CyberSecurityBoard
Sponsor Register Login

23andMe Blames User "Negligence" for Data Breach

DNA testing firm 23andMe has argued the victims are responsible for the breach of highly sensitive genomics data on its systems last year.
The DNA testing firm argued this allowed the attackers to launch a credential stuffing campaign using usernames and passwords accessed in separate breaches.
In the incident, which took place in October 2023, nearly 7 million customers' information was accessed, including a significant number of files containing information about some users' genealogy, such as ethnicity and ancestry.
The hackers initially accessed around 14,000 user accounts via the credential stuffing campaign.
They then used this information to access the personal data of 6.9 million users who had opted into 23andMe's DNA Relatives feature, in which customers automatically share some of their data with people who are considered their relatives on the platform.
23andMe claimed in the letter that there was also no case as the victims had elected to share their information with other users by opting into the DNA Relatives feature.
In the lawsuit filing, Bacus v 23andMe, Inc., the plaintiff alleges the DNA testing firm did not take reasonable measures to secure user accounts, which resulted in the breach.
Since the incident, 23andMe confirmed it has added new security measures to protect user accounts.
This includes ending all active logged-in user accounts, requiring a password reset on all user accounts and requiring all customers to use two factor authentication.
Industry experts quickly criticized 23andMe's assertion that the victims were to blame for the breach.
Erfan Shadabi, Cybersecurity Expert at comforte AG, commented that while users do have an obligation to follow best practices in areas like password management, companies also have a duty to protect the sensitive information that has been entrusted to them, such as enforcing 2FA policies.
Nick Rago, Field CTO at Salt Security, said that 23andMe's argument that the breach cannot cause financial harm because it did not include information like credit card details is completely outdated.
He noted that exposing any genealogy or relationship information would be highly useful to an attacker in developing a targeted social engineering campaign to scam a consumer, steal an identity or gain privileged system access in a corporate infrastructure.
Examples of recent breaches that were rooted with a successful targeted social engineering campaign include those that affected JumpCloud, MGM and Caesars.


This Cyber News was published on www.infosecurity-magazine.com. Publication date: Fri, 05 Jan 2024 10:45:22 +0000


