The genealogy company 23andMe has gone on the offensive against hundreds of customers who filed lawsuits following the massive data breach it announced in December 2023.
The company has taken the unusual step of accusing its customers of being responsible for the breach that resulted in hackers gaining access to data of 6.9 million users.
In a letter sent to users who have filed lawsuits, the company states, “Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.
A lawyer representing some of the affected customers told TechCrunch that the move by 23andMe to blame its customers for the breach is “nonsensical.”
“23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing,” attorney Hassan Zavareei said in an email to TechCrunch.
Credential stuffing is a method hackers use to gain access to accounts by replaying username and password combinations already known to them, typically from earlier breaches at other services, against a site's login page; it works wherever users reuse the same password. In the initial attack, hackers gained access to 14,000 accounts this way.
The breach then expanded far beyond those accounts: the hackers used the DNA Relatives feature, which connects people who may share lineage, to reach the data of 6.9 million users, including genetic and ancestry data.
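The pattern described above has a recognizable signature in authentication logs: a single source tries many distinct usernames, most attempts fail, and a few succeed. The following detection routine, added here as an illustration and not code from 23andMe or from the article, flags sources matching that pattern and lists the accounts that were successfully logged into from them, which is the set a defender would force-reset. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (hypothetical format, not 23andMe's).
# 203.0.113.5 cycles through many accounts with mostly failures and two successes,
# 198.51.100.7 is one user mistyping once, 192.0.2.9 tries only three accounts.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z login ip=203.0.113.5 user=user01 result=FAIL
2023-10-01T12:00:02Z login ip=203.0.113.5 user=user02 result=FAIL
2023-10-01T12:00:03Z login ip=203.0.113.5 user=user03 result=OK
2023-10-01T12:00:04Z login ip=203.0.113.5 user=user04 result=FAIL
2023-10-01T12:00:05Z login ip=203.0.113.5 user=user05 result=FAIL
2023-10-01T12:00:06Z login ip=203.0.113.5 user=user06 result=FAIL
2023-10-01T12:00:07Z login ip=203.0.113.5 user=user07 result=OK
2023-10-01T12:00:08Z login ip=203.0.113.5 user=user08 result=FAIL
2023-10-01T12:00:09Z login ip=198.51.100.7 user=alice result=FAIL
2023-10-01T12:00:15Z login ip=198.51.100.7 user=alice result=OK
2023-10-01T12:00:20Z login ip=192.0.2.9 user=bob result=FAIL
2023-10-01T12:00:21Z login ip=192.0.2.9 user=carol result=FAIL
2023-10-01T12:00:22Z login ip=192.0.2.9 user=dave result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_failure_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a high failure rate.

    Returns a dict keyed by flagged IP with the number of distinct usernames,
    the failure ratio, and the accounts that were successfully logged into
    from that source (candidates for a forced password reset).
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["successes"].add(e["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["failures"] / stats["attempts"]
        # Both conditions are required: a single user retrying their own password
        # has a high failure ratio but touches only one account.
        if len(stats["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "failure_ratio": round(ratio, 2),
                "compromised_accounts": sorted(stats["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are deliberately simple; in production the same counts would be kept per time window and the distinct-account signal would also be tracked per network range and per device fingerprint, since stuffing tools spread attempts across many IP addresses. Flagged successes are the important output: those are the accounts whose reused passwords were valid.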
23andMe has further attempted to downplay the seriousness of the data breach by claiming users would not be harmed financially by the stolen data.
“The information that was potentially accessed cannot be used for any harm,” the letter to customers reads. “The information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information).”
Following the data breach, 23andMe reset all users’ passwords and changed its terms of service to prevent future lawsuits in the event of additional data breaches, a move lawyers describe as a “cynical, self-serving, and a desperate attempt to protect itself.”