Just a month after the 23andMe breach drew massive criticism and lawsuits, the company appears intent on avoiding liability by all means.
According to a letter sent to the victims and later shared with TechCrunch, the company now seems to be shifting the blame onto the very customers whose accounts were compromised.
Hassan Zavareei, an attorney representing the victims, expressed concern that 23andMe is evading responsibility by pointing fingers at its customers instead of acknowledging its role in the data security incident. Last December, 23andMe confirmed a breach where hackers accessed the genetic and ancestry data of 6.9 million users, almost half of its customer base.
The initial breach involved approximately 14,000 user accounts, compromised through credential stuffing: a technique in which attackers replay username and password pairs already known from earlier leaks, relying on customers having reused those passwords on 23andMe. From those compromised accounts, the attackers then exploited the DNA Relatives feature to access the personal data of another 6.9 million users who had opted into the platform’s optional data-sharing feature.
In a letter sent to a group of users involved in the lawsuits, 23andMe stated that users were negligent in recycling passwords and not updating them after past security incidents, which the company claims are unrelated to its practices. The letter contends that the data breach was not a result of 23andMe’s failure to maintain reasonable security measures.
Zavareei criticized this response as a “shameless” attempt to blame the victims, emphasizing that 23andMe should have implemented safeguards to protect against credential stuffing, given the sensitive nature of the stored information.
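The attack pattern described above has a recognisable shape from the defender's side: one source tries many distinct usernames, most attempts fail, and the few that succeed are the accounts whose reused passwords were already in a leaked list. The following is an added example, not 23andMe's code or anything from the article, of the kind of safeguard Zavareei refers to: a small credential-stuffing detector that scores each source address on those properties over constructed login-log lines (the IPs, usernames and thresholds are all assumptions) and returns the accounts that logged in successfully from a flagged source, so they can be forced through a password reset and MFA enrolment before the attacker can use them against data-sharing features.

```python
"""Credential-stuffing detection over constructed login logs (added example).

Normal users retry one account a few times; a stuffing run cycles through many
accounts from one source with a high failure ratio. The detector flags such
sources and lists the accounts that *succeeded* from them, since those are the
accounts the attacker now controls.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real traffic): time, source IP, username, outcome.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.5 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.5 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.5 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.5 frank@example.com FAIL
2023-10-01T10:00:07Z 203.0.113.5 grace@example.com OK
2023-10-01T10:00:08Z 203.0.113.5 heidi@example.com FAIL
2023-10-01T10:01:00Z 198.51.100.7 alice@example.com FAIL
2023-10-01T10:01:05Z 198.51.100.7 alice@example.com FAIL
2023-10-01T10:01:10Z 198.51.100.7 alice@example.com OK
2023-10-01T10:02:00Z 192.0.2.9 bob@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to score a login pattern."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    succeeded: set = field(default_factory=set)  # usernames that logged in


def parse_log(text):
    """Parse 'time ip user outcome' lines into (time, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def aggregate(events):
    """Group events by source IP and accumulate SourceStats for each."""
    stats = defaultdict(SourceStats)
    for _, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(stats, min_distinct_users=5, min_fail_ratio=0.6):
    """Return the sources whose pattern looks like credential stuffing.

    Thresholds are assumptions for the example: many distinct accounts from one
    source plus a high failure ratio. A single user retrying one account, or a
    source with one clean login, does not trip either condition.
    """
    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = s
    return flagged


def accounts_needing_reset(text, **thresholds):
    """Accounts that successfully logged in from a flagged source, sorted."""
    stats = aggregate(parse_log(text))
    flagged = flag_stuffing_sources(stats, **thresholds)
    return sorted(u for s in flagged.values() for u in s.succeeded)


if __name__ == "__main__":
    for ip, s in flag_stuffing_sources(aggregate(parse_log(SAMPLE_LOG))).items():
        print(f"{ip}: {len(s.users)} accounts tried, {s.failures}/{s.attempts} failed")
    print("force reset + MFA for:", accounts_needing_reset(SAMPLE_LOG))
```

On the constructed sample, only 203.0.113.5 is flagged (eight distinct accounts, six of eight attempts failed); the two accounts that succeeded from it are the ones to reset. The user at 198.51.100.7 retrying a single account is left alone, which is the distinction a per-account lockout alone would miss. In production the same aggregation would run over a sliding time window and feed rate limiting, CAPTCHA or MFA step-up rather than a printout.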
In defense, 23andMe’s lawyers argued that the stolen data couldn’t be used for monetary harm, as it did not include critical information such as social security numbers, driver’s license numbers, or financial details. However, Zavareei countered that millions of consumers were impacted by the DNA Relatives feature, and blaming users does not absolve 23andMe of responsibility.
Following the data breach disclosure, 23andMe made several changes. First, it reset all customer passwords and made multi-factor authentication mandatory. According to a report from TechCrunch, the company also amended its terms of service in an apparent effort to make class action lawsuits harder to bring. The lawyers representing the data breach victims called these changes “cynical,” “self-serving,” and a “desperate attempt” to protect the company.