23andMe says users’ poor cyber hygiene to blame for data breach


January 05, 2024


Following the massive data breach that exposed the genetic and ancestry data of 6.9 million 23andMe customers, the DNA testing company is now pointing the finger toward the victims in an attempt to come out unscathed from more than 30 lawsuits.

According to a letter sent to plaintiffs who have taken legal action against 23andMe, the genetics company blames customers for being negligent and failing to use unique passwords for their accounts. Moreover, the document meticulously put together by 23andMe’s lawyers claims that a breach never occurred.

“As a preliminary matter, the plaintiffs you purport to represent were not affected by any security breach under CPRA,” reads a copy of the letter shared with TechCrunch.

“As set forth in 23andMe’s October 6, 2023 blogpost, 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials – that is, users used the same username and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” 23andMe added.

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

Making matters worse, the company also said the information that may have been accessed “cannot be used for any harm.”

However, cybercriminals could use the exposed information (also leaked on a data breach forum in October 2023) to conduct highly targeted social engineering schemes against users, which can lead to financial losses and fraud.

We strongly urge all internet users who find it difficult to keep up with recommended password hygiene practices to opt for a password manager and to use any additional security measures, such as enabling 2FA or MFA, whenever available.

A dedicated identity protection solution such as Bitdefender Digital Identity Protection can also considerably help you improve your privacy and help you immediately take action in the aftermath of a breach. Key features include:

- Comprehensive dashboard where you can get an extensive overview of all your personal data, even traces from services you no longer use

- 24/7 monitoring of your data on both the public and Dark Web, immediately notifying you of incidents that may involve your information

- Simple, 1-click action items to instantly shut down any weak spots in your digital footprint




Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.
