Security News > 2024 > January > Infosec experts divided over 23andMe's 'victim-blaming' stance on data breach

23andMe users' godawful password practices were supposedly to blame for the biotech company's October data disaster, according to its legal reps.

The letter, which was first reported by TechCrunch, read: "As set forth in 23andMe's October 6, 2023 blog post, 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials - that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures under the CPRA.".

"From a PR perspective, the response from the biotech company was described as striking completely the wrong tone. Yvonne Eskenzi, co-founder of infosec PR agency Eskenzi, said:"From a crisis comms standpoint, 23andMe's response to its breach misses the mark completely.

In the infosec industry, experts appear to be divided on the matter, although the majority opposed the stance of 23andMe.

Prior to the data breach in October, 23andMe did not mandate the use of 2FA, but said it has supported authenticator app-based 2FA since 2019.

The Register approached 23andMe for comment but it did not respond.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/04/23andme_victim_blaming_breach/