
DNA analysis firm 23andMe blames victims for massive leak of genetic, ancestry data

Victims launch 30 lawsuits against 23andMe after the genetic data of almost 7 million people was compromised

The breach affected a total of 6.9 million people, compromising their sensitive genetic information and ancestry details

A DNA and ancestry testing company is facing over 30 lawsuits after admitting last year that hackers stole genetic data belonging to nearly half its customer base.

According to a letter sent to a group of victims, the company claims users were at fault for reusing passwords, though privacy advocates quoted in several reports say this deflects responsibility away from the company.

23andMe analyses customer DNA against one of the largest collections of genetic reference samples to provide ancestry reports. They claim to offer some of the most precise ancestral breakdowns in the direct-to-consumer genetics industry. The company’s proprietary algorithms generate ancestry estimates by calculating likelihood based on DNA comparisons. It provides users with information on their traits – such as eye and hair colour – their ethnic breakdown, and probability of contracting certain health conditions.

23andMe’s latest update on the massive data breach reads, “In early October, we learned that a threat actor accessed a select number of individual 23andMe.com accounts through a process called credential stuffing. That is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available.”

The hacking incident impacted 6.9 million people in December 2023, when attackers accessed sensitive genetic information as well as ancestry details. While just 14,000 accounts were directly accessed initially, the hackers were then able to scrape additional data from millions of related user profiles due to an optional feature allowing relatives to link accounts (23andMe’s DNA Relatives feature).
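As an added illustration (not code from the article or from 23andMe), here is a defender's view of the two access patterns described above, credential stuffing against the login endpoint and bulk scraping through a relative-linking feature, run over constructed audit-log lines; the JSON-lines log format, its field names and the thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data). One IP tries five different
# usernames and succeeds once; the hijacked account then pages through
# relatives' profiles in bulk. A benign user logs in once and views a few.
SAMPLE_LOG = """
{"ts":"2023-10-01T10:00:01","event":"login","src_ip":"203.0.113.5","user":"u1@example.test","ok":false}
{"ts":"2023-10-01T10:00:02","event":"login","src_ip":"203.0.113.5","user":"u2@example.test","ok":false}
{"ts":"2023-10-01T10:00:03","event":"login","src_ip":"203.0.113.5","user":"u3@example.test","ok":false}
{"ts":"2023-10-01T10:00:04","event":"login","src_ip":"203.0.113.5","user":"u4@example.test","ok":false}
{"ts":"2023-10-01T10:00:05","event":"login","src_ip":"203.0.113.5","user":"bob@example.test","ok":true}
{"ts":"2023-10-01T10:01:00","event":"login","src_ip":"198.51.100.9","user":"alice@example.test","ok":true}
{"ts":"2023-10-01T10:05:00","event":"relatives_view","src_ip":"203.0.113.5","user":"bob@example.test","count":25}
{"ts":"2023-10-01T10:15:00","event":"relatives_view","src_ip":"203.0.113.5","user":"bob@example.test","count":25}
{"ts":"2023-10-01T10:25:00","event":"relatives_view","src_ip":"203.0.113.5","user":"bob@example.test","count":25}
{"ts":"2023-10-01T11:00:00","event":"relatives_view","src_ip":"198.51.100.9","user":"alice@example.test","count":10}
"""

def parse(log_text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]

def flag_credential_stuffing(events, min_users=5, max_success_ratio=0.3):
    """Source IPs that try many distinct usernames with a low success rate."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for e in events:
        if e["event"] != "login":
            continue
        s = per_ip[e["src_ip"]]
        s["users"].add(e["user"]); s["total"] += 1; s["ok"] += int(e["ok"])
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users and s["ok"] / s["total"] <= max_success_ratio)

def flag_relative_scraping(events, max_profiles=50, window_minutes=60):
    """Accounts that pull more relatives' profiles than a person plausibly reads per window."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "relatives_view":
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["count"]))
    flagged = []
    for user, views in per_user.items():
        views.sort()
        start, running = 0, 0
        for t, count in views:                      # sliding window over time-ordered views
            running += count
            while (t - views[start][0]).total_seconds() > window_minutes * 60:
                running -= views[start][1]; start += 1
            if running > max_profiles:
                flagged.append(user); break
    return sorted(flagged)
```

Rate-limiting relative-profile views per account would cut the amplification that turned a few thousand stuffed accounts into millions of exposed profiles.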

In a notice to hundreds now suing, the DNA company alleged “users negligently recycled and failed to update their passwords following these past security incidents.” They argued this meant the breach was “not a result of [their] alleged failure to maintain reasonable security measures.”

However, the lawyer representing victims, Hassan Zavareei, told TechCrunch that this was “shameless finger pointing,” adding that most people reuse credentials, so providers storing sensitive medical and identity data should implement protections against hacking techniques.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.

After the breach was disclosed last year, the company reset all passwords and mandated multi-factor authentication. However, their legal battles have escalated as over 30 class action lawsuits have now been filed against them.
