
23andMe blames victims for data breaches.

According to a letter Eltrys saw, 23andMe is now blaming the victims in an effort to clear its name after receiving more than 30 lawsuits from people affected by its significant data breach.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, a lawyer representing victims who received the 23andMe letter, told Eltrys in an email.

23andMe confirmed in December that hackers took 6.9 million consumers’ genetic and genealogy data, about half of its clients.

The data leak began with hackers accessing 14,000 user accounts. The technique was credential stuffing: the hackers replayed username and password pairs that the targeted customers had reused from other, previously breached services, and in this way broke into the initial batch of victims' accounts.

Because they had opted into 23andMe’s DNA Relatives tool, the hackers were able to acquire the personal data of 6.9 million individuals from these 14,000 original victims. This optional functionality lets clients immediately exchange data with platform relatives.


However, 23andMe stated in a letter to hundreds of users who are suing the firm that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

The letter states that 23andMe’s purported failure to maintain acceptable security measures did not cause the event.

Zavareei said that 23andMe is “shamelessly” blaming data leak victims.

“This finger-pointing is absurd. 23andMe knew or should have known that many consumers use recycled passwords and should have implemented some of the many safeguards available to protect against credential stuffing, especially since it stores personal identifying information, health information, and genetic information on its platform,” Zavareei said in the email.

The DNA Relatives data of millions of 23andMe customers was exposed in the attack, and not because those customers reused passwords: only a few thousand accounts out of millions were taken over via credential stuffing. 23andMe’s attempt to blame its customers does nothing for the millions of people whose data was exposed through no fault of their own, Zavareei said.
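One of the safeguards Zavareei refers to is detecting credential stuffing at the login endpoint. The following is an added illustration, not code from 23andMe or from the article: a minimal detector run over constructed login records, flagging any source that tries many distinct accounts in a short window (a legitimate user retries one account; a stuffing bot sprays a list across many) and listing the accounts it managed to log into, which are the ones a defender would force-reset first. The log format, IP addresses and usernames are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): one record per attempt.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z src=203.0.113.5 user=alice result=fail
2023-10-01T12:00:02Z src=203.0.113.5 user=bob result=fail
2023-10-01T12:00:03Z src=203.0.113.5 user=carol result=success
2023-10-01T12:00:04Z src=203.0.113.5 user=dave result=fail
2023-10-01T12:00:05Z src=203.0.113.5 user=erin result=fail
2023-10-01T12:00:06Z src=203.0.113.5 user=frank result=success
2023-10-01T12:05:00Z src=198.51.100.7 user=alice result=fail
2023-10-01T12:05:30Z src=198.51.100.7 user=alice result=fail
2023-10-01T12:06:00Z src=198.51.100.7 user=alice result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted accounts successfully logged into} for every source
    that attempted at least `min_users` distinct accounts within `window`.
    Distinct usernames per source is the discriminating signal: the second
    source below fails twice on one account and is a normal user, not a bot."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):  # sliding window over each start
            span = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            if len({e["user"] for e in span}) >= min_users:
                hits = flagged.setdefault(src, set())
                hits.update(e["user"] for e in span if e["result"] == "success")
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

In production the same count would be kept per source over a rolling window, and a hit would trigger step-up authentication or a block rather than a printout.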

In reaction to 23andMe’s letter, a data breach victim told Eltrys that he felt “it was appalling that 23andMe is attempting to hide from consequences instead of helping its customers.”

According to 23andMe’s attorneys, the stolen data cannot cause the victims financial harm.

“The potentially accessed information cannot harm. According to the October 6, 2023, blog post, 23andMe’s DNA Relatives function, which customers build and share with other people, may have been accessed. Plaintiffs must consent to sharing such information via DNA relatives.” The letter said that the unauthorized actor could not have used plaintiffs’ social security numbers, driver’s license numbers, or payment or banking information to create financial injury.

Eltrys received no response from 23andMe or its lawyers.

After revealing the hack, 23andMe changed all consumer passwords and mandated multi-factor verification, which was previously optional.

To avoid class action lawsuits and mass arbitration claims, 23andMe altered its terms of service to make it harder for plaintiffs to sue collectively. Eltrys said that data breach lawyers called the adjustments “cynical,” “self-serving,” and “a desperate attempt” to prevent consumers from suing the corporation.

Class action lawsuits continue despite the amendments.

Author: Juliet P.
