In a statement sent to TechCrunch, DNA testing firm 23andMe has argued that the victims are responsible for the breach of highly sensitive genomics data on its systems. The company accused users whose accounts were accessed of “negligently” recycling and failing to update their passwords, which enabled a credential stuffing campaign by attackers. 23andMe claimed the incident was not the result of any alleged failure on its part to maintain security measures under the California Privacy Rights Act.
The breach, which occurred in October 2023, exposed the information of nearly 7 million customers, including files containing details about some users’ genealogy. The hackers initially accessed around 14,000 user accounts through the credential stuffing campaign, and then used those accounts to reach the personal data of 6.9 million users who had opted into 23andMe’s DNA Relatives feature. 23andMe claimed that the victims had elected to share their information with other users by opting into the feature, and that the information accessed by the attackers could not be used to cause financial harm.
In response to the lawsuit filing, 23andMe has added new security measures to protect user accounts, including requiring a password reset on all user accounts and implementing two-factor authentication. However, industry experts have criticized the company’s assertion that the victims are to blame for the breach. They argue that while users have an obligation to follow best practices, companies also have a duty to protect the sensitive information entrusted to them. They further note that the exposed genealogy and relationship information could be highly useful to attackers in developing targeted social engineering campaigns.
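The attack pattern described above, one source cycling leaked username/password pairs across many accounts, is detectable on the service side before a forced reset becomes the only remedy. The following is an added illustration, not code from 23andMe or from the article; the log events, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of authentication events (not real 23andMe logs):
# (source_ip, username, outcome). One source tries many distinct accounts
# and mostly fails, which is the signature of credential stuffing.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "success"),
    ("198.51.100.2", "alice", "fail"),     # one user mistyping a password
    ("198.51.100.2", "alice", "success"),
    ("198.51.100.9", "grace", "success"),
]


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Return source IPs that tried many distinct accounts and mostly failed.

    A single user retrying one account is not flagged; a source spraying
    credentials across many accounts is. Thresholds are assumptions.
    """
    per_source = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for ip, user, outcome in events:
        stats = per_source[ip]
        stats["users"].add(user)
        stats["total"] += 1
        if outcome != "success":
            stats["fails"] += 1
    return sorted(
        ip for ip, stats in per_source.items()
        if len(stats["users"]) >= min_accounts
        and stats["fails"] / stats["total"] >= min_fail_ratio
    )


def accounts_to_reset(events, **thresholds):
    """Accounts that logged in successfully from a flagged source.

    These are the accounts a recycled password most likely opened, so a
    forced password reset and MFA enrolment should cover them first.
    """
    flagged = set(find_stuffing_sources(events, **thresholds))
    return sorted({user for ip, user, outcome in events
                   if ip in flagged and outcome == "success"})


if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(SAMPLE_EVENTS))
    print("accounts to reset:", accounts_to_reset(SAMPLE_EVENTS))
```

In the sample, the spraying source is flagged while the legitimate user's single retry is not, and only the two accounts it successfully opened are queued for reset.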
Experts emphasize that attributing the entirety of blame to users oversimplifies the complex landscape of cybersecurity. Instead, there is a shared responsibility between users and companies to protect sensitive data.