23andMe Blames The Victims

Uploaded on 2024-01-05 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Hackers

The genomics company, 23andMe, is facing over 30 law suits from victims of its massive data hack and is now telling the victims that it was their problem.  News of the breach first became known last October, when customer data was posted for sale on the Dark Web

It turn out that 23andMe is currently being sued by a numerous individual victims of the attack since the  user accounts of almost 7 million users were compromised by cyber criminals in a major breach .  

In December 2023, 23andMe had said that hackers had stolen genetic and ancestry data from 6.9m users, nearly 50% of its customers.  To date, 23andMe has been unable to identify brute force and credential stuffing access of 14,000 accounts.

The data breach started with hackers accessing about 14,000 user accounts by hitting accounts with customer passwords a technique known as credential stuffing. From these initial victims, hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

By hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

In a letter sent to a group of 23andMe users who are now suing the company, the company said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe... Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Lawyers defending the victims who received the letter from 23andMe, reportedly claim that the company has chosen to downplay the gravity of these events while abandoning its consumers rather than taking responsibility for its part in this data security incident. “This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing, especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” commented Hassan Zavareei, one of the attorneys involved 

According to reports, at least one 23andMe customers is unhappy that the company is "attempting to hide from consequences instead of helping its customers.”

23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims and that after disclosing the breach, all customer passwords were reset and all users and instructed  to use multi-factor authentication, something that was only optional before the breach.

23andMe:     YCombinator:      TechTimes:     Gizmodo:   Techcrunch:    The Verge:    Law.com:

Hassan Zavareei:      Skeptic Society:       Image:  DeepMind

You Might Also Read: 

Cybersecurity Risk Management In The Real World:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« EU Updates Its Cyber Solidarity Act
Winning The Battle Against Ransomware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Imperva

Imperva

Imperva is a leading provider of data and application security solutions including DDoS protection, Web application security, Data security and Cloud security.

Mako Group

Mako Group

The Mako Group specializes in protection - providing security through auditing, testing, and assessments. And, we do it all with the highest quality standards possible.

Cristie Data

Cristie Data

Cristie have been a trusted, innovative and leading edge data storage, backup and virtualisation solutions provider across all sectors of industry for over 40 years.

Australian Cyber Security Centre (ACSC)

Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together into a single location.

Guardea Cyberdefense

Guardea Cyberdefense

Guardea Cyberdefense is an IT services company specializing in the management of security projects, with a pool of skills selected from a network of specialized partners.

National Institute of Information and Communications Technology (NICT)

National Institute of Information and Communications Technology (NICT)

NICT is Japan’s sole National Research and Development Agency specializing in the field of information and communications technology.

ISMS Accreditation Center (ISMS-AC)

ISMS Accreditation Center (ISMS-AC)

ISMS-AC is the national accreditation body for Japan. The directory of members provides details of organisations offering certification services for ISO 27001.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

BeyondTrust

BeyondTrust

BeyondTrust is a leader in Privileged Access Management, offering a seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access.

ARCON

ARCON

ARCON offers a proprietary unified governance framework, which addresses risk across various technology platforms.

US Coast Guard Cyber Command

US Coast Guard Cyber Command

US Coast Guard Cyber Command’s focus is to ensure the security of our cyberspace, maintain superiority over our adversaries,and safeguard our Nation’s critical maritime infrastructure.

Oleria Security

Oleria Security

Oleria is the only adaptive and autonomous security solution that helps organizations accelerate at the pace of change, trusting that data is protected.

Cyphershield

Cyphershield

Cypershield is a Security and Smart Contract audit company providing professional smart contract auditing services for varied Crypto projects.

CyberSalus

CyberSalus

CyberSalus is a pioneering cyber tech services company dedicated to protecting the digital integrity of healthcare organizations.

Layer 8 Security

Layer 8 Security

Layer 8 Security is a cybersecurity advisory, consulting, and technical services firm that arms businesses with practical compliance, risk management, and security program strategies.

SteelGate

SteelGate

SteelGate’s core capabilities are centered around architecture design and engineering of network, systems, and cybersecurity solutions.