Genetic testing company 23andMe is facing a class action lawsuit after users’ data was accessed without authorization – a breach it blames on customers who used a recycled password as login credentials for their account on the home DNA firm’s website.
In a letter responding to attorneys representing customers whose data was exposed, 23andMe wrote that no breach occurred under the provisions of the California Privacy Rights Act, because the users targeted in the initial incident were using login credentials that had already been exposed in breaches of other websites and were reused against 23andMe through a tactic called “credential stuffing.” The letter was first reported by TechCrunch and confirmed independently by FOX Business.
The company reiterated the position it took when it first revealed the incident in October, writing that “unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials – that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”
Around 14,000 accounts of 23andMe users were targeted in the initial incident, and the hackers used those accounts to access the data of 6.9 million users. From the initial 14,000 breached accounts, the hacker accessed information from about 5.5 million DNA Relatives profiles and roughly 1.4 million Family Tree feature profiles connected to the compromised accounts.
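The two signals a defender would watch for in the pattern described above, credential stuffing at login and bulk harvesting of relatives' profiles after login, as an added Python example run over constructed log events (not code from the article or from 23andMe; the event layout and thresholds are assumptions):

```python
# Added example: two detection checks for the incident pattern described above.
# Event layouts, IPs, account names and thresholds are constructed/assumed.
from collections import defaultdict

# Constructed login events: (event, source_ip, account, outcome)
LOGIN_EVENTS = [
    ("login", "203.0.113.9", "alice", "fail"),
    ("login", "203.0.113.9", "bob", "fail"),
    ("login", "203.0.113.9", "carol", "success"),
    ("login", "203.0.113.9", "dave", "fail"),
    ("login", "203.0.113.9", "erin", "success"),
    ("login", "198.51.100.4", "frank", "fail"),
    ("login", "198.51.100.4", "frank", "success"),
]

# Constructed relative-profile views by logged-in accounts: (account, profile_id)
PROFILE_VIEWS = [("carol", f"rel{i}") for i in range(1200)] + [
    ("frank", "rel3"),
    ("frank", "rel7"),
]


def credential_stuffing_ips(events, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a high failure share.
    A user mistyping their own password hits one account; a stuffing run driven
    by a leaked credential list hits many, most of which no longer match."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0})
    for kind, ip, account, outcome in events:
        if kind != "login":
            continue
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        if outcome == "fail":
            stats["fails"] += 1
    return sorted(
        ip for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts
        and s["fails"] / s["attempts"] >= min_fail_ratio
    )


def scraping_accounts(views, max_profiles=500):
    """Flag accounts that pull far more relative profiles than a person browsing
    would: this is the amplification step that turned thousands of account
    takeovers into millions of exposed records."""
    seen = defaultdict(set)
    for account, profile in views:
        seen[account].add(profile)
    return sorted(acct for acct, profiles in seen.items() if len(profiles) > max_profiles)
```

Both checks are per-source aggregates, so they belong in a stream or SIEM rule rather than in the login handler itself; mandatory two-factor authentication addresses the first signal, while per-account rate limits on relative-profile access address the second.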
The company said in December it had 14 million customer profiles at the time.
23andMe did not immediately respond to a request for comment.
“Rather than acknowledge its role in this security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, an attorney representing victims pursuing a class action lawsuit against 23andMe, said in a statement provided to FOX Business.
He also noted that “the breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords.”
“Of those millions, only a few thousand accounts were compromised due to credential stuffing,” Zavareei added. “23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever.”
In the wake of the breach, hackers posted roughly 1 million data points associated with users of Ashkenazi Jewish heritage and similar data related to over 300,000 users with Chinese heritage.
23andMe also tightened its account security requirements, mandating two-factor authentication for all new and existing users and directing every customer to reset their password.
The company’s stock was down over 8% during late afternoon trading on Wednesday.