Facing more than 30 lawsuits from the victims of the massive data breach, 23andMe is now deflecting blame onto the victims themselves in an attempt to absolve itself of any responsibility; according to a letter sent to a victims’ group seen by TechCrunch.
“Instead of acknowledging its role in this data security disaster, 23andMe apparently decided to hang its customers out to dry by downplaying the seriousness of these events,” said Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe. TechCrunch in an email.
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of its customers.
The data breach started with the hackers accessing only about 14,000 user accounts. Hackers broke into this first set of victims by brute forcing accounts with passwords known to be associated with the targeted customers, a technique known as credential stuffing.
Of those initial 14,000 victims, however, the hackers were then able to gain access to the personal data of another 6.9 million victims because they had opted in to 23andMe’s DNA congeners feature. This optional feature allows customers to automatically share some of their data with people they consider related to them on the platform.
In other words, by breaking into the accounts of only 14,000 customers, the hackers then breached the personal data of another 6.9 million customers whose accounts were not directly compromised.
But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said “users negligently recycled and failed to update their passwords after these previous security incidents, which are unrelated with 23andMe.”
“Therefore, the incident was not the result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter states.
Zavareei said 23andMe is “shamelessly” blaming victims of the data breach.
“That finger is stupid. 23andMe knew or should have known that many consumers use recycled passwords, and therefore 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal information identification, health information and genetic information on its platform. Zavarei said in an email.
“The breach affected millions of consumers whose data was exposed through the DNA Relatives feature on the 23andMe platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to avoid responsibility by blaming its customers does nothing for the millions of consumers whose data was breached through no fault of their own,” Zavareei said.
Contact us
Do you have more information about the 23andMe incident? We would love to hear from you. Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email at lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
In response to 23andMe’s letter, Dante Termohs, a 23andMe customer affected by the data breach, told TechCrunch that he found it “terrifying that 23andMe is trying to hide from the consequences instead of helping its customers.”
Lawyers for 23andMe argued that the stolen data cannot be used to cause financial harm to the victims.
“The potentially accessed information cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed is related to the DNA Relatives feature that a customer creates and chooses to share with other users on the 23andMe platform. Such information would only be available if claimants positively choose to share that information with other users through the DNA Relatives feature. Furthermore, the information potentially obtained by the unauthorized actor about the plaintiffs could not have been used to cause property damage (it did not include the social security number, driver’s license number, or any payment or financing information),” the letter said .
23andMe and one of its lawyers did not respond to TechCrunch’s request for comment.
After the breach was disclosed, 23andMe reset all customer passwords and then required all customers to use multi-factor authentication, which was only optional before the breach.
In an effort to pre-empt the inevitable class-action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to join together when filing a legal claim against the company. Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving” and “a desperate attempt” to protect and prevent customers from going after the company.
Clearly, the changes didn’t stop what is now an upheaval class actions.
