23andMe Tells Victims It's Their Fault Data Was Breached

An anonymous reader quotes a report from TechCrunch: Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch. "Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers. The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing. From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe's DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform. In other words, by hacking into only 14,000 customers' accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe." "Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures," the letter reads. [...] 23andMe's lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims. "The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe's platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver's license number, or any payment or financial information)," the letter read. "This finger pointing is nonsensical," said Zavareei. "23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing -- especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform."

"The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords," added Zavareei. "Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever."

the stolen data was freely shared to others...

[ebrandsberg]

Their position seems 100% understandable. They only thing they didn't do was leverage a database of known stolen credentials and enforce you can't reuse passwords, but I don't know of any website that does that. Chrome will alert you at the browser level if you reuse known stolen credentials however. If anything, the 14k users that reused their credentials stolen should be the ones being sued.

Re:the stolen data was freely shared to others...

[topologist]

Don't quite agree. Quoting

The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.

Did 23andme have no safeguards against brute-force attacks at scale? Or identifying logins from multiple accounts across a small set of IPs etc.? Or identifying logins from a location entirely different from the customary geolocation of the user, prompting an e-mail verification?

Gmail etc. all implement similar safeguards.

Yes, password hygiene is important, but blaming an 80 year old grandma for reusing a password is ridiculous, when a giant corporation could easily add safeguards.

Re:the stolen data was freely shared to others...

[GoRK]

At the end of the day, there simply isn't a bulletproof safeguard against someone knowing your security credentials, whatever they may be. For that, 23andMe is absolutely standing on solid ground. They are quite correct that each and every user that reused a known compromised credential is to blame.

OTOH I also run a site with a large userbase and know that there is absolutely no way that something like this could completely go unnoticed as it unfolded. What % of 23andMe's users actually even log in regularly? I'd guess maybe a couple of percent if they are lucky. And suddenly a full half of your users decide to start logging in... and authentication failures for nonexistent accounts go absolutely through the roof -- these things did absolutely happen and someone did absolutely see them happening inside that business.

Re:

[Pieroxy]

At the end of the day, there simply isn't a bulletproof safeguard against someone knowing your security credentials, whatever they may be

The attackers did not know their credentials. It was a dictionary attack. At least that what I understand in the sentence "brute-forcing accounts with passwords that were known to be associated with the targeted customers". The brute forcing does not make any sense if they knew which users were associated with which passwords.

Common security measures actually do counteract that. They are 100% to blame for not caring about security at all.

Re:

[slarabee]

It was brute forcing in the sense that the malicious actor had username/password pairs but did not know if any of these pairs were valid on 23 and Me. The brute forcing was trying every pair to see which ones were valid and which ones then did not hit an MFA wall. At least then is the general implication of 'cred stuffing' being used in the article.

Re:

[Junta]

You are correct, and "brute force" is misleading, but similar protections against brute forcing should also trigger mitigation against credential stuffing. I know that if a lot of unknown accounts try to hit my services, blacklists are triggered even if not a single "bad password" had been tried.

Re:

[slarabee]

Sometimes. Depends on the sophistication of the bad guy and what signals you are teasing out of the logs.

9394 consecutive login failures for user bob.smith is easy to pick up on. That is a classic brute force. (and one for which your company is going to disolve before the bad guy blindly guesses the bob.smith password)

Bob.smith had one failed login from one IP and 17 seconds later jen.jones has one failed logon from a different IP and 9 seconds later... Mix those failures in with a thousand legit log

Re:

[John-after-logtime]

"And suddenly a full half of your users decide to start logging in... and authentication failures for nonexistent accounts go absolutely through the roof" From what I understand only a small number of logins were successful - they made use Ancestry sharing to get data from relatives. The number of failures was likely high, but I haven't seen anything describing if they were spread over space and time which could have prevented the triggering of outlier flags.

