In a bold move, 23andMe blames its customers for its data breach

ConsumerAffairs

Maybe it’s time you get a password manager after all

The genetic testing service 23andMe made headlines late last year when hackers pulled off a significant data breach and accessed the private information of millions of customers. In an unprecedented defense, 23andMe turned around and blamed the breach victims, saying it’s their own darn fault.

According to Business Insider, hackers didn’t get very far to begin with – initially gaining access to around 14,000 accounts using previously compromised login credentials – but when they lifted up the rug on 23andMe’s “DNA Relatives” feature, they gained access to almost half of the company's user base, or about 7 million accounts. 

The company’s “the-customer-is-at-fault” counterattack is based on 23andMe’s position that those 7 million users were lax when it came to recycling passwords. 

“That is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company’s attorneys said responding to one of the 30-odd lawsuits based on the breach.

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA (California Privacy Rights Act).” 

Is "shared blame" justified?

23andMe's defense is novel, no doubt about it, but can the company prove its point?

"How can I answer this question other than 'it depends'?" Caroline McCaffery, co-founder and CEO of ClearOPS, told ConsumerAffairs.

"It depends on the level of control a user has over the corporation storing and processing the data. For example, if a bunch of records of past users had been exposed and users had no method to request deletion of data once they terminate services, it is clearly on the corporation to make sure they delete records in a timely manner and, if they did not, then the responsibility for exposure falls on them."

McCaffery thinks this question stems from the fact that users were re-using usernames and passwords, so there is responsibility on the user.

"However, I have spoken to many people who don’t know how to determine if a password has been stolen and they follow the guidance of the corporation in terms of choosing a username (how many corporations default to the email address?). So it is likely a shared responsibility in this case."

Whether you’re a 23andMe user or not, listen up

23andMe's attempt to shift responsibility by blaming its customers does little to nothing for the millions of consumers whose information was compromised without their knowledge. But, until the FTC steps in, lawyers strike a deal, or 23andMe changes its tune, it looks like its users are on their own.

ConsumerAffairs asked Pieter Arntz, senior intelligence reporter at Malwarebytes, what readers should do in this situation – both as a 23andMe customer and an online user in general.

You might not like what Arntz has to say, but he says the blame cuts both ways.

"Password reuse is a chronic issue, but the fact is that 23andMe – and any company storing similar troves of data – needs to have fail-safes in place that produce alerts if a large amount of data is requested and enable security teams to take action,” he told ConsumerAffairs.
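The fail-safe Arntz describes, an alert when one account pulls an unusual amount of data, as an added example that is not 23andMe's or ConsumerAffairs' code: a small Python check over constructed access-log lines that flags accounts viewing an abnormal number of distinct relative profiles inside a time window, the footprint a credential-stuffing-then-scrape run against a "DNA Relatives"-style feature would leave. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one 'timestamp account profile' line per relative-profile view.
    u1 browses a couple of relatives; u2 pulls 120 distinct profiles in ten minutes,
    the shape a scrape through reused credentials would leave behind."""
    lines = [
        "2023-10-01T10:00:00 u1 p100",
        "2023-10-01T10:05:00 u1 p101",
        "2023-10-01T10:30:00 u1 p100",
    ]
    start = datetime(2023, 10, 1, 11, 0, 0)
    for i in range(120):
        lines.append(f"{(start + timedelta(seconds=5 * i)).isoformat()} u2 p{200 + i}")
    return "\n".join(lines)

def parse_log(text):
    """Turn log lines into (datetime, account, profile) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, profile = line.split()
        events.append((datetime.fromisoformat(ts), account, profile))
    return events

def flag_bulk_access(events, window_seconds=3600, max_profiles=50):
    """Return {account: peak} for accounts whose distinct relative-profile views
    inside any sliding window exceed max_profiles (assumed threshold).
    Accounts under the threshold are left out entirely."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for ts, account, profile in events:
        by_account[account].append((ts, profile))
    flagged = {}
    for account, rows in by_account.items():
        rows.sort()                      # sliding window needs time order
        peak, lo = 0, 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1                  # drop views older than the window
            peak = max(peak, len({p for _, p in rows[lo:hi + 1]}))
        if peak > max_profiles:
            flagged[account] = peak
    return flagged

if __name__ == "__main__":
    for account, peak in flag_bulk_access(parse_log(build_sample_log())).items():
        print(f"ALERT {account}: {peak} distinct relative profiles within one hour")
```

In production the same logic would run against the real request log and feed the alert to the security team rather than stdout; the threshold should be tuned to what a genuine user of the feature actually does in an hour.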

Taking action

Arntz says that if you were impacted by the 23andMe hack, check with the company to find out what’s happened and follow any specific advice they offer. ConsumerAffairs contacted 23andMe for advice in that regard, but did not get a response and, therefore, can’t offer consumer-facing suggestions.

But, for everyone else, this should be a wake-up call, especially if 23andMe’s claim that the onus is on us for password laziness holds up. Arntz suggests that everyone revisit these basics of password protection:

  • Change your password. “You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you,” Arntz suggests.

  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password.

  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
