23andMe blamed the poor password practices of some of its users for the data leak that affected nearly 7 million of its users in October.
Class action lawsuits against 23andMe that resulted from the cybersecurity incident allege the company violated state privacy laws including the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA) and the Illinois Genetic Information Privacy Act.
A lawyer representing 23andMe denied the allegations in a Dec. 11 letter to lawyers representing the plaintiffs in one of the lawsuits. The letter, first published by TechCrunch on Jan. 3, asserted that users, not the company, are responsible for the unauthorized access.
“[…] users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the letter stated.
23andMe previously told SC Media that about 14,000 accounts were directly accessed through credential stuffing, in which attackers replay username-and-password pairs exposed in breaches of other services. Once inside those accounts, the attackers used the DNA Relatives feature, through which users share profile data with their matched relatives, to scrape ancestry data belonging to millions more users.
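The attack described above has two observable stages: a burst of logins from one source across many distinct usernames with a high failure rate, followed by a handful of successful accounts reading far more relative profiles than a person would. As an added example, not code from 23andMe or SC Media, the following Python runs both detections over a constructed log; the key=value log format, the thresholds, the IP addresses and the usernames are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not real 23andMe data):
# one login attempt per line, timestamp first, then key=value fields.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z event=login ip=203.0.113.7 user=alice result=fail
2023-10-01T10:00:02Z event=login ip=203.0.113.7 user=bob result=fail
2023-10-01T10:00:03Z event=login ip=203.0.113.7 user=carol result=success
2023-10-01T10:00:04Z event=login ip=203.0.113.7 user=dave result=fail
2023-10-01T10:00:05Z event=login ip=203.0.113.7 user=erin result=fail
2023-10-01T10:00:06Z event=login ip=203.0.113.7 user=frank result=success
2023-10-01T10:00:07Z event=login ip=203.0.113.7 user=grace result=fail
2023-10-01T10:00:08Z event=login ip=203.0.113.7 user=heidi result=fail
2023-10-01T10:05:00Z event=login ip=198.51.100.2 user=ivan result=fail
2023-10-01T10:05:30Z event=login ip=198.51.100.2 user=ivan result=fail
2023-10-01T10:06:00Z event=login ip=198.51.100.2 user=ivan result=success
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn one 'TS k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, TS_FMT)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def build_sample_events():
    """Constructed events: the login lines above plus relative-profile views.
    carol (a stuffed account) reads 300 distinct relatives in 30 minutes;
    ivan (a legitimate user who mistyped his password) reads 5."""
    lines = SAMPLE_LOG.splitlines()
    base = datetime(2023, 10, 1, 10, 10, 0)
    for i in range(300):
        ts = (base + timedelta(seconds=6 * i)).strftime(TS_FMT)
        lines.append(f"{ts} event=view_relative ip=203.0.113.7 user=carol target=r{i:03d}")
    for i in range(5):
        ts = (base + timedelta(minutes=10 + i)).strftime(TS_FMT)
        lines.append(f"{ts} event=view_relative ip=198.51.100.2 user=ivan target=r{900 + i}")
    return [parse_line(line) for line in lines]


def _sliding_windows(items, window):
    """Yield (start, end) index pairs so items[start:end+1] fit in `window`."""
    items.sort(key=lambda e: e["ts"])
    start = 0
    for end in range(len(items)):
        while items[end]["ts"] - items[start]["ts"] > window:
            start += 1
        yield start, end


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs whose logins in any window hit many distinct usernames
    with a high failure ratio. A single user failing repeatedly (forgotten
    password) has distinct_users == 1 and is not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        for start, end in _sliding_windows(attempts, window):
            win = attempts[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] == "fail" for e in win)
            if len(users) < min_distinct_users or failures / len(win) < min_fail_ratio:
                continue
            if len(users) > flagged.get(ip, {}).get("distinct_users", 0):
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    # successes inside a stuffing burst are the accounts to lock.
                    "compromised": sorted({e["user"] for e in win if e["result"] == "success"}),
                }
    return flagged


def detect_scraping(events, window=timedelta(hours=1), max_targets=100):
    """Flag accounts that view more distinct relative profiles in a window
    than a human plausibly would; returns {user: distinct_targets}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "view_relative":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, views in by_user.items():
        for start, end in _sliding_windows(views, window):
            targets = {e["target"] for e in views[start:end + 1]}
            if len(targets) >= max_targets and len(targets) > flagged.get(user, 0):
                flagged[user] = len(targets)
    return flagged


def confirmed_breakout(events):
    """Accounts that were both logged into during a stuffing burst and then
    used to scrape: the highest-confidence list for forced reset and notice."""
    stuffed = set()
    for info in detect_credential_stuffing(events).values():
        stuffed.update(info["compromised"])
    return sorted(stuffed & set(detect_scraping(events)))


if __name__ == "__main__":
    evs = build_sample_events()
    print(detect_credential_stuffing(evs))
    print(detect_scraping(evs))
    print(confirmed_breakout(evs))
```

Two caveats a practitioner would add: real stuffing campaigns are usually spread across many proxy addresses, so per-IP counts are a lower bound and should be complemented by per-account and global failure-rate baselines, and the scraping threshold must be set from the feature's own usage data, since a page that lists relatives in bulk legitimately generates many views per session.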
The letter also noted that users “affirmatively elected” to share certain information with other users through the DNA Relatives feature and argued that the information accessed “cannot be used for any harm.”
23andMe says there was no security breach
The company has previously said in statements to SC Media, as well as in a blog post providing information about the incident, that there was no direct breach of 23andMe’s systems. The company’s lawyer, Ian Ballon, doubled down on this point in his letter to Hassan Zavareei, whose law firm represents the plaintiffs in Bacus v. 23andMe, Inc.
“[…] the plaintiffs you purport to represent were not affected by any security breach under the CPRA,” Ballon wrote.
The letter references the use of recycled credentials as the source of the leak in arguing that there was no failure by 23andMe to maintain reasonable security measures as required by California’s privacy law. Additionally, Ballon argued that the user data accessed does not fit the criteria for pecuniary harm, as it did not include Social Security numbers, driver’s license numbers or payment and financial information.
Data exposed in the 23andMe leak included ancestry report information, user-uploaded profile information such as names and birthplaces, and for some users, “health-related” information, the company previously said in a filing to the U.S. Securities and Exchange Commission.
The company responded to allegations that it breached California’s medical confidentiality law, saying that the health and genetic information mentioned in the lawsuit is not considered “substantive” as defined by the CMIA.
Further, 23andMe argued that there was no violation of Illinois’ genetic information privacy law because the leak of genetic information was “a result of users’ failure to safeguard their own account credentials” rather than a failure by 23andMe to safeguard the data. Additionally, the company's stance is that the exposed information is not covered by GIPA, citing a previous case involving Ancestry.com DNA information that was dismissed by an Illinois district court in 2022.
Following the October data leak, 23andMe logged out all users, required them to reset their passwords and made two-factor authentication (2FA) mandatory. 2FA had been optional since 23andMe first offered it in 2019.
Zavareei called 23andMe's arguments "nonsensical" in a statement to TechCrunch, saying, "23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information and genetic information on its platform."
SC Media reached out to 23andMe for more information about its updated security measures and did not receive a response.