23andMe blames users recycling passwords for data breach

4 Jan 2024


Responding to claims that it broke US privacy laws, the company said the hack occurred because users ‘negligently recycled and failed to update their passwords’.

Genetics company 23andMe is attempting to wash its hands of any blame for a data breach that impacted roughly half of its customers.

The breach dates back to October 2023, when an unauthorised threat actor accessed a number of accounts to get data from millions of profiles, according to the company.

23andMe is facing lawsuits because of the breach. These lawsuits claim that the company breached certain US privacy laws.

In response, the company claims no security breach occurred under the rules of the California Privacy Rights Act (CPRA) and attributed the issue to customers who reused passwords already exposed in earlier breaches, according to a letter shared by TechCrunch.

“Users used the same usernames and passwords that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” company representatives said in the letter.

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

23andMe said it implemented a change in November 2023 that requires all customers to use two-step verification as an “added layer of protection”, but claimed that users have had the option to use this form of authentication since 2019.

TechCrunch reports that an unauthorised threat actor managed to breach 14,000 accounts by logging in with username and password pairs that had been exposed in earlier breaches. From these breached accounts, the hacker was able to access the information of 6.9m users – roughly half of 23andMe’s customer base.
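The pattern described above, where a small number of accounts fall to replayed breach credentials and then expose far more data, is what login telemetry should be watched for. The following is an added example (not 23andMe’s code and not from this article) of how a defender can spot such a run in authentication logs: a source that tries many distinct accounts with mostly failures but a few successes, and a list of the accounts that succeeded from it and therefore need a forced reset and two-step verification enrolment. The log format, the addresses and account names, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of web-application authentication events (not real logs).
# One line per login attempt: timestamp, source address, account, outcome.
SAMPLE_AUTH_LOG = """
2023-10-01T09:00:01Z src=198.51.100.7 user=bob result=FAIL
2023-10-01T09:00:09Z src=198.51.100.7 user=bob result=OK
2023-10-01T09:01:00Z src=203.0.113.5 user=alice result=OK
2023-10-01T09:01:01Z src=203.0.113.5 user=carol result=FAIL
2023-10-01T09:01:02Z src=203.0.113.5 user=dave result=OK
2023-10-01T09:01:03Z src=203.0.113.5 user=erin result=FAIL
2023-10-01T09:01:04Z src=203.0.113.5 user=frank result=FAIL
2023-10-01T09:01:05Z src=203.0.113.5 user=grace result=FAIL
2023-10-01T09:01:06Z src=203.0.113.5 user=heidi result=FAIL
2023-10-01T09:01:07Z src=203.0.113.5 user=ivan result=FAIL
2023-10-01T09:02:30Z src=198.51.100.9 user=carol result=OK
""".strip().splitlines()

# Assumed log line layout; adjust the pattern to the real application's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters for one observation window."""
    users: set = field(default_factory=set)      # distinct accounts attempted
    ok_users: set = field(default_factory=set)   # accounts that logged in successfully
    ok: int = 0
    fail: int = 0


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group login attempts by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip anything that does not match the expected format
        s = stats[ev["src"]]
        s.users.add(ev["user"])
        if ev["result"] == "OK":
            s.ok += 1
            s.ok_users.add(ev["user"])
        else:
            s.fail += 1
    return dict(stats)


def flag_stuffing_sources(stats, min_users=5, max_success_ratio=0.5):
    """Sources that tried many distinct accounts with mostly failures.

    A legitimate user retrying a forgotten password touches one account; a
    replayed breach list touches many, and because most pairs are stale the
    success ratio is low but rarely zero. Thresholds are assumptions.
    """
    flagged = []
    for src, s in stats.items():
        attempts = s.ok + s.fail
        ratio = s.ok / attempts if attempts else 0.0
        if len(s.users) >= min_users and ratio <= max_success_ratio:
            flagged.append(src)
    return sorted(flagged)


def accounts_to_reset(stats, flagged_sources):
    """Accounts that logged in successfully from a flagged source: their
    password is valid and evidently already known to whoever ran the list."""
    hit = set()
    for src in flagged_sources:
        hit |= stats[src].ok_users
    return sorted(hit)


if __name__ == "__main__":
    stats = aggregate(SAMPLE_AUTH_LOG)
    flagged = flag_stuffing_sources(stats)
    print("suspected credential-replay sources:", flagged)
    print("accounts needing forced reset and 2FA enrolment:", accounts_to_reset(stats, flagged))
```

The per-source view is deliberately simple: a run spread across many proxy addresses will not cross the distinct-account threshold at any one source, so production detection also tracks the site-wide ratio of first-attempt failures across distinct accounts per window. The response side of the example matches the control the article describes, mandatory two-step verification, which stops a valid but reused password from being sufficient on its own.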

23andMe said the stolen data relates to a user’s ancestry, which they would have chosen to share when opting in to 23andMe’s DNA Relatives feature. The company said that this information “cannot be used for any harm” – though earlier reports suggest the data was being sold on hacker forums.

“The information that the unauthorised actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s licence number or any payment or financial information),” 23andMe said.

Hassan Zavareei, a lawyer representing the breach victims who received the letter from 23andMe, described the action as finger pointing. The lawyer told TechCrunch that 23andMe “knew or should have known that many consumers use recycled passwords” and that it should have implemented safeguards to prevent the incident.


Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com