Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself of any responsibility, according to a letter sent to a group of victims seen by TechCrunch.
"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were already known to be associated with the targeted customers (typically from earlier, unrelated breaches), a technique known as credential stuffing.
From these 14,000 initial victims, however, the hackers were then able to access the personal data of the other 6.9 million victims because those users had opted in to 23andMe's DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.
In other words, by hacking into only 14,000 customers' accounts, the hackers subsequently scraped the personal data of another 6.9 million customers whose accounts were never directly hacked.
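The two-stage pattern described above (a credential-stuffing wave against the login endpoint, followed by one compromised account fanning out through a relatives-sharing feature) is detectable from ordinary server logs. The following is an added example, not code from the article or from 23andMe; the log line formats, IP addresses and usernames are constructed for illustration, and the thresholds are assumptions a defender would tune to their own traffic.

```python
"""Detection heuristics for the two breach stages described above:
1. credential stuffing: one source IP tries many distinct accounts with a low
   success rate;
2. fan-out scraping: one logged-in account views an abnormal number of relative
   profiles.
All log lines below are constructed for this example (hypothetical format)."""
import re
from collections import defaultdict

LOGIN_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")
VIEW_RE = re.compile(r"user=(?P<user>\S+) viewed=(?P<target>\S+)")

# Constructed login log: 203.0.113.7 cycles through 40 distinct accounts and
# succeeds on only four of them (the stuffing signature); 198.51.100.2 is a
# normal user who mistypes a password once.
LOGIN_LOG = [
    f"2023-10-01T12:00:{i:02d} ip=203.0.113.7 user=user{i} "
    f"result={'ok' if i % 10 == 0 else 'fail'}"
    for i in range(40)
]
LOGIN_LOG += [
    "2023-10-01T12:01:00 ip=198.51.100.2 user=alice result=fail",
    "2023-10-01T12:01:05 ip=198.51.100.2 user=alice result=ok",
]

# Constructed profile-view log: user0 (one of the stuffed accounts) pulls 300
# relative profiles; alice looks at three.
VIEW_LOG = [f"2023-10-01T12:05:00 user=user0 viewed=rel{i}" for i in range(300)]
VIEW_LOG += [f"2023-10-01T12:06:00 user=alice viewed=rel{i}" for i in range(3)]


def parse_logins(lines):
    """Extract ip/user/result dicts from lines that match the login format."""
    out = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def flag_stuffing_sources(lines, min_accounts=20, max_success_rate=0.25):
    """Return source IPs that tried at least `min_accounts` distinct usernames
    with an overall success rate at or below `max_success_rate`."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for ev in parse_logins(lines):
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["total"] += 1
        if ev["result"] == "ok":
            stats["ok"] += 1
    return sorted(
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_accounts and s["ok"] / s["total"] <= max_success_rate
    )


def compromised_accounts(lines, flagged_ips):
    """Accounts that were successfully logged into from a flagged IP:
    the set a defender would force-reset and review first."""
    return sorted({
        ev["user"] for ev in parse_logins(lines)
        if ev["ip"] in flagged_ips and ev["result"] == "ok"
    })


def flag_scrapers(lines, max_views=100):
    """Return accounts that viewed more than `max_views` distinct relative
    profiles, i.e. the fan-out stage that turned 14,000 accounts into 6.9M."""
    views = defaultdict(set)
    for line in lines:
        m = VIEW_RE.search(line)
        if m:
            views[m.group("user")].add(m.group("target"))
    return sorted(u for u, targets in views.items() if len(targets) > max_views)


if __name__ == "__main__":
    ips = flag_stuffing_sources(LOGIN_LOG)
    print("stuffing sources:", ips)
    print("accounts to reset:", compromised_accounts(LOGIN_LOG, set(ips)))
    print("scraping accounts:", flag_scrapers(VIEW_LOG))
```

The first heuristic keys on the ratio of distinct usernames to successes per source, which is what distinguishes stuffing from a legitimate user fumbling one password; the second keys on per-account read volume against a sharing feature, which is the control that would have bounded the second stage regardless of how the first stage succeeded.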
But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe."
"Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures," the letter reads.
Zavareei said that 23andMe is "shamelessly" blaming the victims of the data breach.
"This finger pointing is nonsensical. 23andMe knew or should have known that many users use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform," Zavareei said in an email.
"The breach impacted millions of users whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of users whose data was compromised through no fault of their own whatsoever," said Zavareei.
In response to 23andMe's letter, Dante Termohs, a 23andMe customer who was impacted by the data breach, told TechCrunch that he found "it appalling that 23andMe is attempting to hide from consequences instead of helping its customers."
23andMe's lawyers argued that the stolen data cannot be used to inflict financial harm on the victims.
"The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe's platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver's license number, or any payment or financial information)," the letter read.
23andMe and one of its lawyers did not respond to TechCrunch's request for comment.
After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which had only been optional before the breach.
In an attempt to pre-empt the inevitable class action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to band together when filing a legal claim against the company. Lawyers with experience representing data breach victims told TechCrunch that the changes were "cynical," "self-serving," and "a desperate attempt" to protect itself and deter customers from going after the company.
Clearly, the changes did not stop what is now a flurry of class action lawsuits.