23andMe blames users for data breach, citing recycled passwords

thtrangdaien

Genetic testing company 23andMe is facing a class-action lawsuit after user data was accessed without authorization — a breach blamed on customers who used recycled passwords as login credentials for their accounts on the home DNA firm’s website.

In a letter responding to lawyers representing customers whose data was exposed, 23andMe wrote that no violation occurred under provisions of the California Privacy Rights Act because users targeted in the initial breach used login credentials that had been exposed in breaches involving other websites, through a tactic called “credential stuffing.” The letter was first reported by TechCrunch and independently verified by FOX Business.

The company reiterated the position it took when it first disclosed the incident in October, writing that “unauthorized actors managed to access certain user accounts in situations where users recycled their own login credentials – that is, users used the same usernames and passwords on 23andMe.com as on other websites that have had previous security breaches, and users carelessly recycled and failed to update their passwords following this past security incident, which was unrelated to 23andMe.”

Around 14,000 23andMe user accounts were targeted in the initial incident and hackers used those accounts to access the data of 6.9 million users. From the initial 14,000 accounts compromised, the hackers accessed information from about 5.5 million DNA Sibling profiles and about 1.4 million Family Tree feature profiles connected to the affected accounts.

The company said in December it had 14 million customer profiles at the time.

23andMe did not immediately respond to a request for comment.

“Instead of acknowledging its role in this security disaster, 23andMe appears to have decided to hang its customers out to dry while downplaying the seriousness of this event,” Hassan Zavareei, a lawyer representing victims who are pursuing a lawsuit against 23andMe, said in a statement given to FOX Business.

He also stated that “the breach affected millions of users whose data was exposed through the DNA Relatives feature on the 23andMe platform, not because they use recycled passwords.”

“Out of those millions, only a few thousand accounts have been affected by credential stuffing,” Zavareei added. “23andMe’s attempt to avoid responsibility by blaming its customers does nothing for these millions of consumers whose data has been compromised through no fault of their own.”

Following the breach, hackers posted approximately 1 million data points associated with users of Ashkenazi Jewish heritage and similar data associated with more than 300,000 users with Chinese heritage.

23andMe also took steps to change user security protocols by requiring the use of two-factor authentication for all new and existing users and also instructing every customer to reset their passwords.

Shares of the company were down more than 8% in late afternoon trading on Wednesday.

Source: thtrangdai.edu.vn/en/