23andMe attributes the data leak to its customers, amidst a growing number of lawsuits.

23andMe is further damaging its reputation in its effort to contain the fallout from the disastrous user data leak. The company is both blaming its own consumers for last year’s breach and suggesting there was never a severe breach in the first place. The company’s at-home DNA test kits allow users to trace their genealogy and genetically encoded health concerns.

The leak became widely known in early October 2023, when 23andMe revealed that “particular 23andMe customer profile information was compiled through access to individual 23andMe.com accounts.” According to preliminary investigations, attackers gained access to 14,000 user accounts—which contain personal information such as family trees, health forecasts, and genetic information—by trying passwords that had most likely been exposed in prior, unrelated security incidents (a credential-stuffing attack). The perpetrators promptly listed the stolen data for sale, charging between $1 and $10 per user profile. While the profiles lacked complete genetic test results, they did contain the users’ names, birth years, and ancestry details.

The problem with genetic data, though, is that it is inherently shared: one person’s profile reveals information about their relatives. According to a December 23andMe filing, after breaching the first 14,000 user accounts, threat actors were able to harvest profile data from 6.9 million additional users through the website’s DNA Relatives and Family Tree features. 23andMe is now using these findings to shift responsibility onto the users whose accounts were compromised first.

In a letter to a group of clients accusing the business of carelessness and other privacy transgressions, 23andMe attributes hackers’ access to its databases to individuals who used weak passwords. The letter states: “23andMe believes that unauthorized actors were able to access certain user accounts in cases where users recycled their own login credentials—that is, users recycled and failed to update their passwords after these past security incidents, which are unrelated to 23andMe—on 23andMe.com as well as on other websites that had been subject to prior security breaches. Therefore, 23andMe’s purported inability to maintain appropriate security measures in accordance with the [California Privacy Rights Act] did not cause the incident.”

“If a violation occurred, it has been remediated,” according to 23andMe’s letter. Even though it is likely that at least some customer data is still for sale, the corporation treats resetting active logged-in user sessions and advising consumers to enable two-factor authentication as sufficient remediation. It argues that the stolen data “could not have been used to cause pecuniary harm” because it did not contain any financial or social security information belonging to the victims.

It seems unlikely that the letter will be favorably received in any of the thirty cases pertaining to the 23andMe breach. Attorney Hassan Zavareei for the plaintiffs claimed in an email to TechCrunch that 23andMe had “apparently decided to leave its customers out to dry while downplaying the seriousness” of the breach.