Cyber News related to 23andMe Blames User "Negligence" for Data Breach

23andMe failed to detect mega-breach attackers for 5 months The Register - Biotech and DNA-collection biz 23andMe, the one that blamed its own customers for the October mega-breach, just admitted it failed to detect any malicious activity for the entire five months attackers were breaking into user accounts. In a collection ...
8 months ago Go.theregister.com
DNA testing: What happens if your genetic data is hacked? - The personal information of millions of people who sent swabs of their DNA to consumer testing services have been leaked in high profile hacks in recent years, leading to questions about how secure that genetic data is. In autumn 2023, a hacker ...
7 months ago Packetstormsecurity.com
23andMe Faces Legal Backlash Over Data Breach and Blames Victims - Facing a deluge of more than 30 lawsuits from individuals impacted by a substantial data breach, genomics company 23andMe has taken a defensive stance by placing responsibility on the victims themselves. The breach came to light in October when ...
8 months ago Cysecurity.news
Hacker leaks millions of new 23andMe genetic data profiles - A hacker has leaked an additional 4.1 million stolen 23andMe genetic data profiles for people in Great Britain and Germany on a hacking forum. Earlier this month, a threat actor leaked the stolen data of 1 million Ashkenazi Jews who used 23andMe ...
9 months ago Bleepingcomputer.com
23andMe: It's YOUR Fault We Lost Your Data - DNA testing firm doubles down on blaming victims and sics lawyer on them. Millions of 23andMe users had their personal information stolen last year. Apparently, it's not the firm's responsibility-it's the users' own fault that a distant relative had ...
8 months ago Securityboulevard.com
23andMe Blames User "Negligence" for Data Breach - DNA testing firm 23andMe has argued the victims are responsible for the breach of highly sensitive genomics data on its systems last year. The DNA testing firm argued this allowed the attackers to launch a credential stuffing campaign using usernames ...
8 months ago Infosecurity-magazine.com
Tech Security Year in Review - In this Tech Security Year in Review for 2023, let's look into the top data breaches of the past year. Each factor contributes to the growing threatscape, demanding a proactive and adaptable cybersecurity approach to safeguard your organization ...
8 months ago Securityboulevard.com
23andMe confirms nearly 7 million customers affected in data leak - Nearly 7 million 23andMe customers had their profile data leaked in a cybersecurity incident in October, a company spokesperson confirmed to SC Media on Monday. The vast majority of the leaked data was scraped from the site's DNA Relatives feature ...
9 months ago Packetstormsecurity.com
Data Breach Response: A Step-by-Step Guide - In today's interconnected world, organizations must be prepared to respond swiftly and effectively in the face of a data breach. To navigate these challenges, a well-defined and comprehensive data breach response plan is essential. Let's explore the ...
7 months ago Securityzap.com
Infosec experts divided over 23andMe's breach blame game The Register - 23andMe users' godawful password practices were supposedly to blame for the biotech company's October data disaster, according to its legal reps. Nope, the biotech firm's infrastructure management was certainly not at fault in any way when 6.9 ...
8 months ago Go.theregister.com
23andMe says, er, actually some genetic and health data might have been accessed in recent breach - In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company. Now, a filing with the US Securities and Exchange Commission has provided ...
9 months ago Malwarebytes.com
23andMe: Data Breach Was a Credential-Stuffing Attack - DNA testing company 23andMe has released further details surrounding an October data breach, where user profile information had been accessed and downloaded at the hands of a threat actor. On Oct. 1, a threat actor made a post on the Dark Web ...
9 months ago Darkreading.com
23andMe Is On The Ventilator. Its CEO Remains 'Hopeful' - The Silicon Valley and Wall Street golden kid 23andMe was the DNA testing firm just three years ago. The company is currently in risk of being delisted from the Nasdaq. CEO of 23andMe Anne Wojcicki tells CNN that Wall Street shouldn't write her off ...
7 months ago Cysecurity.news
23andMe told victims of data breach that suing is futile, letter shows - Last year, hackers accessed 14,000 accounts on 23andMe by using passwords that had been previously breached during security incidents on other websites. By using this tactic, known as credential stuffing, hackers could access the personal data of ...
8 months ago Packetstormsecurity.com
23andMe updates user agreement to prevent data breach lawsuits - In October, a threat actor attempted to sell 23andMe customer data and, after failing to do so, leaked the data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom. 23andMe told BleepingComputer that the data was obtained ...
9 months ago Bleepingcomputer.com
23andMe responds to breach with new suit-limiting user terms The Register - Security in brief The saga of 23andMe's mega data breach has reached something of a conclusion, with the company saying its probe has determined millions of leaked records originated from illicit break-ins into just 14,000 accounts. In an update on ...
9 months ago Go.theregister.com
How Can DSPM Prevent High-Profile Breaches? - In early October 2023, a DNA testing company for ancestry discovery purposes, 23andMe, disclosed that it suffered a data breach. On the 5th of December 2023, the company shared that the data breach was more damaging than was initially reported. On ...
9 months ago Gbhackers.com
23andMe Says Hackers Saw Data From Millions of Users - Personal genetics firm 23andMe on Tuesday confirmed that hackers using stolen passwords accessed the personal information about 6.9 million of its members. While the hackers were only able to get into about 14,000 accounts, or 0.1 percent of its ...
9 months ago Securityweek.com
Goto Customers Backup Data Breach: Protect Your Business and Handle Data Breach Risks - A data breach at Goto customers exposed their backup data to malicious actors, leading to a data breach that impacted those customers. Businesses need to be aware of the risks associated with data breaches and how to protect their organisations from ...
1 year ago Securityaffairs.com
Welltok data breach exposes data of 8.5 million US patients - Healthcare SaaS provider Welltok is warning that a data breach exposed the personal data of nearly 8.5 million patients in the U.S. after a file transfer program used by the company was hacked in a data theft attack. Welltok works with health service ...
9 months ago Bleepingcomputer.com
How Can Data Breach Be A Trouble For Your Industry? - To navigate an era of cyber risks, this unsettling reality necessitates a renewed focus on data integrity protection and digital asset protection. In this blog, we will discuss a data breach in the Hospitality industry. Some of the companies like MGM ...
8 months ago Securityboulevard.com
23andMe - 23andMe is a revolutionary service that analyzes your DNA and provides insights into your health, ancestry, and traits. This saliva-based DNA service offers personalized reports on your ancestry, family history, traits, and more. With one of the ...
9 months ago
23andMe: "Negligent" Users at Fault for Breach of 6.9M Records - Up against an onslaught of lawsuits, 23andMe is denying liability for millions of users' genetic records leaked last fall. In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid ...
8 months ago Darkreading.com
Pharmacy provider Truepill data breach hits 2.3 million customers - Postmeds, doing business as 'Truepill,' is sending notifications of a data breach informing recipients that threat actors accessed their sensitive personal information. Truepill is a B2B-focused pharmacy platform that uses APIs for order fulfillment ...
9 months ago Bleepingcomputer.com
AvidXchange Notifies Consumers of Data Breach Following Period of Unauthorized Access - On October 13, 2023, AvidXchange, Inc. filed a notice of data breach with the Attorney General of Massachusetts after discovering that a recent cybersecurity event resulted in an unauthorized party being able to access the company's IT network. In ...
9 months ago Jdsupra.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)