
23andMe blames “negligent” breach victims, says it’s their own fault

In a surprising move, in a letter to legal representatives of victims of the recent 23andMe data breach, the company has laid the blame at the feet of victims themselves.

23andMe even goes as far as to claim that this wasn’t a data breach at 23andMe at all. The reasoning:

“… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

In other words, it was their own fault since they re-used their passwords for services that were breached in the past. Accessing accounts on a website by using lists of usernames and passwords exposed on another is known as “credential stuffing”, and it’s both common and effective. It works because users often use the same password for multiple websites.

What 23andMe seems to have forgotten is that only 14,000 accounts were breached by credential stuffing. Afterwards, the attackers used those accounts to access a much larger trove of data via 23andMe’s feature called DNA Relatives which matches users with their genetic relatives.

So, in what was only made possible by 23andMe, customers who didn’t re-use their passwords and even had 2FA enabled still saw their data stolen. This resulted in the data of as many as seven million 23andMe customers being offered for sale on criminal forums.

We spoke about the breach in our most recent Lock and Code podcast episode. You can listen to that wherever you get your podcasts, or below:

https://open.spotify.com/episode/4ubXicnijYEyCEAAngDY1F?go=1&sp_cid=badd369a49adcfc92e556cb4bdebcb6d&utm_source=embed_player_p&utm_medium=desktop

This is the second time the company has attempted to downplay the incident. In its first communication about the incident, 23andMe claimed the stolen data did not include genomic sequencing data. Later, the company acknowledged that for a subset of these accounts, the stolen data might indeed contain health-related information based upon the user’s genetics.

The data in a file found by BleepingComputer contained information including 23andMe users’ account IDs, full names, sex, date of birth, DNA profiles, location, and region details.

As a result, at least four class action complaints were submitted in California seeking relief for the damage done by 23andMe’s failure to protect customer data. The lawsuits focus on different failures on 23andMe’s side to guard the safety of sensitive data, communicate appropriately about the incident, and monitor its network for abnormal activity.

In its defense, 23andMe reasons that customers re-used their passwords, gave permission to share data with other users on 23andMe’s platform, and that the medical information was non-substantive.

I put the emphasis on “other users” in order to point out a flaw in 23andMe’s reasoning—agreeing to share with other users is hardly the same as agreeing to share with a data thief. Without knowing the exact details of what happened, we feel that monitoring would indeed have raised alerts about abnormal activity and allowed them to stop the breach earlier. As it seems now, 23andMe only became aware of a problem when someone offered the data up for sale.
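Two of the signals described above, a credential-stuffing source trying many usernames and a compromised account then bulk-reading other users' DNA Relatives profiles, are the kind of abnormal activity that monitoring can surface. The script below is an added illustration, not code from 23andMe or from this post, run over constructed sample events; the thresholds, field layout and account names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real 23andMe logs); IPs are RFC 5737 documentation addresses.
AUTH_EVENTS = [  # (source_ip, username, login_succeeded)
    ("203.0.113.5", "alice", False),
    ("203.0.113.5", "bob", False),
    ("203.0.113.5", "carol", True),   # reused password: a stuffing hit
    ("203.0.113.5", "dave", False),
    ("203.0.113.5", "erin", False),
    ("203.0.113.5", "frank", True),
    ("198.51.100.7", "alice", True),  # ordinary user: one account from one IP
    ("198.51.100.7", "alice", False),
]
# Relative-profile views: 20 ordinary accounts look at 3 matches each; "carol" pulls 100.
VIEW_EVENTS = [(f"user{i}", f"rel{j}") for i in range(20) for j in range(3)]
VIEW_EVENTS += [("carol", f"rel{j}") for j in range(100)]


def stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """Source IPs that tried many distinct usernames with mostly failures -> {ip: (users, ratio)}."""
    tried, outcomes = defaultdict(set), defaultdict(list)
    for ip, user, ok in events:
        tried[ip].add(user)
        outcomes[ip].append(ok)
    flagged = {}
    for ip, users in tried.items():
        ratio = sum(outcomes[ip]) / len(outcomes[ip])  # thresholds are illustrative
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = (len(users), round(ratio, 2))
    return flagged


def scraping_accounts(events, max_ratio=5.0):
    """Accounts whose relative-profile views exceed max_ratio x the median account -> {account: n}."""
    counts = Counter(account for account, _ in events)
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]  # upper median; good enough as a baseline
    return {a: n for a, n in counts.items() if n > max_ratio * median}


def compromised_scrapers(auth_events, view_events):
    """Accounts that logged in from a stuffing source and then bulk-read other users' profiles."""
    hits = stuffing_sources(auth_events)
    suspect = {user for ip, user, ok in auth_events if ok and ip in hits}
    return sorted(a for a in scraping_accounts(view_events) if a in suspect)
```

Either signal alone is worth an alert; the correlation of the two is what would have pointed at the DNA Relatives scraping long before the data showed up for sale.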

Whatever the judges may decide in the end, it’s looking like 23andMe has shown a lot of disregard for its customers’ privacy and the level of sensitivity of the data.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.