23andMe Blames Massive Breach on Poor User Password Practices

Consumer genetics and research company 23andMe is facing multiple lawsuits over a 2023 data breach that went undetected for about five months, and the company’s official response places the blame on poor user password practices.

The company, known for its at-home genetic tests, has confirmed that hackers gained access to the profiles of nearly 7 million customers in 2023, some of which contained detailed, sensitive reports on users’ health. It disclosed the exact types of data stolen in a January data breach notification letter sent to California’s attorney general.

The company is facing more than 30 lawsuits over the breach, which it disclosed in October, and has publicly stated that the blame lies with users, many of whom recycled passwords. A Google survey found that at least 65% of people reuse passwords across multiple sites, if not all of them. In a letter sent to some affected individuals, the company said that “users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe.”

This references 23andMe’s long-standing assessment that attackers compromised roughly 14,000 user accounts through “credential stuffing”: logging in with username and password pairs leaked in breaches of other services, which works whenever people reuse the same credentials across accounts. Because those accounts had opted in to the DNA Relatives feature, the attackers could then scrape profile data of millions of other users whose own passwords had never been exposed, which is how a 14,000-account compromise grew into a breach affecting nearly 7 million profiles. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the company wrote in the letter.
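As an added example (not from the original article and not 23andMe’s code), the detector below shows what credential stuffing looks like from the defender’s side and why it is separable from an ordinary brute force: one source tries many distinct usernames with about one password each, and most attempts fail, whereas a brute force hammers a single username with many passwords. The log format, the IP addresses, the usernames and the thresholds are all constructed for the example.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Credential stuffing: one source, MANY distinct usernames, ~1 password each,
mostly failures (the pairs were leaked by some other site's breach).
Brute force:         one source, ONE username, many passwords, mostly failures.
A LOGIN_OK inside a stuffing spray means a reused password worked and that
account needs a forced reset and session revocation.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
SAMPLE_LOG = """\
2023-05-01T02:10:01Z 198.51.100.7 alice@example.com LOGIN_FAIL
2023-05-01T02:10:02Z 198.51.100.7 bob@example.com LOGIN_FAIL
2023-05-01T02:10:02Z 198.51.100.7 carol@example.com LOGIN_OK
2023-05-01T02:10:03Z 198.51.100.7 dave@example.com LOGIN_FAIL
2023-05-01T02:10:04Z 198.51.100.7 erin@example.com LOGIN_FAIL
2023-05-01T02:10:05Z 198.51.100.7 frank@example.com LOGIN_FAIL
2023-05-01T02:10:05Z 198.51.100.7 grace@example.com LOGIN_OK
2023-05-01T02:10:06Z 198.51.100.7 heidi@example.com LOGIN_FAIL
2023-05-01T08:00:00Z 203.0.113.5 ivan@example.com LOGIN_FAIL
2023-05-01T08:00:01Z 203.0.113.5 ivan@example.com LOGIN_FAIL
2023-05-01T08:00:02Z 203.0.113.5 ivan@example.com LOGIN_FAIL
2023-05-01T08:00:03Z 203.0.113.5 ivan@example.com LOGIN_FAIL
2023-05-01T08:00:04Z 203.0.113.5 ivan@example.com LOGIN_FAIL
2023-05-01T08:00:05Z 203.0.113.5 ivan@example.com LOGIN_FAIL
2023-05-01T09:15:00Z 192.0.2.44 judy@example.com LOGIN_OK
2023-05-01T09:15:30Z 192.0.2.44 judy@example.com LOGIN_OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    taken_over: set = field(default_factory=set)  # users with a LOGIN_OK from this source


def parse(log_text):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue  # skip blank or malformed lines instead of crashing on them
        _ts, ip, user, result = parts
        yield ip, user.lower(), result == "LOGIN_OK"


def aggregate(events):
    """Group attempts by source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.taken_over.add(user)
        else:
            s.failures += 1
    return stats


def classify(s, min_users=5, min_attempts=5, min_fail_ratio=0.5, max_tries_per_user=2.0):
    """Label one source's behaviour. Thresholds are illustrative; tune them to real traffic."""
    if s.attempts < min_attempts:
        return "benign"
    fail_ratio = s.failures / s.attempts
    tries_per_user = s.attempts / len(s.users)
    if len(s.users) >= min_users and fail_ratio >= min_fail_ratio and tries_per_user <= max_tries_per_user:
        return "credential_stuffing"
    if len(s.users) <= 2 and fail_ratio >= min_fail_ratio:
        return "brute_force"
    return "benign"


def detect(log_text):
    """Return {source_ip: (label, sorted accounts the source logged into)}.

    Taken-over accounts are only reported for stuffing sources: those are the
    users whose reused password was accepted and who need a forced reset.
    """
    findings = {}
    for ip, s in aggregate(parse(log_text)).items():
        label = classify(s)
        hits = sorted(s.taken_over) if label == "credential_stuffing" else []
        findings[ip] = (label, hits)
    return findings


if __name__ == "__main__":
    for ip, (label, hits) in detect(SAMPLE_LOG).items():
        print(f"{ip:15} {label:20} {', '.join(hits) or '-'}")
```

Per-IP grouping is the simplest cut; real stuffing campaigns rotate through proxy pools, so production detections usually also group by ASN, user agent or device fingerprint and compare the per-user attempt rate against the site’s baseline rather than a fixed number.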

One of the biggest lawsuits, filed in San Francisco in January, accused the company of failing to notify customers with Chinese and Ashkenazi Jewish heritage that they appeared to have been specifically targeted, or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.

As reported by TechCrunch, the company learned about the breach on October 1, when a hacker posted on an unofficial 23andMe subreddit claiming to have customer data and sharing a sample as proof.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing victims who received the letter, told TechCrunch. “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

A strong, unique password is essential to online security and to preventing identity theft and other cybercriminal activity. Consumers cannot stop a company from being breached, but good password habits keep a password leaked from one site from unlocking their accounts elsewhere. Here are a few tips:

  • Use a password manager, so every account can have its own long, random password
  • Avoid common words and predictable character combinations in your passwords
  • Don’t recycle passwords, and change any password that appears in a breach of another service
  • Use two-factor authentication, which blocks a login even when the password is already known

Enfortra has re-imagined identity protection by providing the largest array of products and services found anywhere. And our new PII removal product, MyPrivacy360, removes personal information from the web.