
Guess the company: Takes your DNA, blames you when criminals steal it, can’t spot a cyberattack for 5 months
2024-01-26 16:00

Biotech and DNA-collection biz 23andMe, the one that blamed its own customers for the October mega-breach, just admitted it failed to detect any malicious activity for the entire five months attackers were breaking into user accounts.

In a collection of data breach notifications filed with California's attorney general Rob Bonta, 23andMe revealed attackers were using credential stuffing techniques between April 29 and September 27, 2023.

23andMe only started mandating 2FA by default in November, a month after it detected the breach.
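The pattern described above, one source address replaying leaked username/password pairs against many different accounts with most attempts failing, is what a basic login-log check can surface long before five months pass. The Python below is an added illustration, not code from the article or from 23andMe; the log format, thresholds and sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (assumed format; not real 23andMe data).
# One address cycles through many accounts, mostly failing: stuffing signature.
# A second address is one user retrying their own password: benign.
SAMPLE_LOG = """\
2023-05-01T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-05-01T02:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-05-01T02:00:03Z src=203.0.113.7 user=carol result=SUCCESS
2023-05-01T02:00:04Z src=203.0.113.7 user=dave result=FAIL
2023-05-01T02:00:05Z src=203.0.113.7 user=erin result=FAIL
2023-05-01T02:00:06Z src=203.0.113.7 user=frank result=FAIL
2023-05-01T08:15:00Z src=198.51.100.20 user=alice result=FAIL
2023-05-01T08:15:09Z src=198.51.100.20 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_auth_log(text):
    """Yield (src, user, result) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def detect_credential_stuffing(text, min_distinct_users=5, max_success_rate=0.5):
    """Return {src: [users who logged in successfully]} for sources that tried
    at least min_distinct_users different accounts with a success rate at or
    below max_success_rate. Successful logins from a flagged source are the
    accounts to treat as taken over (force password reset, require 2FA)."""
    attempts = defaultdict(list)
    for src, user, result in parse_auth_log(text):
        attempts[src].append((user, result))
    flagged = {}
    for src, events in attempts.items():
        distinct_users = {u for u, _ in events}
        successes = sorted({u for u, r in events if r == "SUCCESS"})
        success_rate = sum(1 for _, r in events if r == "SUCCESS") / len(events)
        if len(distinct_users) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[src] = successes
    return flagged
```

Thresholds are per-site tuning knobs; the point is that the per-source distinct-account count, not the per-account failure count, is what distinguishes stuffing from an ordinary forgotten password.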

In letters sent to lawyers representing 23andMe breach victims, the biotech firm said the breach was caused by user negligence, denying all allegations that its alleged security failures were instead the leading cause.

The letter read: "As set forth in 23andMe's October 6, 2023 blog post, 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials - that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe."

Related stories:
Infosec experts divided over 23andMe's 'victim-blaming' stance on data breach
23andMe responds to breach with new suit-limiting user terms
Cybercrim claims fresh 23andMe batch takes leaked records to 5 million
DNAaaahahaha: Twins' 23andMe, Ancestry, etc genetic tests vary wildly, surprising no one


News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/26/23_and_me_breach_filing/