23andMe Pins Blame For Massive Data Breach On Millions Of Victims Recycling Passwords

In December of last year, genetic testing company 23andMe suffered a significant data breach. Since then, the company has been dealing with the fallout, which includes several class action lawsuits from customers whose data was compromised. Now, however, 23andMe is shifting some of the blame for the attack and the resulting data loss onto its customers.

23andMe's data breach was reported on December 1st in a Securities and Exchange Commission filing. The breach reportedly affected 6.9 million customers, though only a small subset, approximately 14,000 accounts, was actually compromised directly. The far larger number was reached through a 23andMe feature called “DNA Relatives,” which links a user to other potentially related users and reveals some information about them. That connected information could include uploaded photos, geographic location, birth year, and family tree data, among other things.

At that time, 23andMe explained that the initial 14,000 customers were compromised because of “old passwords” which “customers had also used on other sites that were then compromised.” With the lawsuits pending, 23andMe is changing its tune and shifting some of the responsibility onto the affected users themselves. TechCrunch reports that in a legal letter one of the victims received, 23andMe states that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.” Therefore, the company argues, the issue does not relate to 23andMe’s “alleged failure to maintain reasonable security measures.”

Of course, it is highly recommended that consumers use unique passwords across different sites, as well as additional security measures such as two-factor authentication where possible. However, 23andMe likely had, or should have had, the capability to detect credential stuffing attacks and improper data access. While the blame is shared, the organization centralizing the data should likely take the bulk of it, rather than the consumers who, while not exercising due diligence, did not do anything wrong.
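As an added illustration of the detection capability discussed above (example code written for this page, not 23andMe's own systems), the following Python flags two signals on constructed, hypothetical log records: one source address trying many distinct usernames with mostly failed logins, and one account pulling far more DNA Relatives profiles than a normal user would. The thresholds are assumed placeholders, not values from the article.

```python
from collections import defaultdict

# Constructed sample records (hypothetical, not real 23andMe data):
# (source_ip, username, event, detail). For "login", detail is "success"/"fail";
# for "relatives_view", detail is the id of the relative profile viewed.
SAMPLE_LOGS = [
    ("203.0.113.7", "alice", "login", "fail"),
    ("203.0.113.7", "bob", "login", "fail"),
    ("203.0.113.7", "carol", "login", "success"),
    ("203.0.113.7", "dave", "login", "fail"),
    ("203.0.113.7", "erin", "login", "fail"),
    ("203.0.113.7", "frank", "login", "fail"),
    ("198.51.100.2", "alice", "login", "fail"),   # ordinary typo, then success
    ("198.51.100.2", "alice", "login", "success"),
]
# One compromised account then pulling far more relative profiles than normal.
SAMPLE_LOGS += [("203.0.113.7", "carol", "relatives_view", f"profile-{i}") for i in range(600)]


def detect_credential_stuffing(logs, min_usernames=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A legitimate user logs in to one or two accounts from an address; a
    stuffing run walks a long list of leaked username/password pairs.
    Thresholds are assumed placeholders.
    """
    attempts = defaultdict(list)          # ip -> list of (username, outcome)
    for ip, user, event, detail in logs:
        if event == "login":
            attempts[ip].append((user, detail))
    flagged = {}
    for ip, tries in attempts.items():
        usernames = {u for u, _ in tries}
        successes = sum(1 for _, o in tries if o == "success")
        rate = successes / len(tries)
        if len(usernames) >= min_usernames and rate <= max_success_rate:
            flagged[ip] = {"usernames": len(usernames), "success_rate": round(rate, 2)}
    return flagged


def detect_mass_profile_access(logs, max_profiles=500):
    """Flag accounts viewing an implausible number of distinct relative profiles."""
    viewed = defaultdict(set)             # username -> set of profile ids
    for _, user, event, detail in logs:
        if event == "relatives_view":
            viewed[user].add(detail)
    return {u: len(p) for u, p in viewed.items() if len(p) > max_profiles}


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOGS))  # {'203.0.113.7': {'usernames': 6, 'success_rate': 0.17}}
    print(detect_mass_profile_access(SAMPLE_LOGS))  # {'carol': 600}
```

In a real deployment both checks would run over a sliding time window and feed rate limiting or step-up authentication rather than just printing.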

It will be interesting to see how this plays out in the court system, as it could end up being a landmark case. It could determine where fault lies in some data breaches, especially those in which threat actors reuse usernames and passwords leaked from other sources to steal data, as happened here.