23andMe Blames The Victims

Uploaded on 2024-01-05 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Hackers

The genomics company, 23andMe, is facing over 30 law suits from victims of its massive data hack and is now telling the victims that it was their problem.  News of the breach first became known last October, when customer data was posted for sale on the Dark Web

It turn out that 23andMe is currently being sued by a numerous individual victims of the attack since the  user accounts of almost 7 million users were compromised by cyber criminals in a major breach .  

In December 2023, 23andMe had said that hackers had stolen genetic and ancestry data from 6.9m users, nearly 50% of its customers.  To date, 23andMe has been unable to identify brute force and credential stuffing access of 14,000 accounts.

The data breach started with hackers accessing about 14,000 user accounts by hitting accounts with customer passwords a technique known as credential stuffing. From these initial victims, hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

By hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

In a letter sent to a group of 23andMe users who are now suing the company, the company said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe... Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Lawyers defending the victims who received the letter from 23andMe, reportedly claim that the company has chosen to downplay the gravity of these events while abandoning its consumers rather than taking responsibility for its part in this data security incident. “This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing, especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” commented Hassan Zavareei, one of the attorneys involved 

According to reports, at least one 23andMe customers is unhappy that the company is "attempting to hide from consequences instead of helping its customers.”

23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims and that after disclosing the breach, all customer passwords were reset and all users and instructed  to use multi-factor authentication, something that was only optional before the breach.

23andMe:     YCombinator:      TechTimes:     Gizmodo:   Techcrunch:    The Verge:    Law.com:

Hassan Zavareei:      Skeptic Society:       Image:  DeepMind

You Might Also Read: 

Cybersecurity Risk Management In The Real World:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« EU Updates Its Cyber Solidarity Act
Winning The Battle Against Ransomware »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

European Council on Foreign Relations (ECFR)

European Council on Foreign Relations (ECFR)

ECFR is a pan-European think-tank conducting research and promote informed debate on European foreign policy. Cyber security is becoming an intrinsic element of foreign policy debate.

ITrust

ITrust

French cybersecurity pure player since 2007. ITrust offers its Cyber expertise services and develops disruptive products in Cyber/Artificial Intelligence.

IBA Security

IBA Security

IBA Security is a center of competence consolidating the cybersecurity expertise of the IBA Group.

NJVC

NJVC

NJVC delivers IT automation, optimization and security to empower mission-enabling IT for customers with secure requirements.

GAVS Technologies

GAVS Technologies

GAVS is a global IT services provider with focus on AI-led Managed Services and Digital Transformation.

ACSG Corp

ACSG Corp

ACSG Corp is a Critical Infrastructure Protection Company with a multi-disciplinary focus on building analytics software for various industry sectors.

Auvik Networks

Auvik Networks

Auvik is easy-to-use cloud-based networking management and monitoring software - true network visibility and control without the hassle.

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL) is the largest integrated Information Communication Technology (ICT) company of Pakistan.

V3 Cybersecurity

V3 Cybersecurity

V3 Cybersecurity is a unique company focused on contextualization of security programs from a business perspective. Our mission is to provide enterprise IT Risk Management capabilities.

Protega

Protega

Protega is a company specialized in Managed Cybersecurity Services (MSS) & SOC 24×7; management, risk & compliance (GRC); implementation of data protection technologies; and Red Team services.

Nightwing

Nightwing

Nightwing is the intelligence services company that continually redefines the edge of the possible to keep advancing our national security interests.

Compugen Systems Inc (CSI)

Compugen Systems Inc (CSI)

Compugen Systems is an IT service delivery company that focuses on enabling your business outcomes.

Southern Cyber

Southern Cyber

At Southern Cyber, our mission is to deliver world-class information security solutions that align businesses with leading security frameworks and compliance standards.

Operant Networks

Operant Networks

Operant Networks mission is to provide Operational Technology (OT) teams with solutions that simplify their increasingly complex worlds.

Platview Technologies

Platview Technologies

Platview Technologies is an innovative and agile cybersecurity company with the goal of safe-guarding businesses with our world-class, industry-leading services and technology solutions.

Western Balkans Cyber Capacity Centre (WB3C)

Western Balkans Cyber Capacity Centre (WB3C)

WB3C is a programme founded by France, Slovenia and Montenegro with the mission of building a secure and connected Western Balkans region through enhancing its cyber capabilities and resilience.