In a lawsuit stemming from a data breach, DNA service provider 23andMe has drawn sharp criticism for its response letter, in which it attempts to pin the blame on the affected customers.
In October 2023, 23andMe, the popular DNA testing company based in Mountain View, California, experienced a data breach. During this incident, hackers exposed the personal information of more than 7 million customers.
Additionally, another hacker attempted to sell genetic records of 23andMe users for $100,000 for a bundle of 100,000 profiles. The information taken by the hackers in the data breach included the following details:
- Birth years
- Some DNA data
- Ancestry reports
- Self-reported locations
- Predicted relationships
- Most recent login dates
- Relationship labels (e.g., “mother,” “cousin”)
- Health-related information based on genetic profiles
- Percentage of DNA shared with DNA Relatives matches
As a consequence of the data breach, 23andMe is facing a lawsuit. In a letter filed in the Circuit Court of Cook County, the company attributed the data breach to customers themselves, contending that the breach occurred because users reused their login credentials.
Specifically, the company claims, users employed the same usernames and passwords on 23andMe as on other websites that had experienced previous security breaches. According to 23andMe, this practice and users’ failure to update their passwords after these incidents were unrelated to any security lapses on 23andMe’s part.
The letter also claims that threat actors could not have caused “pecuniary harm” as it lacked Personal Identifiable Information (PII) data, such as social security number, driver’s license number, or any payment or financial information.
“… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.” “Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been set to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information).”23andMe
It is worth noting that initially, 23andMe claimed only 14,000 accounts were directly compromised, stating the hackers used “credential stuffing“, meaning stolen login credentials from other websites were used to access 23andMe accounts. This led some to criticize the company for suggesting user negligence played a role in the breach.
However, further investigation revealed the attackers accessed information from a much larger number of profiles: 5.5 million DNA Relatives profiles and 1.4 million Family Tree profiles connected to the compromised accounts. While 23andMe still maintains the initial breach involved 14,000 accounts, this broader access to information fueled criticism that the company downplayed the severity of the incident.
It’s important to note that relying solely on passwords is considered a security vulnerability. This is why many experts advocate for two-factor authentication (2FA) as an additional layer of security. Interestingly, 23andMe introduced mandatory 2FA for all users after the breach, suggesting they acknowledged the password-only system wasn’t sufficient.
For insights into 23andMe’s claims, we reached out to Nick Rago, Field CTO at Salt Security, who emphasised that, “In this age of sophisticated social engineering attacks, any claim that a data breach can not cause “pecuniary harm” because it did not consist of social security numbers, driver’s license number, or credit card data has to be done tongue in cheek.”
Nick countered 23andMe’s version of things explaining hackers do not require PII data to harm unsuspecting users, especially with the emergence of deepfake and AI technologies. Nick also warned that revealing genealogy or relationship details can aid attackers in constructing targeted social engineering attacks on both small and large scales.
“Exposing any genealogy or relationship information would be quite useful to an attacker when building a targeted social engineering attack, whether it be targeted at scamming a consumer, stealing an identity, or as a phase of a more sophisticated attack campaign, such as getting privileged system access in a corporate infrastructure,” said Nick.
Erfan Shadabi, Cybersecurity Expert at comforte AG, told Hackread.com, “Attributing the entirety of blame to users is a flawed argument that oversimplifies the complex landscape of cybersecurity. While it is true that users must follow best practices for account safety, companies also must protect the sensitive information that has been entrusted to them. It is admirable that 23andMe has taken the recent step of requiring two-factor authentication (2FA) to strengthen defences against credential-stuffing attacks.”