23andMe is now blaming users and their recycled passwords for data breach

Alfonso Maruccia

A hot potato: In December, 23andMe confirmed a troublesome security breach that affected around 7 million users. Now, the genetic testing firm says that users are responsible for the incident due to password reuse. Obviously, the finger-pointing is not sitting well with those affected.

Customers impacted by the 2023 data breach are suing 23andMe in droves, with more than 30 lawsuits filed, including class actions and mass arbitration claims. In December, the company reported that unknown attackers directly accessed 14,000 user accounts by logging in with passwords exposed elsewhere, a technique known as credential stuffing.

Compromising these first accounts gave the cybercriminals deeper access to the 23andMe network via its "DNA Relatives" feature. DNA Relatives is an optional program that allows 23andMe users to automatically share limited personal information with other customers who may be related to them. So, with only a few compromised accounts, the hackers gained access to the personal data of 6.9 million others.

TechCrunch obtained a letter indicating that the personal genomics company is now contacting some data breach victims to tell them they can only have themselves to blame. It claims that the users trying to sue 23andMe used recycled login credentials. Recycling credentials is when someone uses the same login name and password with multiple online websites.

The company maintains that the incident was not a result of its "alleged" failure to maintain reasonable security measures but a matter of hackers gaining reused credentials through third-party websites. Therefore, legal actions against the company are meritless.

Hassan Zavareei, one of the lawyers suing 23andMe, notes that the company is blatantly trying to downplay the seriousness of the incident. Zavareei called 23andMe's finger-pointing attempt "nonsensical" because credential recycling is common enough that it should have contingencies for it. He argues that 23andMe should have implemented more robust security measures, especially considering it stores and manages "personal identifying information," health, and genetic data. Zavareei added that the breach impacted millions because the DNA Relatives feature was insecure, not because users were recycling passwords.

Lawyers for 23andMe further stated that the data "potentially" accessed by the cybercriminals could not be used for any "pecuniary" harm, as it did not include social security numbers, driver's license numbers, or any payment or financial information.


 
**** off 23andMe. Where was the (2 factor) authentication? I've seen more annoying security measures on meme sites that handle no personal data. Millions of users and you can't do the basics?

Here's to hoping the legal system sees through their BS and tanks them like they deserve.
 
I'm with 23 and me on this one; I actually use Ancestry but it doesn't matter because all my 319 passwords are virtually impossible to crack. Ancestry did very recently enforce 2FA on all accounts, but I was safe anyway.

I tested an old 32-character password that I deleted after this test:

How Secure Is My Password?
The #1 Password Strength Tool. Trusted and used by millions.
ENTER PASSWORD
I entered a 32-character password that I haven't used since 2015; I'm not even sure the company still exists.

It would take a computer about
1 duodecillion years
to crack your password

If I used the same password on all my accounts, I'm trusting 319 companies to never be breached. A breach at any one of them would let the hackers into ALL of my accounts. If I were aware of the breach, then I would have to update all my passwords; it would take days to do that, and halfway through, what if another one of my accounts had a breach?

Recycling passwords is STUPID and it's your own fault if you get victimized.

Even without 2FA, I'm secure because it's virtually impossible that any one of my 319 passwords has ever been used by someone else, anywhere in the world, at any time.

I'm using KeePass which is offline, not in any cloud. It only sends keystrokes to the browser which has no passwords stored in it. The browser doesn't know where the keystrokes came from so even if it were breached, my passwords are safe. And in case of a breach, I only have to update one password.
 
Reusing passwords is negligence on the end user's part and now they are trying to blame someone else for their laziness 😆. Today you should expect any service you use to eventually be hacked - no matter who they are or how much effort they put into security. If a service does not offer MFA, then simply don't use them.
 
Reusing passwords is negligence on the end user's part and now they are trying to blame someone else for their laziness 😆.
I started off thinking this, but I think companies also have to defend against stupid users, especially when they're dealing with personal or medical data. It would have been easy to demand 2FA if the user is suddenly logging in from a different IP. Even more so if accesses, or failed accesses, are coming from a single IP (though this is probably easy to spoof). There again, hindsight is always 20/20.
 