23andMe Blames Victims for Information Hack

John Lister's picture

DNA and ancestry site 23andMe has told victims of a major hack that it's their fault for not using unique passwords. The claim came in a letter aimed deterring victims from proceeding with a class action case.

The site admitted last month that almost 7 million customers have been affected by a data breach. Hackers directly accessed personal data including DNA information of about 14,000 people. However, they were able to get some personal data of another 6.9 million people that enabled a feature to share information with potential relatives.

Unsurprisingly, this led to legal action from customers who felt 23andMe had failed to adequately secure their data.

'Customers Responsible' For Reused Password

The company has now written to one of the lawyers representing plaintiffs in one of the cases. In a stark response, one of its reasons for rejecting the case is that it claims that "No Breach Occurred." That's because it believes the initial access by unauthorized actors was in cases "... where users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches ... and failed to update their passwords following these past security incidents, which are unrelated to 23andMe." (Source: techcrunch.com)

Password Insufficient

The lawyer says that's an inadequate response because the site should have taken additional steps to protect accounts other than relying solely on passwords, particularly given the sensitive nature of information provided by customers. (Source: arstechnica.com)

This could include using two factor authentication if customers (or hackers) were attempting to log in from somewhere other than their usual location. It could also mean blocking automated credential stuffing, where hackers use a list of stolen details from one site to attempt to login to accounts on other sites. It should be possible to block or limit a hacker's attempts to try thousands of different login attempts in succession.

The password point is also not relevant to the people whose accounts were not directly breached but whose personal data was exposed indirectly. Any legal case on that point would likely center on what damage that exposure did (or could) cause, and whether customers were fully informed of potential risk before signing up to the sharing feature.

What's Your Opinion?

Does 23andMe have a point? Is a single password enough to reliably secure an account or should sites take extra measures? Should sites which handle sensitive data such as DNA be held to higher security standards?

Rate this article: 
Average: 5 (5 votes)


Chief's picture

They have a great point.
Just like hiding out a set of keys to your house where they can be found.
It may be illegal to trespass, but since when did that stop a criminal?
And are they criminals if they have keys?

Same idea.
Safeguard your passwords.
Use two-factor authentication.

Common sense and accepting responsibility go a long ways.

eric's picture

"would've" = would have

"would of" = way, way, way far outside correct grammar. Those two words don't go together at all.

But yeah, if the breach was not directly in 23andMe systems, but was all from reused passwords, then that is on the users. And if those user account breaches shared or received info with other user profiles, that's also on the user for reusing the same password.

However, the plaintiffs do have a point about login attempt restrictions. That's standard practice for most companies.

As for the "you should have required MFA" bit, if the option is there and the users chose not to implement it, that's also on them. But if there is not an MFA option on the site, then that's shame on the site. (I've never been to that site, so idk what options they have)

The great vast majority of users are careless and insecure online. They reuse the same password for everything. They can't be bothered with MFA. Those things are mostly laziness, with some room for ignorance as well or instead. But it's 2024. There's a new hack/breach in the news every week. How many headlines can they ignore before they have no excuse for not better protecting their accounts?

Hell, even a 30yr IT pro like me gets lazy. One of my accounts got hacked last week. I had just been procrastinating about fixing the MFA setup. (sometimes trigger, sometimes not) And I had a relatively weak password.
When I did get the "unusual login" alert, I didn't get mad at the company hosting the account. I knew it was my fault for the weak pswd and procrastinating about MFA settings. Luckily, I was able to change my password to something a lot stronger as soon as I got the alert. (and went ahead and fixed the MFA settings lol)