23andMe: Negligent Users at Fault for Breach of 6.9M Records

Published: 23/11/2024   Category: security

When it comes to bad passwords, how much responsibility should a service provider share with its customers?

Up against an onslaught of lawsuits, 23andMe is denying liability for millions of users' genetic records leaked last fall.

In a letter sent to a group of users suing the company, obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for whatever data might have been exposed.

As was revealed last month, hackers didn't breach the company's internal systems. Instead, they obtained access to about 14,000 accounts using credential stuffing (replaying username and password pairs leaked in other sites' breaches), then accessed data from nearly seven million more through the site's optional DNA Relatives sharing feature.
The argument raises an important question for courts, as well as the broader cybersecurity industry: What share of responsibility lies with the user, versus the service provider, when credentials get stuffed?
"Everyone should know better than to use an unhygienic credential," says Steve Moore, vice president and chief security strategist at Exabeam. "But at the same time, the organization that provides the service ought to have capabilities to limit the risk of that."
The user group suing 23andMe argues that the company violated the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA), and the Illinois Genetic Information Privacy Act (GIPA), and committed a number of other common law violations.
To the first point, the company's lawyers explained, "users negligently recycled and failed to update their passwords following prior incidents affecting their logins, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures under the CPRA." Similar logic applies to GIPA, though they added that 23andMe "does not believe that Illinois law applies here."
23andMe has not necessarily lived up to all of its lofty security promises. With that said, there were account security features available to customers which might have blocked account takeover via credential stuffing, including two-step verification with an authenticator app. And, following the company's initial discovery and public notice, it implemented a series of standard security remediations, including notifying law enforcement, terminating all active user sessions, and requiring all users to reset their passwords.

"Equally important, the information that was potentially accessed cannot be used for any harm," the lawyers wrote. "The profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe's platform, and the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver's license number, or any payment or financial information)."
The nature of the stolen data also discounts CMIA, the letter explains, as it "did not constitute medical information" even though it was individually identifiable.
23andMe accounts are not uniquely insecure. "Any organization you can think of that has a customer portal, whether they want to admit it or not, has this problem, just not always at this scale," says Moore.
Thus a broader, deeper issue arises. Any one reused password can be blamed on its user, but, knowing that the practice is endemic across the Web, does some responsibility for protecting accounts then fall to the service provider?

"Liability, I think, is shared. And that's not a fun answer," Moore admits.

On one hand, users have a laundry list of best practices they can rely on to make account takeover not impossible, but at least very difficult.

At the same time, Moore points out, companies need to exert their own power to protect their customers, with the many tools they have at their disposal. Beyond offering (or requiring) multi-factor authentication, sites can enforce strong password thresholds, and provide notice to users when logins occur from unusual places or at unusual frequencies. Then from a legal standpoint: "What do your terms of service and acceptable use policy say? When a user accepts an agreement, what do they agree that their hygiene is going to be?" he asks.

"I think there should be a customer's bill of rights on this that says if you're managing sensitive personal information, customer portals must offer a way to check for strong credentials, a way to check against known breaches, and a way to make sure you have adaptive authentication or multi-factor that doesn't use fallible means like SMS. Then we can say: this is the minimum requirement," he says.
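Two of the provider-side controls discussed above, a breached-password check and detection of a credential-stuffing run in authentication logs, as an added example written for this page. It is not 23andMe's or Exabeam's code. The breach "range" data mimics the k-anonymity lookup pattern (only a 5-character SHA-1 prefix leaves the client) but is built offline from a handful of weak passwords with made-up hit counts, and the auth log lines are constructed; the thresholds (`min_users`, `min_fail_ratio`, 5-minute window) are assumptions a real deployment would tune.

```python
"""Provider-side controls against credential stuffing (illustrative code
written for this page, not 23andMe's or Exabeam's): a breach-corpus
password check using the k-anonymity pattern, and a detector that flags
stuffing runs in auth logs and lists the accounts whose sessions should be
revoked and passwords reset. Breach data and log lines are constructed."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed breach corpus: a few weak passwords with made-up hit counts.
_BREACHED = {"password": 4_000_000, "123456": 6_500_000, "qwerty": 900_000}


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Stand-in for a range API: prefix -> ["SUFFIX:COUNT", ...], built offline.
RANGE_DB = defaultdict(list)
for _pw, _count in _BREACHED.items():
    _h = _sha1_hex(_pw)
    RANGE_DB[_h[:5]].append(f"{_h[5:]}:{_count}")


def breach_count(password: str) -> int:
    """Look up by hash prefix, match the suffix locally, so the full hash
    (and the password) never leave the caller."""
    h = _sha1_hex(password)
    for line in RANGE_DB.get(h[:5], []):
        suffix, count = line.split(":")
        if suffix == h[5:]:
            return int(count)
    return 0


def password_acceptable(password: str, min_len: int = 12) -> tuple[bool, str]:
    """Strength threshold plus breach check at registration / reset time."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    n = breach_count(password)
    if n:
        return False, f"seen {n} times in breach data"
    return True, "ok"


# Constructed auth log: ISO timestamp, username, source IP, result.
AUTH_LOG = """\
2023-10-01T10:00:00 alice 203.0.113.5 FAIL
2023-10-01T10:00:01 bob 203.0.113.5 FAIL
2023-10-01T10:00:02 carol 203.0.113.5 OK
2023-10-01T10:00:03 dave 203.0.113.5 FAIL
2023-10-01T10:00:04 erin 203.0.113.5 FAIL
2023-10-01T10:00:05 frank 203.0.113.5 FAIL
2023-10-01T10:00:06 grace 203.0.113.5 FAIL
2023-10-01T10:00:07 heidi 203.0.113.5 FAIL
2023-10-01T10:00:08 alice 198.51.100.7 FAIL
2023-10-01T10:00:20 alice 198.51.100.7 FAIL
2023-10-01T10:00:45 alice 198.51.100.7 OK
"""


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8) -> dict:
    """Flag source IPs that try many *distinct* usernames inside one window
    with mostly failures. A user mistyping their own password hits one
    account from one IP; a stuffing run walks a leaked list of accounts."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):           # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(win), "failures": fails}
    return flagged


def compromised_accounts(events, flagged) -> set:
    """Accounts that logged in successfully from a flagged source: the
    sessions to terminate and the passwords to force-reset."""
    return {e["user"] for e in events
            if e["ip"] in flagged and e["result"] == "OK"}


if __name__ == "__main__":
    print(password_acceptable("password"))
    evs = parse_log(AUTH_LOG)
    hits = detect_stuffing(evs)
    print(hits, compromised_accounts(evs, hits))
```

The log detector keys on the signature the article describes: one source walking many accounts with mostly failed attempts, plus the few that succeed. In practice the per-IP grouping needs care, since carrier NAT and corporate egress can make legitimate traffic look like one noisy source, while a stuffing operator will spread attempts across proxies; correlating on user agent, ASN and timing in addition to IP reduces both kinds of error. The password check is only as good as the corpus behind it, which is why the suffix match is done locally and the corpus is refreshed rather than trusted once.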
