The genetic testing service 23andMe made headlines late last year when hackers pulled off a significant data breach and accessed the private information of millions of customers. In an unprecedented defense, 23andMe turned around and blamed the breach victims, saying it’s their own darn fault.
According to Business Insider, hackers didn’t get very far to begin with – initially gaining access to around 14,000 accounts using previously compromised login credentials – but when they lifted up the rug on 23andMe’s “DNA Relatives” feature, they gained access to almost half of the company's user base, or about 7 million accounts.
The company’s “the-customer-is-at-fault” counterattack is based on 23andMe’s position that those 7 million users were lax when it came to recycling passwords.
“That is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company’s attorneys said responding to one of the 30-odd lawsuits based on the breach.
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA (California Privacy Rights Act).”
Whether you’re a 23andMe user or not, listen up
23andMe's attempt to shift responsibility by blaming its customers does little to nothing for the millions of consumers whose information was compromised without their knowledge. But, until the FTC steps in, lawyers strike a deal, or 23andMe changes its tune, it looks like its users are on their own.
ConsumerAffairs asked Pieter Arntz, senior intelligence reporter at Malwarebytes, what readers should do in this situation – both as a 23andMe customer and an online user in general.
You might not like what Arntz has to say, but he says the blame cuts both ways.
"Password reuse is a chronic issue, but the fact is that 23andMe -- and any company storing similar troves of data -- needs to have fail-safes in place that produce alerts if a large amount of data is requested and enable security teams to take action,” he told ConsumerAffairs.
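The two patterns described above, credential stuffing against many accounts and a single account pulling an unusually large number of relative profiles, are exactly the kind of thing the "fail-safes" Arntz mentions would watch for. The following Python is an added illustration, not code from 23andMe, Malwarebytes or ConsumerAffairs. It assumes a hypothetical audit-log format (timestamp, event, account, source IP, profile count), and the log lines, window size and thresholds are all constructed for the example.

```python
"""Toy detection logic for credential stuffing and bulk relative-profile access.

Added example; the log format, thresholds and sample events below are assumptions
made for illustration and do not describe any real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_RELATIVE_PROFILES = 100        # profiles one account may fetch per window (illustrative)
MAX_DISTINCT_ACCOUNTS_PER_IP = 5   # failed logins on distinct accounts per IP per window

# Constructed sample log. Fields: ISO timestamp, event, account, source IP, profile count.
# "relatives_fetch" carries the number of relative profiles returned by that request.
SAMPLE_LOG = [
    "2023-10-01T10:00:00 login_ok alice 203.0.113.7 0",
    "2023-10-01T10:00:05 relatives_fetch alice 203.0.113.7 20",
    "2023-10-01T10:03:00 relatives_fetch alice 203.0.113.7 20",
    "2023-10-01T10:05:00 login_fail carol 198.51.100.9 0",
    "2023-10-01T10:05:01 login_fail dave 198.51.100.9 0",
    "2023-10-01T10:05:02 login_fail carol 198.51.100.9 0",   # repeat, not a new account
    "2023-10-01T10:05:03 login_fail erin 198.51.100.9 0",
    "2023-10-01T10:05:04 login_fail frank 198.51.100.9 0",
    "2023-10-01T10:05:05 login_fail grace 198.51.100.9 0",
    "2023-10-01T10:06:00 login_ok bob 198.51.100.9 0",
    "2023-10-01T10:06:10 relatives_fetch bob 198.51.100.9 50",
    "2023-10-01T10:06:20 relatives_fetch bob 198.51.100.9 50",
    "2023-10-01T10:06:30 relatives_fetch bob 198.51.100.9 50",
    "2023-10-01T10:30:00 relatives_fetch alice 203.0.113.7 20",  # old fetches aged out
]


def parse_line(line):
    """Split one hypothetical audit-log line into typed fields."""
    ts, event, account, ip, count = line.split()
    return datetime.fromisoformat(ts), event, account, ip, int(count)


def detect(lines):
    """Return alerts as (kind, subject, measure) tuples, in the order they fire.

    Both detectors keep a sliding window per key and alert once per key.
    """
    alerts = []
    fetches = defaultdict(deque)   # account -> deque of (ts, profile_count)
    failures = defaultdict(deque)  # ip -> deque of (ts, account)
    bulk_alerted, stuffing_alerted = set(), set()

    for line in lines:
        ts, event, account, ip, count = parse_line(line)

        if event == "relatives_fetch":
            q = fetches[account]
            q.append((ts, count))
            while q and ts - q[0][0] > WINDOW:   # drop events outside the window
                q.popleft()
            total = sum(c for _, c in q)
            if total > MAX_RELATIVE_PROFILES and account not in bulk_alerted:
                bulk_alerted.add(account)
                alerts.append(("bulk_relatives_access", account, total))

        elif event == "login_fail":
            q = failures[ip]
            q.append((ts, account))
            while q and ts - q[0][0] > WINDOW:
                q.popleft()
            distinct = {a for _, a in q}
            if len(distinct) >= MAX_DISTINCT_ACCOUNTS_PER_IP and ip not in stuffing_alerted:
                stuffing_alerted.add(ip)
                alerts.append(("credential_stuffing", ip, len(distinct)))

    return alerts


if __name__ == "__main__":
    for kind, subject, measure in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {subject} ({measure})")
```

Running the sample flags the source IP that failed logins on five different accounts and the account that pulled 150 relative profiles in under a minute, while the account fetching 20 profiles at a time is never flagged. In production the thresholds would come from observed baselines, and the alert would feed a workflow that can throttle or suspend the session rather than just print.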
Taking action
Arntz says that if you were impacted by the 23andMe hack, check with the company to find out what’s happened and follow any specific advice they offer. ConsumerAffairs contacted 23andMe for advice in that regard, but did not get a response and, therefore, can’t offer consumer-facing suggestions.
But, for everyone else, this should be a wake-up call, especially if 23andMe’s claim that the onus is on us for password laziness holds up. Arntz suggests that everyone revisit these basics of password protection:
Change your password. “You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you,” Arntz suggests.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password.
Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
Photo Credit: Consumer Affairs News Department Images
Posted: 2024-01-22 12:48:12