A 23andme DNA test kit.
Genetic testing giant 23andMe has reportedly turned the responsibility for its latest data breach back on its customers.
  • Hackers stole the data of millions of 23andMe customers in a data breach in October.
  • The hackers used previously compromised login credentials to access the data.
  • 23andMe is now reportedly telling victims that the breach is their fault.

Over the past few months, genetic testing giant 23andMe has been investigating exactly how the data of millions of its users was compromised in a data breach back in October. 

Now, after being hit by a series of class action lawsuits from victims of the breach, the company is reportedly turning the blame back to the users — telling them they should have been more cautious about recycling their login credentials. 

"Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe," the company told a group of victims in a letter initially reported by TechCrunch. "Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures under the CPRA." The CPRA — otherwise known as the California Privacy Rights Act — strengthened security measures for consumers to stop businesses from sharing their personal information. 

The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts, the company previously told Business Insider. 

One 23andMe customer impacted by the breach told TechCrunch that it's "appalling that 23andMe is attempting to hide from consequences instead of helping its customers."

The legal parties representing the victims aren't thrilled with the company's response either. "Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch. He and 23andMe did not respond to Business Insider's requests for comment.

Following the breach, the company asked all its users to reset their passwords and set up additional security measures like two-factor authentication, according to its website. It also noted that it now requires all new and existing customers to log in to their accounts using two-step verification.

In October, the company said the results of its preliminary investigation showed no indication of a data security incident within its systems. The company has reiterated that through the investigation.


Read the original article on Business Insider