DNA testing firm 23andMe has argued the victims are responsible for the breach of highly sensitive genomics data on its systems last year.
In a written reply to Tycko & Zavareei LLP, a law firm representing victims of the breach in a class action lawsuit filed in the courts in November 2023, 23andMe accused users whose accounts were accessed of “negligently” recycling and failing to update their passwords.
The DNA testing firm argued this allowed the attackers to launch a credential stuffing campaign using usernames and passwords accessed in separate breaches.
23andMe Argues its Case
“23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials – that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company stated in the letter dated December 11, 2023, that was sent to TechCrunch.
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA [California Privacy Rights Act],” 23andMe added.
In the incident, which took place in October 2023, nearly 7 million customers’ information was accessed, including a significant number of files containing information about some users’ genealogy, such as ethnicity and ancestry.
The hackers initially accessed around 14,000 user accounts via the credential stuffing campaign.
They then used this information to access the personal data of 6.9 million users who had opted into 23andMe’s DNA Relatives feature, in which customers automatically share some of their data with people who are considered their relatives on the platform.
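The credential stuffing stage described above has a recognisable shape in a site's own authentication logs: one source cycling through many distinct usernames with a high failure rate and an occasional success. The following is an added example, not 23andMe's code or anything from the lawsuit; the log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

The log format (timestamp, source IP, username, outcome) and the threshold
values are assumptions made for this illustration, not 23andMe's.
"""
from collections import defaultdict

# Constructed sample log lines: one IP works through many usernames with
# mostly failures (a stuffing run), while a second IP is an ordinary user
# mistyping their own password twice before succeeding.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:00:07Z 203.0.113.7 grace@example.com OK
2023-10-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:01:00Z 198.51.100.20 ivan@example.com FAIL
2023-10-01T10:01:05Z 198.51.100.20 ivan@example.com FAIL
2023-10-01T10:01:09Z 198.51.100.20 ivan@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, ip, user, outcome = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"}


def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that look like credential stuffing.

    A source is flagged when it has tried at least `min_users` distinct
    usernames and at least `min_fail_ratio` of its attempts failed. The
    usernames that nevertheless succeeded are reported so they can be
    forced through a password reset and session invalidation.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "fails": 0, "hits": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["ok"]:
            s["hits"].add(ev["user"])
        else:
            s["fails"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The ordinary user at 198.51.100.20 is not flagged because they only ever tried their own account. One caveat a practitioner would add: stuffing tools commonly spread attempts across many proxy IPs, so a per-IP threshold like this one needs to be paired with a site-wide view (overall login failure rate against its baseline, or logins to an account from an IP never seen for it before).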
23andMe claimed in the letter that there was also no case as the victims had elected to share their information with other users by opting into the DNA Relatives feature.
Additionally, the company said that the information the attacker potentially accessed couldn’t be used to cause “pecuniary harm” as it didn’t include their social security number, driver’s license number or any payment details.
23andMe’s Stance Criticized
In the lawsuit filing, Bacus v 23andMe, Inc., the plaintiff alleges the DNA testing firm did not take reasonable measures to secure user accounts, which resulted in the breach.
Since the incident, 23andMe confirmed it has added new security measures to protect user accounts. These include logging out all active sessions, requiring a password reset on all user accounts and requiring all customers to use two-factor authentication.
Industry experts quickly criticized 23andMe’s assertion that the victims were to blame for the breach.
Erfan Shadabi, Cybersecurity Expert at comforte AG, commented that while users do have an obligation to follow best practices in areas like password management, companies also have a duty to protect the sensitive information that has been entrusted to them, such as enforcing 2FA policies.
“Attributing the entirety of blame to users is a flawed argument that oversimplifies the complex landscape of cybersecurity,” he stated.
Nick Rago, Field CTO at Salt Security, said that 23andMe’s argument that the breach cannot cause financial harm because it did not include information like credit card details is completely outdated.
He noted that exposing any genealogy or relationship information would be highly useful to an attacker in developing a targeted social engineering campaign to scam a consumer, steal an identity or gain privileged system access in a corporate infrastructure.
Examples of recent breaches rooted in a successful targeted social engineering campaign include those that affected JumpCloud, MGM and Caesars.
“These types of attacks do not take much information about the targeted individual to be effective, especially with the rise of AI technologies that are helping threat actors craft material used in their efforts,” explained Rago.
Five Lessons from the 23andMe Data Breach Reaction
Here are Infosecurity Magazine’s top five takeaways from the 23andMe letter and subsequent reaction.
1. MFA Should Be Mandatory
Research shows that practices like password recycling are prevalent, making individuals and organizations vulnerable to techniques like credential stuffing. In this landscape, relying on passwords alone to protect online accounts is insufficient. While 23andMe claimed in its letter that the victims were negligent for recycling their passwords, the firm also confirmed that it had since mandated MFA on its customer accounts, where previously it was optional.
Other organizations should consider making MFA a mandatory part of the log-in process, with Microsoft finding this layer can block over 99.9% of account compromise attacks.
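Two controls follow directly from this lesson: refuse passwords that already appear in a breach corpus at registration and password change, and make MFA enrolment a condition of completing sign-up rather than an option. The block below is an added example, not 23andMe's code; the breached-password set is a constructed stand-in for a real corpus, and the prefix/suffix lookup mirrors the k-anonymity range approach used by services such as Pwned Passwords (an assumption about deployment, not something the article describes).

```python
"""Screen recycled passwords and require MFA at sign-up (added example).

The breach corpus, the usernames and the `register` policy are constructed
for illustration; they are not 23andMe's data or code.
"""
import hashlib

# Constructed stand-in for a breached-password corpus.
BREACHED_PASSWORDS = {"password123", "qwerty", "letmein", "summer2023"}


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest form range lookups conventionally use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus as {5-char hash prefix: {35-char suffix}}.

    This is the shape a range endpoint serves: the client sends only the
    prefix, receives every suffix under it, and matches locally, so the
    full hash of the candidate password never leaves the client.
    """
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password, index):
    """True if the password's hash suffix appears under its prefix bucket."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def register(username, password, mfa_enrolled, index):
    """Sign-up gate: reject breached passwords and require MFA enrolment.

    Returns a short status string rather than raising, so the caller can
    show the reason to the user.
    """
    if is_breached(password, index):
        return "reject: password appears in a known breach corpus"
    if not mfa_enrolled:
        return "reject: MFA enrolment is required before the account is usable"
    return "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    print(register("alice@example.com", "password123", True, idx))
    print(register("bob@example.com", "correct horse battery staple", False, idx))
    print(register("carol@example.com", "correct horse battery staple", True, idx))
```

Screening against a breach corpus blocks exactly the recycled credentials that credential stuffing relies on, and gating sign-up on MFA enrolment removes the "optional" state the article describes. The same `is_breached` check belongs on the password-change path too, otherwise users can swap a clean password for a breached one later.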
2. All Data Breaches Can Cause Significant Harm
23andMe suggested that the breach isn’t grounds for a legal claim because the attackers did not access data that could directly target the victims’ finances. However, it is well established that attackers can build sophisticated follow-up social engineering campaigns from any personal information, particularly with the help of generative AI tools.
In addition, the breach of highly sensitive genealogy and relationship information could leave victims open to other threats.
3. Users Must Have Some Responsibility for their Online Security
While 23andMe’s stance has faced significant criticism, at the same time it isn’t necessarily a good idea to completely absolve users of their online security. Individuals will face consequences for negligence in other areas of life, such as an insurance company not paying out following a burglary if the victim failed to lock their front door.
Having a blind ‘don’t blame the user’ mantra could provide less incentive for individuals to engage in secure behaviors if the organization itself is liable for every single breach that occurs. It is important the industry has a debate about the extent to which users are accountable for their own online security.
4. Cybersecurity Awareness Campaigns Must Improve
There has been a major emphasis on promoting secure online behaviors among the general public in recent years, such as the annual Cybersecurity Awareness Month campaign. However, bad practices like password reuse continue to be a key factor in data breaches.
With cybercriminals targeting victims indiscriminately, it is vital that awareness campaigns, from both the public and private sectors, resonate with a greater number of people.
5. It’s Time to Accelerate the Shift to Passwordless
Passwordless technologies, such as biometrics and passkeys, have evolved in recent years and offer an alternative to passwords and even MFA and password managers. For example, biometric authentication has become standard on smartphones, while big tech firms like Google, Apple and Microsoft have recently taken strides towards removing passwords from their platforms for good.
However, passwords remain the primary authentication method across most organizations, meaning simple techniques like credential stuffing continue to be effective for threat actors. It is important that businesses accelerate their move away from usernames and passwords, taking advantage of the growing availability of secure passwordless options to reduce the risk of data breaches.