
23andMe blames victims for data breach, claiming users ‘recycled’ passwords

In a recently obtained December letter, 23andMe denied being at fault for last year's massive data security breach and instead shifted the blame to users who “recycled” their passwords, TechCrunch reported.

The letter, sent by the law firm representing 23andMe to the user group suing the company, states that “no infringement has occurred.”

“As stated in 23andMe's October 6, 2023 blog post, 23andMe will provide you with the same information if you reuse your login credentials, i.e., if you reuse your login credentials. We believe that an unauthorized attacker was able to access certain user accounts when using the same username and password on 23andMe.com as on other websites that have been victims of security breaches before; users have carelessly reused and not updated their passwords after these past security incidents, but this is unrelated to 23andMe,” the letter claims.

23andMe's law firm further asserted that the company did not violate the California Privacy Rights Act, the California Medical Information Confidentiality Act, the Illinois Genetic Information Privacy Act, or any other law.

“[T]his case was not due to 23andMe's failure to maintain reasonable security measures under the CPRA,” it added.

23andMe claimed that “even if there was a breach,” the company subsequently took steps to protect its users. After notifying law enforcement about the “unauthorized access,” in October it ended all active sessions and required users to perform a password reset to log back into their accounts. In November, the company required two-step verification; this previously optional process is intended as an “additional layer of protection.”

“Equally important, any information that may be accessed cannot be used for any harm,” the letter asserts.

In 23andMe's blog post addressing data security concerns, the company said the hackers accessed the DNA Relatives profile, a feature on its website that includes information such as display names, predicted relationships, genetic matches and percentage of shared DNA. Users must opt in to share this information with genetic relatives, the company said. For users who did not enable this feature, the attackers did not have access to this information, the blog post explains.

Hassan Zavary, one of the lawyers representing victims' groups, told TechCrunch that 23andMe is “shamelessly” blaming its users.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers alone while downplaying the seriousness of these events,” Zavary said.

“This finger-pointing is nonsense,” Zavary continued. “23andMe knew or should have known that many consumers were using reused passwords, and in particular 23andMe did not store personally identifiable information, health information, and genetic information on its platform. Given that we are storing credential stuffing, we needed to implement some of the many safeguards available to protect against credential stuffing.”

The breach affected 6.9 million 23andMe accounts, nearly half of the company's users. TechCrunch reported that 23andMe is facing more than 30 lawsuits due to the incident.

The hackers initially gained access to 14,000 user accounts using a cyberattack technique known as credential stuffing. In this technique, threat actors attempt to access other websites using login information stolen from previous data breaches. This brute-force attack assumes that a user is applying the same credentials to multiple online accounts.

After hacking into these accounts, hackers were able to access the data of millions of 23andMe users who had opted in to the website's DNA Relatives feature, TechCrunch reported.

“This breach was not caused by the use of recycled passwords, but rather affected millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform. Out of millions of accounts, only a few thousand accounts were compromised through credential stuffing, trying to circumvent 23andMe's efforts. Blaming the customer doesn't help the millions of consumers whose data has been compromised through no fault of their own.”

Neither 23andMe nor its legal team responded to requests for comment, TechCrunch reported.
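The credential stuffing pattern described above (one stolen username and password pair tried per account, across many accounts) looks different in login telemetry from repeated guessing against a single account. The following Python code is an added example, not code from 23andMe or from the article; the event format, the thresholds and the sample addresses are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed login events: (timestamp, source_ip, username, success)."""
    t0 = datetime(2023, 10, 1, 10, 0, 0)
    events = []
    # One attempt per account across many accounts: the credential stuffing shape.
    for i in range(8):
        events.append((t0 + timedelta(seconds=10 * i), "203.0.113.50", f"user{i}", i == 6))
    # Many guesses against a single account: classic brute force.
    for i in range(6):
        events.append((t0 + timedelta(seconds=5 * i), "198.51.100.9", "carol", False))
    # Shared office NAT: several users, one mistyped password, otherwise successes.
    office = [("dave", True), ("erin", False), ("erin", True), ("frank", True)]
    for i, (user, ok) in enumerate(office):
        events.append((t0 + timedelta(minutes=i), "192.0.2.10", user, ok))
    return events

def classify_sources(events, window=timedelta(minutes=5), min_accounts=5,
                     max_success_ratio=0.2, min_retries=5):
    """Return {ip: label} for sources whose recent logins look automated.

    Thresholds are illustrative assumptions, not values from the article.
    """
    recent = defaultdict(deque)  # ip -> (time, user, success) inside the window
    verdicts = {}
    for when, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((when, user, ok))
        while when - q[0][0] > window:  # drop events older than the window
            q.popleft()
        accounts = {u for _, u, _ in q}
        failures = Counter(u for _, u, s in q if not s)
        success_ratio = sum(s for _, _, s in q) / len(q)
        # Many distinct accounts, mostly failing: replayed breach credentials.
        if len(accounts) >= min_accounts and success_ratio <= max_success_ratio:
            verdicts[ip] = "credential_stuffing"
        # Repeated failures on one account: password guessing.
        elif ip not in verdicts and failures and max(failures.values()) >= min_retries:
            verdicts[ip] = "brute_force"
    return verdicts

if __name__ == "__main__":
    for ip, label in classify_sources(build_sample_events()).items():
        print(ip, label)
```

A campaign spread across many source addresses stays under per-IP thresholds like these, so counting by source complements, rather than replaces, controls such as the forced password reset and mandatory two-step verification mentioned above.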
