23andMe, renowned for its DNA testing and analysis services, has issued a statement placing blame on its users for a data breach that occurred last year. The genomics company openly admitted that its users were not adequately securing their accounts by recycling passwords and failing to reset them. This vulnerability was exploited by hackers who launched a credential stuffing campaign, utilizing usernames and passwords leaked in other breaches.
The blame game escalated to the legal arena when Tycko & Zavareei LLP, a law firm representing the affected users, filed a lawsuit against the gene data analyzing company. The lawsuit alleged that 23andMe failed to implement basic security measures to protect user data, a standard that all companies worldwide should adhere to.
The October 2023 incident resulted in the leakage of data from over 7 million users, with 14,000 accounts falling victim to credential stuffing tactics.
Tycko & Zavareei LLP insists that all affected users should receive compensation through a legally determined process.
So, who is truly at fault?
Users bear some responsibility and should be advised to change passwords regularly. When creating passwords, they should receive digital prompts from the website prohibiting password recycling. Users are encouraged to craft complex, 14-character passwords containing alphanumeric and special characters to enhance security.
From a business perspective, 23andMe should store passwords in encrypted form, and the database must be secured with multi-factor authentication proactively. Both users and the company must play their part in upholding security standards to prevent such breaches in the future.
