23andMe blames users for security breach, says they should have been better at passwords


Genetic testing company 23andMe is blaming its customers for the data breach it suffered in late 2023.

According to TechCrunch, the firm sent a letter to a group of victims, claiming that these users “negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe.”

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

In late December 2023, hackers managed to break into approximately 14,000 23andMe accounts via brute-forcing, which involves trying out millions of username/password combinations, including those obtained from previous breaches elsewhere. However, some of these accounts had opted into the company’s DNA Relatives feature, which gave hackers access to personal data belonging to 6.9 million users. 

Despite the number of victims being in the millions, the company claims the stolen data cannot be abused: “The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature.”

The letter goes on to state: “Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information).”

23andMe refers to some users as plaintiffs as the company is facing more than 30 lawsuits in relation to the breach, TechCrunch claims. One of the lawyers representing the victims told the publication the company’s behavior is “shameless”:

“This finger-pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Hassan Zavareei said in an email.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” Zavareei stated.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.