© 2024 Blaze Media LLC. All rights reserved.
23andMe blames victims for data breach, claiming users 'recycled' passwords
Photo by Smith Collection/Gado/Getty Images

23andMe denied fault for last year's massive data security breach and instead shifted blame to its users who "recycled" their passwords, according to a December letter recently obtained by TechCrunch.

The letter, sent by a legal firm representing 23andMe to a group of users suing the company, states that "no breach occurred."

"As set forth in 23andMe's October 6, 2023 blog post, 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe," the letter claimed.

23andMe's legal firm further contended that the company did not violate the California Privacy Rights Act, the California Confidentiality of Medical Information Act, the Illinois Genetic Information Privacy Act, or any other laws.

"[T]he incident was not a result of 23andMe's alleged failure to maintain reasonable security measures under the CPRA," it added.

23andMe claimed that even "if a violation occurred," the company has since taken steps to protect its users. After informing law enforcement about the "unauthorized access," it ended all active sessions in October, requiring users to perform a password reset to log back into their accounts. In November, the company also set up a required 2-step verification process, which was only optional before, for "an added layer of protection."

"Equally important, the information that was potentially accessed cannot be used for any harm," the letter claimed.

In 23andMe's blog post addressing the data security concerns, the company explained that the hackers accessed DNA Relatives profiles, a feature of its website that includes information such as display names, predicted relationships, and the percentage of DNA shared with genetic matches. Users must opt in to share this information with their genetic relatives, the company noted. Threat actors would not have been able to access this information for users who did not enable the feature, the blog post explained.

Hassan Zavareei, one of the lawyers representing the group of victims, told TechCrunch that 23andMe is "shamelessly" blaming the users.

"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Zavareei said.

"This finger pointing is nonsensical," Zavareei continued. "23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform."

The security breach impacted 6.9 million 23andMe accounts, almost half the company's users. TechCrunch reported that 23andMe is facing more than 30 lawsuits due to the incident.

Hackers initially gained access to 14,000 user accounts by using a cyberattack method known as credential stuffing, in which threat actors take usernames and passwords stolen in previous data breaches and try them against other websites. These automated login attempts succeed only where users have reused the same credentials across multiple online accounts.
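The pattern described above has a recognizable shape in a site's login logs: one source trying many different accounts, roughly once each, with most attempts failing. The script below is an added example written for this article, not code from 23andMe, TechCrunch, or the article's author. The log line format, the sample lines, and the detection thresholds (a 5-minute window, at least 5 distinct accounts, success rate no higher than 50%) are all constructed assumptions; it also lists the accounts that did log in from a flagged source, which are the ones whose sessions would need to be revoked and passwords reset.

```python
# Added example (not from the article or 23andMe): spotting a credential-stuffing
# pattern in web-login logs. The log format, sample lines and thresholds are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source tries eight different accounts in six seconds
# (two of them succeed); a second source is a single user mistyping a password.
SAMPLE_LOG = """\
2023-10-01T12:00:01 ip=203.0.113.7 user=alice result=fail
2023-10-01T12:00:02 ip=203.0.113.7 user=bob result=fail
2023-10-01T12:00:02 ip=203.0.113.7 user=carol result=ok
2023-10-01T12:00:03 ip=203.0.113.7 user=dave result=fail
2023-10-01T12:00:03 ip=203.0.113.7 user=erin result=fail
2023-10-01T12:00:04 ip=203.0.113.7 user=frank result=fail
2023-10-01T12:00:05 ip=203.0.113.7 user=grace result=fail
2023-10-01T12:00:06 ip=203.0.113.7 user=heidi result=ok
2023-10-01T12:05:00 ip=198.51.100.20 user=alice result=fail
2023-10-01T12:05:09 ip=198.51.100.20 user=alice result=fail
2023-10-01T12:05:20 ip=198.51.100.20 user=alice result=ok
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed 'ts ip= user= result=' format, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(LoginEvent(
            ts=datetime.fromisoformat(m["ts"]),
            ip=m["ip"],
            user=m["user"],
            ok=(m["result"] == "ok"),
        ))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_rate=0.5):
    """Keep a sliding window of attempts per source IP and flag the IP once the
    window holds attempts against at least `min_distinct_users` different accounts
    with a low success rate. Many accounts, about one try each, is the stuffing
    signature; a password-guessing attack on one account looks the opposite
    (one user, many tries) and is left to a separate per-account rule."""
    windows = defaultdict(deque)
    flagged = {}
    for ev in events:
        w = windows[ev.ip]
        w.append(ev)
        while w and ev.ts - w[0].ts > window:
            w.popleft()
        users = {e.user for e in w}
        successes = sum(1 for e in w if e.ok)
        if len(users) >= min_distinct_users and successes / len(w) <= max_success_rate:
            # Latest stats win, so the record reflects the widest window seen.
            flagged[ev.ip] = {"attempts": len(w),
                              "distinct_users": len(users),
                              "successes": successes}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that actually logged in from a flagged source: these are the
    sessions to revoke and passwords to reset, whatever the user's own hygiene."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(evs, hits))
```

On the sample, only 203.0.113.7 is flagged (8 attempts against 8 accounts, 2 successes); the user retrying their own password from 198.51.100.20 is not, which is the distinction a per-source rule like this has to preserve to avoid locking out ordinary users. A real deployment would add per-account velocity checks, screening of new passwords against known-breached lists, and the mandatory second factor the article says 23andMe later adopted.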

After breaching those accounts, hackers were able to access the data of millions of 23andMe users who had opted in to the website's DNA Relatives feature, TechCrunch reported.

Zavareei explained, "The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever."

Neither 23andMe nor its legal team responded to a request for comment, TechCrunch reported.

Candace Hathaway

Candace Hathaway is a staff writer for Blaze News.
@candace_phx