(RepublicanNews.org) – 23andMe, a company focused on genetic testing and genealogical research, is facing a class action lawsuit after a major data breach exposed users’ data. The company is blaming the breach on customers who chose to recycle passwords on its website.
In a response letter to the lawyers representing some of the customers whose data was compromised, the company claimed that no breach happened under California Privacy Rights Act provisions because the users who were targeted used old login credentials previously exposed in breaches on other websites. According to the letter, this tactic is called “credential stuffing.”
The incident was first revealed in October of last year, and 23andMe immediately took the position that “unauthorized actors” were able to “access certain user accounts” belonging to those who “recycled their own login credentials” on the DNA firm’s website that were also used “on other websites” which experienced previous security breaches. The company called the decision by users negligent and claimed their failure “to update their passwords” after past breaches “unrelated to 23andMe” is their own fault.
Roughly 14,000 user accounts were accessed in the initial incident, and hackers then used those accounts to access data from up to 6.9 million other users, including 5.5 profiles of DNA relatives and family trees linked to those accounts. The company confirmed in December that it has up to 14 million profiles registered in its DNA database.
Hassan Zavareei, one of the attorneys representing customers affected by the breach, said in a statement that 23andMe is apparently deciding to throw its customers under the bus and downplay “the seriousness” of the events “rather than acknowledge its role” in the “security disaster.” Zavareei also noted that “millions of consumers” were impacted by the breach “through the DNA Relatives feature” on the company’s platform, and that none of those users “used recycled passwords.”
Since the incident, 23andMe has updated its security protocols to include a two-factor authentication system for new and existing customers. The company also made all existing users reset their passwords.
Copyright 2024, RepublicanNews.org