Facing more than 30 lawsuits from victims of its large data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch.
“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique commonly known as credential stuffing.
From these 14,000 initial victims, however, the hackers were then able to access the personal data of the other 6.9 million victims because they had opted in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.
In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped the personal data of another 6.9 million customers whose accounts were not directly hacked.
But in a letter sent to a large group of 23andMe customers who are now suing the company, 23andMe said that “users negligently recycled and didn’t change their passwords following these earlier security incidents, which might be unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.
Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach.
“This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Zavareei said in an email.
“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.
In response to 23andMe’s letter, Dante Termohs, a 23andMe customer, told TechCrunch that he found “it appalling that 23andMe is trying to hide from consequences instead of helping its customers.”
23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims.
“The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information),” the letter read.
23andMe and one of its lawyers did not respond to TechCrunch’s request for comment.
After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.
In an attempt to pre-empt the inevitable class action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to band together when filing a legal claim against the company. Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving,” and “a decided attempt” to protect itself and deter customers from going after the company.
Clearly, the changes didn’t stop what’s now a flurry of class action lawsuits.