23andMe users' godawful password practices were supposedly to blame for the biotech company's October data disaster, according to its legal reps.
Nope, the biotech firm's infrastructure management was certainly not at fault in any way when 6.9 million users had their data compromised after some 14,000 accounts were broken into via credential stuffing.
Users recycling credentials compromised in separate, unrelated breaches has been pinpointed by 23andMe as the main reason why a boatload of data ended up in the hands of cybercriminals.
The lack of mandatory 2FA/MFA or of checks for compromised credentials used on the site, for example, is not cited as a significant influence.
The claims were made in a letter [PDF] sent to the lawyers representing customers behind a lawsuit against 23andMe, alleging violations of the California Privacy Rights Act, the California Confidentiality of Medical Information Act, the Illinois Genetic Information Privacy Act, and various common laws.
Hassan Zavareei, one of the lawyers representing the plaintiffs in the case, said the company is neglecting customers and downplaying the seriousness of the incident.
The blog post referenced in the letter, last updated on December 5, differs very little from the wording of the company's lawyers, making all the same points, just without playing the blame game so directly.
There is no reference to user negligence or failure in the blog, and its most recent update is concluded with a list of the additional measures the company has implemented to protect users from attacks in the future.
In the infosec industry, experts appear to be divided on the matter, although the majority opposed the stance of 23andMe.
Prior to the data breach in October, 23andMe did not mandate the use of 2FA, but said it has supported authenticator app-based 2FA since 2019.
Many others opposed the company's stance, including Rachel Tobac, CEO at SocialProof Security and member of CISA's Technical Advisory Council, who said the implementation of tools to check whether credentials have been compromised would be an effective countermeasure.
The average internet user is unlikely to be aware of the different tools available to check the safety of their reused credentials, relying on the platforms they engage with to alert them in the same way they typically do for weak passwords during the sign-up phase.
Arguably, even fewer may be aware of the full consequences of reusing compromised credentials, or what a credential stuffing attack is, even if they had been made aware they were previously compromised.
The recommendation to implement the HaveIBeenPwned API was one many commentators echoed, and 2FA not being the default setting was another prominent criticism.
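For readers wondering what the recommended compromised-credential check looks like in practice, here is an added example (not 23andMe's code, nor The Register's) of the Pwned Passwords range lookup: the client sends only the first five hex characters of the password's SHA-1 to `https://api.pwnedpasswords.com/range/{prefix}` and compares the remaining 35 locally. The endpoint and `SUFFIX:COUNT` line format are the real API; the sample response and its counts are constructed so the check runs offline, and the `User-Agent` string is a placeholder.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed sample of a /range/{prefix} response. Each line is a 35-char
# SHA-1 suffix followed by how often it appeared in breaches. The middle suffix
# is the real SHA-1 tail of "password"; the other suffixes and all counts are made up.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API; returns an empty list for unknown prefixes."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range endpoint (network required)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-credential-check"},  # placeholder UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = hibp_range_lookup) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    Only the 5-char hash prefix leaves the client (k-anonymity); the 35-char
    suffix is matched locally against the candidates the server returns.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def reject_if_pwned(password: str, lookup: Callable[[str], str] = hibp_range_lookup) -> bool:
    """Policy hook for sign-up, password change or login: True means refuse it."""
    return pwned_count(password, lookup) > 0
```

Wired into the sign-up and login paths, a positive result is the moment to force a reset and, ideally, to prompt for 2FA enrolment; the lookup itself never transmits the full hash.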
Not all industry pros were aligned in their thinking, though.
The Register approached 23andMe for comment but it did not respond.
This Cyber News was published on go.theregister.com. Publication date: Thu, 04 Jan 2024 18:43:03 +0000