In a surprising move, in a letter to legal representatives of victims of the recent 23andMe data breach, the company has laid the blame at the feet of victims themselves.
23andMe even goes as far as to claim that this wasn’t a data breach at 23andMe at all. The reasoning:
“… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”
In other words, it was their own fault since they re-used their passwords for services that were breached in the past. Accessing accounts on a website by using lists of usernames and passwords exposed on another is known as “credential stuffing”, and it’s both common and effective. It works because users often use the same password for multiple websites.
What 23andMe seems to have forgotten is that only 14,000 accounts were breached by credential stuffing. Afterwards, the attackers used those accounts to access a much larger trove of data via 23andMe’s feature called DNA Relatives which matches users with their genetic relatives.
So, in what was only made possible by 23andMe, customers who didn’t re-use their passwords and even had 2FA enabled still saw their data stolen. This resulted in the data of as many as seven million 23andMe customers being offered for sa ..
Support the originator by clicking the read the rest link below.
