Genetic testing company 23andMe is facing a class action lawsuit alleging that users' data was accessed without their permission. The breach was allegedly caused by a customer who used a recycled password as login credentials for her account on the home DNA company's website.
In a letter responding to lawyers representing customers whose data was breached, 23andMe said that the users targeted in the original breach were unable to use login credentials exposed in breaches involving other websites. As such, there was no violation under the California Privacy Rights Act. Using login credentials exposed in other breaches to access accounts is a tactic called “credential stuffing.” The letter was first reported by TechCrunch and independently confirmed by FOX Business.
The company reiterated its position when first disclosing the incident in October, saying it has “noted any instances where a user has reused their login credentials, i.e. the user has used the same username and password that was previously used. In the example we used, an unauthorized attacker was able to gain access to a specific user account.” 23andMe.com, like other websites that have been victims of security breaches before, has also been linked to users inadvertently recycling or not updating their passwords after these past security incidents. However, this has nothing to do with 23andMe.
The first incident targeted approximately 14,000 accounts of 23andMe users, and hackers used these accounts to access data of 6.9 million users. From the 14,000 accounts that were initially compromised, the hacker accessed information in approximately 5.5 million DNA kinship profiles and approximately 1.4 million genealogy trait profiles associated with the compromised accounts.
The company announced in December that it had 14 million customer profiles at the time.
23andMe did not immediately respond to a request for comment.
“Instead of acknowledging its role in this security disaster, 23andMe is denying the seriousness of these events,” Hassan Zavary, a lawyer representing victims who are filing a class action lawsuit against 23andMe, said in a statement provided to FOX Business. “It appears that the company has decided to neglect its customers and leave its customers alone.”
He added: “This breach affected millions of consumers whose data was exposed through the DNA relatives feature on the 23andMe platform, not because they were using recycled passwords.”

“Of those millions of accounts, only a few thousand have been compromised through credential stuffing,” Zavary added. “23andMe's attempt to avoid responsibility by blaming its customers does nothing to help the millions of consumers whose data was breached through no fault of their own.”
Following the breach, hackers posted nearly 1 million data points related to Ashkenazi Jewish users and similar data related to more than 300,000 users of Chinese descent.
23andMe also took steps to change its security protocols for its users by requiring all new and existing users to use two-factor authentication and instructing all customers to reset their passwords.
The company's shares fell more than 8% in late afternoon trading Wednesday.





