23andMe now blames customers and their recycled passwords for the October statistics breach

A hot potato: In December, 23andMe confirmed a tough security breach that affected round 7 million users. Now, the genetic trying out corporation says that users are accountable for the incident because of password reuse. Obviously, the finger-pointing isn't always sitting nicely with those affected.

Customers impacted via the 2023 records breach are suing 23andMe in droves, with more than 30 proceedings filed, inclusive of elegance actions and mass arbitration claims. In December, the business enterprise said that unknown attackers at once accessed 14,000 consumer debts, brute-forcing the account passwords with a method called credential stuffing.

Compromising these first bills gave the cybercriminals deeper get entry to to the 23andMe community via its "DNA Relatives" characteristic. DNA Relatives is an elective software that allows 23andMe customers to automatically share restricted personal information with different customers who can be related to them. So, with only some compromised accounts, the hackers won get admission to to the personal information of 6.Nine million others.

TechCrunch received a letter indicating that the non-public genomics company is now contacting some information breach sufferers to inform them they can simplest have themselves to blame. It claims that the users seeking to sue 23andMe used recycled login credentials. Recycling credentials is while someone makes use of the identical login call and password with more than one on line websites.

The organization continues that the incident was no longer a result of its "alleged" failure to maintain reasonable safety features but a rely of hackers gaining reused credentials via 1/3-party web sites. Therefore, prison movements in opposition to the corporation are meritless.

Hassan Zavareei, one of the legal professionals suing 23andMe, notes that the company is blatantly looking to downplay the seriousness of the incident. Zavareei known as 23andMe's finger-pointing strive "nonsensical" due to the fact credential recycling is not unusual sufficient that it ought to have contingencies for it. He argues that 23andMe need to have carried out greater strong security features, specifically considering it shops and manages "non-public identifying facts," fitness, and genetic facts. Zavareei brought that the breach impacted millions due to the fact the DNA Relatives function become insecure, no longer because customers have been recycling passwords.

Lawyers for 23andMe further stated that the statistics "doubtlessly" accessed by means of the cyber-criminals could not be used for any "pecuniary" harm, because it did not include social protection numbers, driver's license numbers, or any payment or monetary information.