23andMe blames users for security breach, says they should have been better at passwords

digital key
(Image credit: Shutterstock)

Genetic testing company 23andMe is blaming its customers for the data breach it suffered in late 2023.

According to TechCrunch, the firm sent a letter to a group of victims, claiming that these users “negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe."

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Shameless

In late December 2023, hackers managed to break into approximately 14,000 23andMe accounts via brute-forcing, which involves trying out millions of username/password combinations, including those obtained from previous breaches elsewhere. However, some of these accounts had opted into the company’s DNA Relatives feature, which gave hackers access to personal data belonging to 6.9 million users. 

Despite the number of victims being in the millions, the company claims the stolen data cannot be abused: “The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature.”

The letter goes on to state: “Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information).”

23andMe refers to some users as plaintiffs as the company is facing more than 30 lawsuits in relation to the breach, TechCrunch claims. One of the lawyers representing the victims told the publication the company’s behavior is “shameless”:

“This finger-pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Hassan Zavareei said in an email.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” Zavareei stated.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Cartoon Phishing
Over a billion credentials stolen were stolen in malware attacks in 2024
healthcare
Top IVF firm says hackers accessed private data during cyber incident
Someone holding a passport with two boarding passes inside it
Top digital loan firm security slip-up puts data of 36 million users at risk
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
Major breach hits employee screening firm - 3.3 million affected as hackers steal DISA data
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Blood donation firm reveals donor personal data stolen in cyberattack
ID theft
Over a million patients potentially hit after another US healthcare provider hit by cyberattack
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Finger Presses Orange Button Domain Name Registration on Black Keyboard Background. Closeup View
I visited the world’s first registered .com domain – and you won’t believe what it’s offering today
Image showing detail of the Leica D-Lux 8
Still can't get a Fujifilm X100VI? This premium Leica compact costs less, and it's in stock