23andMe Shifts Blame To Users For Data Breach

In a letter obtained by TechCrunch, a law firm representing 23andMe has denied responsibility for the extensive data breach that occurred last year. Instead, the letter asserts that the company suffered no breach at all, attributing the incident to users who allegedly “recycled” their passwords.

The letter reads, “As set forth in 23andMe’s October 6, 2023 blog post, 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

The legal representatives of 23andMe asserted that the company did not breach the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act, the Illinois Genetic Information Privacy Act or any other applicable laws.

They said, “The incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

23andMe asserted that, even if a violation were found, it has implemented measures to safeguard its users. After reporting the “unauthorized access” to law enforcement, the company terminated all active sessions in October, requiring users to reset their passwords to regain account access. In November it also made its previously optional 2-step verification mandatory, giving users an extra layer of security.

In a blog post addressing data security concerns, 23andMe clarified that the hackers targeted DNA relatives profiles, a feature on its website containing details like display names, predicted relationships and the percentage of shared DNA with genetic matches. The company highlighted that users must actively choose to share this information with their genetic relatives. According to the blog post, individuals who did not enable this feature would not have had their information accessed by hackers.

Hassan Zavareei, one of the attorneys representing the group of victims, conveyed to TechCrunch that 23andMe is unapologetically shifting the blame onto the users.

Zavareei stated, “Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events.”

He continued, “This finger-pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords, and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information and genetic information on its platform.”
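One of the credential-stuffing safeguards referred to above is server-side detection of the attack pattern itself: a single source trying many different accounts with a low success rate. The following is an added illustration, not code from 23andMe or from the article; the log format (timestamp, username, source IP, result) and the sample lines are constructed, and the thresholds are assumptions a defender would tune.

```python
from collections import defaultdict

# Constructed login-audit sample: "<timestamp> <user> <src_ip> <FAIL|SUCCESS>".
# 203.0.113.5 sprays six different accounts and lands two of them; the other
# two sources are a user mistyping a password and a normal login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z alice 203.0.113.5 FAIL
2023-10-01T10:00:02Z bob 203.0.113.5 FAIL
2023-10-01T10:00:03Z carol 203.0.113.5 SUCCESS
2023-10-01T10:00:04Z dave 203.0.113.5 FAIL
2023-10-01T10:00:05Z erin 203.0.113.5 FAIL
2023-10-01T10:00:06Z frank 203.0.113.5 SUCCESS
2023-10-01T10:05:00Z alice 198.51.100.7 FAIL
2023-10-01T10:05:10Z alice 198.51.100.7 SUCCESS
2023-10-01T10:06:00Z grace 192.0.2.9 SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((ts, user, ip, result == "SUCCESS"))
    return events


def flag_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried many distinct accounts with mostly failures.

    Credential stuffing replays leaked username/password pairs, so one source
    touches many accounts and most attempts fail (assumed thresholds).
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _, user, ip, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)
    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(stats["users"]), "success_rate": rate}
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source: the set a
    defender would invalidate sessions for and force through reset plus 2FA."""
    return sorted({user for _, user, ip, ok in events if ok and ip in flagged_ips})
```

The output of `accounts_to_reset` is the list of accounts whose sessions should be terminated and whose passwords must be reset, which is the response described above rather than a blanket reset of every user.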

The data security breach affected 6.9 million 23andMe accounts, nearly half of the company’s user base. TechCrunch has reported that 23andMe is currently facing over 30 lawsuits related to this incident.

Initially, hackers gained entry to 14,000 user accounts. Following the compromise of these accounts, hackers were able to access the data of millions of 23andMe users who had chosen to participate in the website’s DNA relatives feature.