23andMe: It's YOUR Fault We Lost Your Data

DNA testing firm doubles down on blaming victims and sics lawyer on them.
Millions of 23andMe users had their personal information stolen last year.
Apparently, it's not the firm's responsibility: it's the users' own fault that a distant relative had a bad password.
As a reminder: In October, 23andMe said the breach only affected a few users; in November, it grew to 17,000; and December's official tally was 6.9 million.
The hackers broke into this first set of victims by [using] passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
From these 14,000 initial victims the hackers were able to then access the personal data of the other 6.9 million [via] 23andMe's DNA Relatives feature, [which] allows customers to automatically share some of their data.
By recycling passwords, the company means the common, but inadvisable, practice of using one password for multiple online accounts.
The company is facing multiple lawsuits over the data breach that collectively allege it has failed to protect users.
23andMe denies this allegation [but] since the breach, 23andMe has instituted a two-step authentication process as the default.
Our firm represents 23andMe, Inc. Each of the claims is without merit, and we urge you to consider the futility of continuing to pursue an action in this case. 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials and users negligently recycled and failed to update their passwords following past security incidents.
23andMe failed to identify brute force and credential stuffing access of 14,000 accounts.
They also have a feature that grants those 14k compromised accounts effective access to 6.9 million accounts.
23andMe then claims that poor password practices are responsible for this data leak.
I've not run security at an org of their size, nor have I touched their service, but I have to imagine there were some patterns to this breach that would have been reasonable to account for ahead of time.
If your overall security is compromised by users not changing passwords, you don't have security.
Blaming an 80-year-old grandma for reusing a password is ridiculous.
It's believable that 14k people got their account accessed from reusing passwords.
The users share responsibility by trusting this scummy company.
Does not lessen the responsibility of 23andMe in any way though.
Congratulations 23andMe, your genealogical heritage is as follows: 80% Incapable of Admitting Fault, 8% Victim Blaming, 5% Petty, 4% Whiny, 3% Neanderthal.


This Cyber News was published on securityboulevard.com. Publication date: Thu, 04 Jan 2024 15:13:04 +0000

