23andMe tells victims it’s their fault that their data was breached

3 Mins read

Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.

From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach.

“This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Zavareei said in an email.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.

In response to 23andMe’s letter, Dante Termohs, a 23andMe customer who was impacted by the data breach, told TechCrunch that he found “it appalling that 23andMe is attempting to hide from consequences instead of helping its customers.”

23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims.

“The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information),” the letter read.

23andMe and one of its lawyers did not respond to TechCrunch’s request for comment.

After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.

In an attempt to pre-empt the inevitable class action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to band together when filing a legal claim against the company. Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving,” and “a desperate attempt” to protect itself and deter customers from going after the company.

Clearly, the changes didn’t stop what is now a flurry of class action lawsuits.


1409 posts

About author
Harry is a crypto enthusiast and experienced trader with a track record of success. With a deep understanding of blockchain technology, he has analyzed market trends and identified profitable opportunities, resulting in impressive returns. Harry 's expertise lies in developing effective trading strategies that leverage the potential of cryptocurrencies. Through his articles, guides, and educational resources, he shares his insights and knowledge, helping individuals make informed trading decisions. With a keen eye for market patterns, Harry has navigated the volatile crypto landscape with confidence. Stay tuned for valuable perspectives and expert advice from Harry as he contributes to the Ailtra platform.
Related posts

Indonesia's presidential elections pose uncertainty for the thriving cryptocurrency industry

1 Mins read
Indonesia, has emerged as a formidable player in the global cryptocurrency space in recent years. However, the nation’s upcoming general elections in…

Understanding the Cryptocurrency Boom - Dogecoin Climbs Due to X Payment Integration, While Stellar and BNB Also Experience Growth

1 Mins read
The cryptocurrency market has been experiencing notable gains over the past few days. This is led by an unexpected and surprising spike…

Crypto Entrepreneur Charged with Defrauding Investors Out Of $150 Million Through Marketing Scheme

1 Mins read
Federal prosecutors have charged a German businessman with securities fraud, wire fraud and money laundering for allegedly scamming over 150 investors out…

🚀 Ailtra Crypto Bot Earned $8.9M Million in 7 Months with 0% Loss!

🚀 Ailtra generated $7.4 in 7 months only!

Unlock 20-75% Monthly Returns & Get $100 FREE!

Meet Ailtra Bot! Launching on 31st March an AI Crypto Bot boasting 20%-75% monthly gains and $7.5M earnings in 7 months. 💸Secure a FREE $100 bonus and up to $20K potential via referrals every month. 🎉Only 1,000 spots are available in first phase – claim yours fast! 🔥 will not disclose your account information to any 3rd parties.