Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by information.killnetswitch.
“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told information.killnetswitch in an email.
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
From these 14,000 initial victims, however, the hackers were then able to access the personal data of the other 6.9 million victims because they had opted in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.
In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts weren’t directly hacked.
But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.
Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach.
“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.
In response to 23andMe’s letter, Dante Termohs, a 23andMe customer who was impacted by the data breach, told information.killnetswitch that he found “it appalling that 23andMe is attempting to hide from consequences instead of helping its customers.”
23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims.
“The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information),” the letter read.
23andMe and one of its lawyers did not respond to information.killnetswitch’s request for comment.
After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.
In an attempt to pre-empt the inevitable class action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to band together when filing a legal claim against the company. Lawyers with experience representing data breach victims told information.killnetswitch that the changes were “cynical,” “self-serving,” and “a desperate attempt” to protect itself and deter customers from going after the company.
Clearly, the changes did not stop what is now a flurry of class action lawsuits.