
23andMe tells victims it's their fault that their data was breached

Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself of any responsibility, according to a letter sent to a group of victims seen by TechCrunch.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.

From these 14,000 initial victims, however, the hackers were then able to access the personal data of the other 6.9 million victims because those users had opted in to 23andMe's DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

In other words, by hacking into only 14,000 customers' accounts, the hackers subsequently scraped the personal data of another 6.9 million customers whose accounts were not directly hacked.
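The pattern described above, one source cycling through many accounts with passwords leaked in other breaches, leaves a distinctive trace in authentication logs: many distinct usernames from one address in a short window, with a low success rate. The following is an added example, not code from TechCrunch or 23andMe; the log lines, IP addresses and thresholds are constructed for illustration. It flags that pattern and lists the accounts that accepted a password, which are the ones a defender would force-reset and move to MFA.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real 23andMe data): timestamp, source IP,
# account, outcome. 203.0.113.7 walks through many accounts with mostly
# failures; 198.51.100.2 is one user retrying their own password.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol OK
2023-10-01T10:00:04Z 203.0.113.7 dave FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin FAIL
2023-10-01T10:05:00Z 198.51.100.2 grace FAIL
2023-10-01T10:05:09Z 198.51.100.2 grace OK
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def find_credential_stuffing(log_text, window=timedelta(minutes=10),
                             min_accounts=5, max_success_rate=0.5):
    """Flag IPs that try many distinct accounts with mostly failures.
    Returns {ip: {"tried": accounts attempted, "logged_in": accounts that
    accepted a password}}; the latter should be reset and moved to MFA.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Keep the window at most `window` wide by dropping old events.
            while events[end][0] - events[start][0] > window:
                start += 1
            current = events[start:end + 1]
            tried = {account for _, account, _ in current}
            successes = sum(1 for _, _, ok in current if ok)
            if len(tried) >= min_accounts and successes / len(current) <= max_success_rate:
                flagged[ip] = {"tried": tried,
                               "logged_in": {a for _, a, ok in current if ok}}
                break
    return flagged
```

Real deployments would key on more than the source address (stuffing tools rotate proxies), but the per-source distinct-account count and failure ratio remain the core signal.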

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach.

“This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Zavareei said in an email.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.


In response to 23andMe's letter, Dante Termohs, a 23andMe customer who was impacted by the data breach, told TechCrunch that he found “it appalling that 23andMe is attempting to hide from consequences instead of helping its customers.”

23andMe's lawyers argued that the stolen data cannot be used to inflict financial harm on the victims.

“The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information),” the letter read.

23andMe and one of its lawyers did not respond to TechCrunch's request for comment.

After disclosing the breach, 23andMe reset all customer passwords and then required all customers to use multi-factor authentication, which had only been optional before the breach.

In an attempt to pre-empt the inevitable class action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to band together when filing a legal claim against the company. Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving” and “a desperate attempt” to protect itself and deter customers from going after the company.

Clearly, the changes didn't stop what is now a flurry of class action lawsuits.
