23andMe is now blaming users and their recycled passwords for data breach

A hot potato: In December, 23andMe confirmed a troublesome security breach that affected around 7 million users. Now, the genetic testing firm says that users are responsible for the incident due to password reuse. Obviously, the finger-pointing is not sitting well with those affected.

Customers impacted by the 2023 data breach are suing 23andMe in droves, with more than 30 lawsuits filed, including class actions and mass arbitration claims. In December, the company reported that unknown attackers directly accessed 14,000 user accounts, brute-forcing the account passwords with a technique known as credential stuffing.

Compromising these first accounts gave the cybercriminals deeper access to the 23andMe network via its "DNA Relatives" feature. DNA Relatives is an optional program that allows 23andMe users to automatically share limited personal information with other customers who may be related to them. So, with only a few compromised accounts, the hackers gained access to the personal data of 6.9 million others.

TechCrunch obtained a letter indicating that the personal genomics company is now contacting some data breach victims to tell them they can only have themselves to blame. It claims that the users trying to sue 23andMe used recycled login credentials. Recycling credentials is when someone uses the same login name and password with multiple online websites.

The company maintains that the incident was not a result of its "alleged" failure to maintain reasonable security measures but a matter of hackers gaining reused credentials through third-party websites. Therefore, legal actions against the company are meritless.

Hassan Zavareei, one of the lawyers suing 23andMe, notes that the company is blatantly trying to downplay the seriousness of the incident. Zavareei called 23andMe's finger-pointing attempt "nonsensical" because credential recycling is common enough that it should have contingencies for it. He argues that 23andMe should have implemented more robust security measures, especially considering it stores and manages "personal identifying information," health, and genetic data. Zavareei added that the breach impacted millions because the DNA Relatives feature was insecure, not because users were recycling passwords.

Lawyers for 23andMe further stated that the data "potentially" accessed by the cyber-criminals could not be used for any "pecuniary" harm, as it did not include social security numbers, driver's license numbers, or any payment or financial information.