23andMe is reportedly blaming victims of the company's recent data breach incident by sending letters indicating that the users were negligent in not updating their passwords following the incidents.
Fox Business states that it independently confirmed the report finding that in a letter to attorneys representing consumers whose data was compromised, 23andMe said that no breach qualified for protection under the California Privacy Rights Act. This is because the users that were the focus of the first breach used login credentials made public by other websites using a technique known as "credential stuffing."
(Photo : ERIC BARADAT/AFP via Getty Images)
This illustration picture shows a saliva collection kit for DNA testing displayed in Washington DC on December 19, 2018. - Between 2015 and 2018, sales of DNA test kits boomed in the United States and allowed websites to build a critical mass of DNA profiles.
Tech Crunch reports that the company is attempting to deny any responsibility for the incident that saw roughly 6.9 million users' sensitive data, such as genetic and health information, accessed by hackers. Following the data breach, a separate report states that cybercriminals released around one million data points linked to Ashkenazi Jewish users and comparable data related to over 300,000 Chinese users.
The Verge has previously reported that this data breach incident, as per several reports, has resulted in up to 7 million 23andMe accounts in circulation and may be up for sale on the dark web.
23andMe Denying Responsibility
Hassan Zavareei, one of the attorneys defending the victims who got the letter from 23andMe, reportedly claims that the company has chosen to downplay the gravity of these events while abandoning its consumers rather than taking responsibility for its part in this data security incident.
Thus, the letter states that 23andMe's supposed inability to maintain appropriate security measures has no bearing on the data breach incident. Zavareei, following the letters, says that 23andMe is "shamelessly" blaming the data leak victims.
Following the incident, 23andMe has reportedly increased its security measures by mandating the usage of two-factor authentication for all new and current users; 23andme likewise changed users' security measures by asking all of its customers to update their passwords.
Ancestral Data Breach
Tech Crunch explains that hackers could only access about 14,000 user accounts at the beginning of the data breach. Using a method known as credential stuffing, the hackers gained access to this initial group of victims by brute-forcing passwords that were known to be connected to the intended clients.
However, because the other 6.9 million victims had opted-in to 23andMe's DNA Relatives tool, the hackers could obtain their personal information from the original 14,000 victims. Customers can reportedly choose to have some of their data automatically shared with users on the network who are deemed to be their relatives.
The company confirmed the data breach incident last December 2023, wherein Tech Times reported that 23andMe has confirmed that 6.9 million customers' data was exposed due to a recent security compromise. The company's representative, Andy Kill, reportedly stated that the incident affected around 5.5 million customers who had turned on the DNA Relatives function.
23andMe is a genetic testing company that gives customers a "comprehensive ancestry breakdown" through DNA tests, supposedly for health analysis explicitly made for the user.
Related Article: DNA Testing Companies Adopt 2-Factor Authentication in Response to 23andMe Data Breach
