23andMe blames users for security breach, says they should have been better at passwords

Users were using simple passwords, so they must be to blame, 23andMe says


Genetic testing company 23andMe is blaming its customers for the data breach it suffered in late 2023.

According to TechCrunch, the firm sent a letter to a group of victims, claiming that these users “negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe."

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Shameless

In late December 2023, hackers managed to break into approximately 14,000 23andMe accounts via brute-forcing, which involves trying out millions of username/password combinations, including those obtained from previous breaches elsewhere (the technique known as credential stuffing). Because some of these accounts had opted into the company’s DNA Relatives feature, the hackers gained access to personal data belonging to 6.9 million users.
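The attack described above, leaked username/password pairs replayed against many different accounts, leaves a distinctive shape in a site's login logs, and spotting that shape is one of the safeguards a platform can run on its own side regardless of how its users pick passwords. The script below is an added illustration, not code from the article or from 23andMe: it flags source addresses whose attempts spread over many distinct accounts with only one or two tries each, which separates credential stuffing from a brute-force attack that hammers a single account. The log format and the sample lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login log (made up for this example, not 23andMe data).
# Fields: timestamp, source IP, username, result (OK or FAIL).
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dan@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 eve@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:00:07Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:01:00Z 198.51.100.9 ivan@example.com FAIL
2023-10-01T10:01:01Z 198.51.100.9 ivan@example.com FAIL
2023-10-01T10:01:02Z 198.51.100.9 ivan@example.com FAIL
2023-10-01T10:01:03Z 198.51.100.9 ivan@example.com FAIL
2023-10-01T10:01:04Z 198.51.100.9 ivan@example.com FAIL
2023-10-01T10:02:00Z 192.0.2.5 judy@example.com OK
"""

def parse_line(line):
    """Split one log line into (source IP, username, success flag)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"

def detect_credential_stuffing(lines, min_attempts=5, min_distinct_users=5,
                               max_tries_per_user=2.0):
    """Return {ip: summary} for sources that look like credential stuffing:
    many attempts spread over many distinct accounts, one or two tries each
    (a leaked credential list being replayed). Brute force on one account
    and ordinary users do not meet the distinct-user threshold."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for line in lines:
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["ok"].add(user)  # accounts to reset / step up to MFA
    flagged = {}
    for ip, stats in per_ip.items():
        distinct = len(stats["users"])
        if (stats["attempts"] >= min_attempts and distinct >= min_distinct_users
                and stats["attempts"] / distinct <= max_tries_per_user):
            flagged[ip] = {"attempts": stats["attempts"], "distinct_users": distinct,
                           "compromised": sorted(stats["ok"])}
    return flagged
```

On the sample data only 203.0.113.7 is flagged, with carol@example.com listed as the account whose reused password worked; the single-account hammering from 198.51.100.9 is a different pattern and needs a per-account lockout rule instead.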

Despite the number of victims being in the millions, the company claims the stolen data cannot be abused: “The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature.”

The letter goes on to state: “Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information).”

23andMe refers to some users as plaintiffs as the company is facing more than 30 lawsuits in relation to the breach, TechCrunch claims. One of the lawyers representing the victims told the publication the company’s behavior is “shameless”:

“This finger-pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Hassan Zavareei said in an email.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” Zavareei stated.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.