNA Relatives feature.
The letter further states: “Additionally, the information that the unauthorized actor may have obtained about Plaintiffs could not be used to cause monetary damages (the information did not include their Social Security Number, driver's license number, or any payment or financial information). .”
23andMe is referring to some users as plaintiffs as the company faces more than 30 lawsuits related to the breach, TechCrunch claims. One of the lawyers representing the victims told the publication that the company's behavior is “shameless”:
“This finger-pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and that 23andMe therefore should have implemented some of the many security measures available to protect against credential stuffing – especially given that 23andMe collects personally identifiable information, health information, and genetic stores information on its platform. Hassan Zavareei said in an email.
“The breach affected millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords. Of those millions, only a few thousand accounts have been compromised due to credential stuffing. “23andMe’s attempt to avoid responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own,” Zavareei said.