23andMe tells victims it’s their fault that their data was breached
Reading Time: 2 minutesIn December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.
In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.
But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that ‘users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.’
‘Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,’ the letter reads.
Zavareei said that 23andMe is ‘shamelessly’ blaming the victims of the data breach.
‘This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,’ Zavareei said in an email.
‘The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,’ said Zavareei.
23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims.
‘The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information),’ the letter read.
After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.
Clearly, the changes didn’t stop what is now a flurry of class action lawsuits.
Ref: techcrunch
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG