DNA testing firm doubles down on blaming victims and sics lawyer on them.

Millions of 23andMe users had their personal information stolen last year. Apparently, it’s not the firm’s responsibility—it’s the users’ own fault that a distant relative had a bad password (at least, according to a lawyer acting for 23andMe).

As a reminder: In October, 23andMe said the breach only affected a few users; in November, it grew to 17,000; and December’s official tally was 6.9 million. In today’s SB Blogwatch, we wonder how soon it’ll be before NASDAQ:ME walks back this latest claim.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Snowflakes.

Am I my Brother’s Keeper?

What’s the craic? Lorenzo Franceschi-Bicchierai reports—“23andMe tells victims it’s their fault that their data was breached”:

“Shamelessly blaming the victims”
Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, … Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told [me].
…
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers. … The hackers broke into this first set of victims by [using] passwords that were known to be associated with the targeted customers—a technique known as credential stuffing. From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million [via] 23andMe’s DNA Relatives feature, [which] allows customers to automatically share some of their data.
…
Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach: … “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing. … Only a few thousand accounts were compromised due to credential stuffing, [but] millions of consumers’ … data were compromised through no fault of their own.”

At least the firm’s position is consistent. Claire Cameron recalls—“23andMe Blames Its Users”:

“23andMe denies this allegation”
The letter reiterates the company’s position … that a number of users who recycled passwords compromised in other data breaches targeting other websites provided a key for bad actors to gain entry into 23andMe’s DNA … matching feature and compromise millions of users. … By recycling passwords, the company means the common, but inadvisable, practice of using one password for multiple online accounts.
…
The company is facing multiple lawsuits over the data breach that collectively allege it has failed to protect users. … 23andMe denies this allegation [but] since the breach, 23andMe has instituted a two-step authentication process as the default.

What the heck? Zavareei published the letter from Ian C. Ballon at Greenberg Traurig LLP in full—but here’s a flavor:

Our firm represents 23andMe, Inc. … Each of the claims is without merit, and we urge you to consider the futility of continuing to pursue an action in this case.
…
23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials … and users negligently recycled and failed to update their passwords following … past security incidents. … Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm.
…
We trust this resolves this matter.

TL;DR? liquidise summarizes thuswise:

23andMe failed to identify brute force and credential stuffing access of 14,000 accounts. They also have a feature that grants those 14k compromised accounts effective access to 6.9 million accounts. 23andMe then claims that poor password practices are responsible for this data leak.
…
I’ve not run security at an org of their size, nor have I touched their service, but I have to imagine there were some patterns to this breach that would have been reasonable to account for ahead of time. … 2FA seems like an obvious answer here but clearly that was more than could be expected.

What do we say to 23andMe? jmorris2000 hits the nail on the head:

If your overall security is compromised by users not changing passwords, you don’t have security. You have an unlocked door with a handle that will stop people who are ethical enough to not open unlocked doors.
…
I mean, seriously? My data is compromised because somebody else’s password is insecure? You’ve just admitted that you basically have no security.

And topologist hammers the point home:

Did 23andMe have no safeguards against brute-force attacks at scale? Or identifying logins from multiple accounts across a small set of IPs, etc.? Or identifying logins from a location entirely different from the customary geolocation of the user, prompting an e-mail verification? Gmail, etc. all implement similar safeguards.
…
Blaming an 80 year old grandma for reusing a password is ridiculous. … A giant corporation could easily add safeguards.

Reluctantly, Reluctant_Human agrees:

However, ziddoap is more nuanced:

Although gweihir agrees to disagree:

Sure. The users share responsibility by trusting this scummy company. … Does not lessen the responsibility of 23andMe in any way though.

Meanwhile, ashleytwo snarks it up:

Congratulations 23andMe, your genealogical heritage is as follows:
80% Incapable of Admitting Fault
8% Victim Blaming
5% Petty
4% Whiny
3% Neanderthal

And Finally:

Kenneth G. Libbrecht giving me chair envy

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: thavis.com (via Unsplash; leveled and cropped)