Up against an onslaught of lawsuits, 23andMe is denying liability for millions of users' genetic records leaked last fall.
In a letter to a group of users suing the company, obtained by TechCrunch, lawyers representing the biotech company laid out a case that the users themselves were to blame for whatever data might have been exposed.
As was revealed last month, the attackers did not breach the company's internal systems.
Instead, they gained access to about 14,000 accounts through credential stuffing (replaying username and password pairs exposed in earlier breaches of other sites against 23andMe's login), then used those accounts to pull data on nearly seven million more users through the site's optional DNA Relatives sharing feature.
23andMe's Rationale

The user group suing 23andMe argues that the company violated the California Privacy Rights Act, the California Confidentiality of Medical Information Act, and the Illinois Genetic Information Privacy Act, and committed a number of other common law violations.
23andMe has not necessarily lived up to all of its lofty security promises.
With that said, account security features that might have blunted credential stuffing were available to customers, including two-step verification with an authenticator app, which stops a replayed password from being enough on its own.
Following the company's initial discovery and public notice, it implemented a series of standard security remediations, including notifying law enforcement, terminating all active user sessions, and requiring all users to reset their passwords.
On one hand, users have a laundry list of best practices they can rely on to make account takeover, if not impossible, at least very difficult.
At the same time, Moore points out, companies need to exert their own power to protect their customers, with the many tools they have at their disposal.
Beyond offering multi-factor authentication, sites can enforce minimum password strength, and notify users when logins occur from unusual places or at unusual frequencies.
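The server-side controls described above can be illustrated with a small detector run over authentication logs. The following is an added example, not code from 23andMe or from the article: it parses constructed auth events (not real 23andMe data), flags source IPs whose failed logins spread across many distinct accounts in a short window (the credential-stuffing signature, as opposed to one user mistyping a password), and raises the "unusual place" and "shared source" alerts on successful logins. The log format, the five-minute window, the five-account threshold and the per-user country baseline are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (hypothetical format, not a real 23andMe log).
# One IP fails against many accounts within seconds, then succeeds on two of them
# from a country none of those users has logged in from before.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.5 user=alice result=fail country=NL
2023-10-01T10:00:02Z ip=203.0.113.5 user=bob result=fail country=NL
2023-10-01T10:00:03Z ip=203.0.113.5 user=carol result=fail country=NL
2023-10-01T10:00:04Z ip=203.0.113.5 user=dave result=fail country=NL
2023-10-01T10:00:05Z ip=203.0.113.5 user=erin result=success country=NL
2023-10-01T10:00:06Z ip=203.0.113.5 user=frank result=fail country=NL
2023-10-01T10:00:07Z ip=203.0.113.5 user=bob result=success country=NL
2023-10-01T10:03:00Z ip=198.51.100.7 user=alice result=fail country=US
2023-10-01T10:03:10Z ip=198.51.100.7 user=alice result=success country=US
2023-10-01T11:00:00Z ip=192.0.2.9 user=carol result=success country=US
"""

# Assumed baseline: countries each user has previously logged in from.
BASELINE = {u: {"US"} for u in ("alice", "bob", "carol", "dave", "erin", "frank")}

RATE_WINDOW = timedelta(minutes=5)   # assumed detection window
MIN_DISTINCT_USERS = 5               # assumed threshold of distinct accounts per IP


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def stuffing_sources(events, window=RATE_WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: max distinct accounts} for IPs whose failed logins touched
    at least `min_users` different accounts inside any sliding `window`.
    A single user retrying their own password never trips this."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        for e in evs:
            recent.append(e)
            while recent[0]["ts"] < e["ts"] - window:   # drop events outside window
                recent.popleft()
            users = {r["user"] for r in recent}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def unusual_logins(events, baseline):
    """Alerts on successful logins: 'new_country' when a user with a known
    baseline logs in from an unseen country, and 'shared_source' when one IP
    succeeds into two or more distinct accounts (one operator, many victims)."""
    alerts = []
    seen = {u: set(c) for u, c in baseline.items()}
    success_by_ip = defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        known = seen.setdefault(e["user"], set())
        if known and e["country"] not in known:
            alerts.append(("new_country", e["user"], e["ip"], e["country"]))
        known.add(e["country"])   # learn the location after alerting once
        success_by_ip[e["ip"]].add(e["user"])
    for ip, users in success_by_ip.items():
        if len(users) >= 2:
            alerts.append(("shared_source", ip, len(users)))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(events))
    for alert in unusual_logins(events, BASELINE):
        print("alert:", alert)
```

In production the baseline would be keyed on more than country (ASN, device fingerprint, typical hours), and a flagged source IP would feed rate limiting or a step-up MFA challenge rather than just a log line; the point of the example is that both signals are visible to the site from ordinary login telemetry, without any action by the customer.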
This Cyber News was published on www.darkreading.com. Publication date: Fri, 05 Jan 2024 21:00:17 +0000