23andMe Blames The Victims

Uploaded on 2024-01-05 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Hackers

The genomics company, 23andMe, is facing over 30 law suits from victims of its massive data hack and is now telling the victims that it was their problem.  News of the breach first became known last October, when customer data was posted for sale on the Dark Web

It turn out that 23andMe is currently being sued by a numerous individual victims of the attack since the  user accounts of almost 7 million users were compromised by cyber criminals in a major breach .  

In December 2023, 23andMe had said that hackers had stolen genetic and ancestry data from 6.9m users, nearly 50% of its customers.  To date, 23andMe has been unable to identify brute force and credential stuffing access of 14,000 accounts.

The data breach started with hackers accessing about 14,000 user accounts by hitting accounts with customer passwords a technique known as credential stuffing. From these initial victims, hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

By hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

In a letter sent to a group of 23andMe users who are now suing the company, the company said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe... Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Lawyers defending the victims who received the letter from 23andMe, reportedly claim that the company has chosen to downplay the gravity of these events while abandoning its consumers rather than taking responsibility for its part in this data security incident. “This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing, especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” commented Hassan Zavareei, one of the attorneys involved 

According to reports, at least one 23andMe customers is unhappy that the company is "attempting to hide from consequences instead of helping its customers.”

23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims and that after disclosing the breach, all customer passwords were reset and all users and instructed  to use multi-factor authentication, something that was only optional before the breach.

23andMe:     YCombinator:      TechTimes:     Gizmodo:   Techcrunch:    The Verge:    Law.com:

Hassan Zavareei:      Skeptic Society:       Image:  DeepMind

You Might Also Read: 

Cybersecurity Risk Management In The Real World:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« EU Updates Its Cyber Solidarity Act
Winning The Battle Against Ransomware »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Associates (CSA)

Cyber Security Associates (CSA)

Cyber Security Associates provides cyber consultancy and cyber managed services which help to detect, protect and educate against the ever-changing cyber threat.

Basis Technology

Basis Technology

Basis Technology provides software solutions for text analytics, information retrieval, digital forensics, and identity resolution.

ThreatSTOP

ThreatSTOP

ThreatSTOP is a cloud-based automated threat intelligence platform that converts the latest threat data into enforcement policies to stop attacks before they become breaches.

Romanian Association for Information Security Assurance (RAISA)

Romanian Association for Information Security Assurance (RAISA)

RAISA promotes and supports information security activities and creates a community for the exchange of knowledge between specialists, academic and corporate environment in Romania.

Drootoo

Drootoo

Drootoo is transforming businesses and making them high performing entities with its unified cloud platform.

Kinnami Software

Kinnami Software

Kinnami is a data security company that equips organizations with the tools they need to secure and protect highly confidential documents and data.

Motorola Solutions

Motorola Solutions

Motorola Solutions build mission-critical services, software, video and analytics, backed by secure, resilient land mobile radio communications.

Aigner Business Solutions

Aigner Business Solutions

Aigner Business Solutions GmbH is a specialist in IT-Security and Data Protection. Concise and focussed.

TotalAV

TotalAV

TotalAV Antivirus is a free-to-use app packed with all the essential features to find and remove malware, keeping you safe.

TokenEx

TokenEx

TokenEx Cloud Security Platform protects sensitive data to strengthen our clients' security postures while future-proofing their operations.

Sekur Private Data

Sekur Private Data

Sekur Private Data Ltd. is a Cybersecurity and Internet privacy provider of Swiss hosted solutions for secure communications and secure data management.

Siometrix

Siometrix

Siometrix addresses digital identity fraud. It steals your attacker's time and prevents many prevalent attack vectors.

ReachOut Technology

ReachOut Technology

ReachOut is a transformative approach to IT Security, Support, and Guidance. But we’re more than that. We’re passionate IT experts driven to make solutions to your problems.

ARGOS Cloud Security

ARGOS Cloud Security

ARGOS aims to simplify and strengthen cloud security, by creating a visual map of security vulnerabilities, to your priceless information stored in any cloud provider environment.

ABPCyber

ABPCyber

ABPCyber offers holistic cybersecurity solutions spanning DevSecOps, advisory and consultancy, designing and integration, managed operations, and cybersecurity investment optimization.

NST Cyber

NST Cyber

NST Cyber provides comprehensive Threat Exposure Management to Global banks and Forbes 2000 companies.