Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch.
“Rather than recognize its role in this data security catastrophe, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
From these 14,000 initial victims, however, the hackers were then able to access the personal data of the other 6.9 million victims because they had opted in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.
In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped the personal data of another 6.9 million customers whose accounts were not directly hacked.
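The credential-stuffing pattern described above (one source trying many different accounts, about one attempt each, mostly failing) can be told apart from single-account brute forcing and from ordinary typos in login records. The following is an added example, not code from the article or from 23andMe; the log format, thresholds, function names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, assumed format: "timestamp source_ip username result".
SAMPLE = (
    # One source, ten different accounts, one try each, one hit: stuffing.
    [f"2024-01-01T10:00:{i:02d}Z 203.0.113.7 user{i} {'OK' if i == 3 else 'FAIL'}"
     for i in range(10)]
    # One source hammering a single account: brute force, a different pattern.
    + [f"2024-01-01T10:01:{i:02d}Z 198.51.100.9 carol FAIL" for i in range(6)]
    # A legitimate user mistyping once, then logging in.
    + ["2024-01-01T10:02:00Z 192.0.2.44 dave FAIL",
       "2024-01-01T10:02:09Z 192.0.2.44 dave OK"]
)

def parse(line):
    """Split one event line into (source_ip, username, succeeded)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"

def find_stuffing(lines, min_users=5, max_tries_per_user=2.0, min_fail_ratio=0.8):
    """Return {source_ip: [accounts that logged in successfully]} for sources
    whose traffic looks like credential stuffing.

    Assumes `lines` already covers a single time window. Grouping by IP is a
    simplification: distributed attacks need grouping by other signals too.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ip, user, ok = parse(line)
        by_ip[ip].append((user, ok))

    findings = {}
    for ip, events in by_ip.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        if (len(users) >= min_users                               # many accounts
                and len(events) / len(users) <= max_tries_per_user  # few tries each
                and fails / len(events) >= min_fail_ratio):         # mostly failing
            # Successful logins from a flagged source are the accounts to
            # lock, reset and review for data access.
            findings[ip] = sorted({u for u, ok in events if ok})
    return findings

if __name__ == "__main__":
    print(find_stuffing(SAMPLE))
```

The accounts returned for a flagged source are the ones that matter most for response, since each successful login also exposes whatever other users have shared with that account.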
But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.
Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach.
“This finger pointing is laughable. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — particularly considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Zavareei said in an email.
“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose information was compromised through no fault of their own whatsoever,” said Zavareei.
In response to 23andMe’s letter, Dante Termohs, a 23andMe customer who was affected by the data breach, told TechCrunch that he found “it appalling that 23andMe is trying to hide from consequences instead of helping its customers.”
23andMe’s lawyers argued that the stolen information cannot be used to inflict pecuniary harm against the victims.
“The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause monetary harm (it did not include their social security number, driver’s license number, or any payment or financial information),” the letter reads.
23andMe and one of its lawyers did not respond to TechCrunch’s request for comment.
After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.
In an attempt to pre-empt the inevitable class action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to band together when filing a legal claim against the company. Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving” and “a desperate attempt” to protect itself and discourage customers from going after the company.
Clearly, the changes didn’t stop what is now a flurry of class action lawsuits.