23andMe blames victims for massive data breach

04 January 2024


Millions of users' DNA

DNA testing outfit 23andMe, facing over 30 lawsuits from victims of its vast data breach, is trying to dodge the blame by pointing the finger at the victims, a letter seen by TechCrunch reveals.

One of the lawyers for the victims, Hassan Zavareei, told TechCrunch that 23andMe was refusing to admit its role in this data security nightmare, leaving its customers high and dry while playing down the seriousness of these events.

In December, 23andMe confessed that hackers had nicked the genetic and ancestry data of 6.9 million users -- nearly half of all its customers. The data breach began with hackers getting into 14,000 user accounts. The hackers forced their way into this first batch of victims by logging in with email and password combinations that had already leaked in earlier breaches elsewhere and that the customers had reused on 23andMe, a trick called credential stuffing.

But from these 14,000 first victims, the hackers then reached the personal data of the other 6.9 million victims, because those victims had signed up for 23andMe's DNA Relatives feature.

This optional feature lets customers share some of their data with people who are their relatives on the platform. In other words, by hacking into only 14,000 customers' accounts, the hackers pinched the personal data of another 6.9 million customers whose accounts they did not hack directly.

In a letter sent to hundreds of 23andMe users who are now suing the company, 23andMe said that "users stupidly reused and did not update their passwords after these past security incidents, which have nothing to do with 23andMe."

"So, the incident was not because 23andMe failed to keep reasonable security measures," the letter says.

23andMe's lawyers claimed that the stolen data could not be used to cause financial damage to the victims.

"The information the hacker might have got cannot be used for harm. As we said in the October 6, 2023 blog post, the profile information that the hacker might have seen was about the DNA Relatives feature, which a customer makes and chooses to share with other users on 23andMe's platform. This information would only be there if the victims chose to share this information with other users through the DNA Relatives feature. Also, the information the hacker might have got about the victims could not have been used to cause money harm (it did not have their social security number, driver's license number, or any payment or financial information)," the letter read.

Zavareei said: "This blaming is nonsense. 23andMe knew or should have known that many customers use reused passwords. So 23andMe should have used some of the many ways to protect against credential stuffing - especially as 23andMe keeps personal identifying information, health information, and genetic information on its platform."

"The breach hit millions of customers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used reused passwords," added Zavareei.

"Of those millions, only a few thousand accounts were hacked because of credential stuffing. 23andMe's attempt to avoid responsibility by blaming its customers does nothing for these millions of customers whose data was hacked through no fault of their own."

Last modified on 04 January 2024