{"id":23627,"date":"2024-01-13T12:25:27","date_gmt":"2024-01-13T20:25:27","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17357\/"},"modified":"2024-01-13T12:25:27","modified_gmt":"2024-01-13T20:25:27","slug":"news-17357","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17357\/","title":{"rendered":"23andMe blames “negligent” breach victims, says it\u2019s their own fault"},"content":{"rendered":"\n

In a surprising move, in a letter to legal representatives of victims<\/a> of the recent 23andMe data breach<\/a>, the company has laid the blame at the feet of victims themselves.<\/p>\n

23andMe even goes as far as to claim that this wasn\u2019t a data breach at 23andMe at all. The reasoning:<\/p>\n

\n

\u201c… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials\u2014that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.\u201d<\/p>\n<\/blockquote>\n

In other words, it was their own fault since they re-used their passwords for services that were breached in the past. Accessing accounts on a website by using lists of usernames and passwords exposed on another is known as \u201ccredential stuffing\u201d, and it\u2019s both common and effective. It works because users often use the same password for multiple websites.<\/p>\n

What 23andMe seems to have forgotten is that only 14,000 accounts were breached by credential stuffing. Afterwards, the attackers used those accounts to access a much larger trove of data via 23andMe’s feature called DNA Relatives which matches users with their genetic relatives.<\/p>\n

So, in what was only made possible by 23andMe, customers who didn\u2019t re-use their passwords and even had 2FA<\/a> enabled still saw their data stolen. This resulted in the data of as many as seven million 23andMe customers being offered for sale on criminal forums. <\/p>\n

We spoke about the breach in our most recent Lock and Code podcast episode. You can listen to that wherever you get your podcasts, or below:<\/p>\n

\n
https:\/\/open.spotify.com\/episode\/4ubXicnijYEyCEAAngDY1F?go=1&sp_cid=badd369a49adcfc92e556cb4bdebcb6d&utm_source=embed_player_p&utm_medium=desktop <\/div>\n<\/figure>\n

This is the second time the company has attempted to downplay the incident. In its first communication about the incident, 23andMe claimed the stolen data did not include genomic sequencing data.\u00a0 Later, the company acknowledged that for a subset of these accounts, the stolen data might indeed contain health-related information based upon the user\u2019s genetics.<\/p>\n

The data in a file found by BleepingComputer<\/a> contained information including 23andMe users’ account IDs, full names, sex, date of birth, DNA profiles, location, and region details.<\/p>\n

As a result, at least four class action complaints were submitted in California seeking relief for the damage done by 23andMe’s failure to protect customer data. The lawsuits focus on different failures on 23andMe\u2019s side to guard the safety of sensitive data, communicate appropriately about the incident, and monitor its network for abnormal activity.<\/p>\n

In its defense, 23andMe reasons that customers re-used their passwords, gave permission to share data with other users<\/strong> on 23andMe\u2019s platform, and that the medical information was non-substantive.<\/p>\n

I put the emphasis on “other users” in order to point out a flaw in 23andMe\u2019s reasoning\u2014agreeing to share with other users is hardly the same as agreeing to share with a data thief. Without knowing the exact details of what happened, we feel that monitoring would indeed have raised alerts about abnormal activity and allowed them to stop the breach earlier. As it seems now, 23andMe only became aware of a problem when someone offered the data up for sale.<\/p>\n

Whatever the judges may decide in the end, it’s looking like 23andMe has shown a lot of disregard for its customers’ privacy and the level of sensitivity of the data.<\/p>\n

Data breach<\/h3>\n

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach<\/a>.<\/p>\n