Re:

[John-after-logtime]

Not Ancestry but 23&me

Re:

[iamhigh]

I maybe agree that this could have been caught with an IDS or simple account lockouts and limitations, but credential stuffing isn't brute-force. They weren't trying thousands and millions of passwords for a single account. They were trying 3-4 known passwords used by the email address. So, it could have been done over months from many IP addresses, avoiding detection. I did rtfa, but there aren't any more details so I don't think we can really say how the initial attack occurred.

Re:

[theshowmecanuck]

Should it even matter if the site uses properly salted and hashed passwords? I mean, the actual human readable password shouldn't be stored anywhere on the site. And each site will be doing the hash at a different time, on a different machine, so presumably the seeds are all different so the hash even for the same password should be different. How are they getting the actual passwords? What am I missing? Or is this something about password managers and single point of failure?

Re:

[John-after-logtime]

Yes, some sites have bad password storage policies and when they get hacked those passwords get added to the collections that bad guys keep. In this case those collections of user + psssword pairs were used to see which ones could successfully login.

Re:

[theshowmecanuck]

So are you saying they don't hash the passwords?

Re:

[John-after-logtime]

23andme probably does. Others might not. Or some malware that infects a login operation could get passwords as they are being entered.

Re:

[bloodhawk]

credential stuffing does not involve brute force attacks. It is by its nature very hard to detect beyond doing checks that users aren't using publically compromised credentials.

Re: the stolen data was freely shared to others...

[deijmaster]

Perfectly said.

Re:

[flink]

Their position seems 100% understandable. They only thing they didn't do was leverage a database of known stolen credentials and enforce you can't reuse passwords, but I don't know of any website that does that.

Scanning for known compromised passwords is a well-known best practice and is a feature many 3rd party identity providers such as Okta/Auth0. They also should have required or at least strongly encouraged some sort of 2FA.

At the very least, they should have denied access to the DNA relatives feature to accounts that lacked 2FA. That way the blast radius of a compromised account that was protected only by a password would be limited to only that account's data.

Re:

[John-after-logtime]

I don't think they got raw DNA of relatives.

Re: the stolen data was freely shared to others...

[deijmaster]

No.

Re:

[Junta]

I'd say there's a couple of questionable items:

-They managed to get into 14,000 accounts on the back of who *knows* how many attempts. On even a trivial internet facing service, I'm dynamically blacklisting clients if they appear to be walking an account list. If for no other reason to reduce the audit burden. There are things they can do to make it less obvious but at some point the activity should have flagged some sort of throttling in this day and age. The sort of recycled account database the attac

Re:

[Pf0tzenpfritz]

Soundcloud used to do that. At least they demanded I'd change my password because the same email/password pair was listed in a different breach. They were right - shame on me. Chrome used to have no master password (I believe it still doesn't) so all your credentials are known to Google who will use them to spy on you no matter what they'll tell you. And screw 2FA if Google's in the authentification chain...

Business ethics are broken...

[garyisabusyguy]

when the ONLY ethic is to "return shareholder value" and give the customer short shrift whenever they have been wronged

Re:

[Local ID10T]

Ethics:

If you ever wonder if what you are doing is ethical or not.. it isn't. Everything after that is just rationalization.

They can't place blame on peoples bad habbits?

[Murdoch5]

23andMe is not innocent, but they do bring up a good argument, IMO, if you reused a password how can you blame them? Good password hygiene is to never reuse password, and to use password managers that generate them for you. On top of that, does 23andMe support MFA? If they do, did you turn it on?

I don't know how many details has been released, and how accurate it is, for what caused the initial cluster bleep up to gain access, but if it's due to bad password hygiene on account of the user, well it's kind of fair game for them to point a finger, although they have a massive amount to answer for.

Re:They can't place blame on peoples bad habbits?

[slarabee]

23andMe is not innocent, but they do bring up a good argument, IMO, if you reused a password how can you blame them? Good password hygiene is to never reuse password, and to use password managers that generate them for you. On top of that, does 23andMe support MFA? If they do, did you turn it on?

Since 2019, 23andMe customers have had the option to utilize authenticator app 2-factor authentication, which adds an extra layer of security to their account. Starting today, we are requiring all customers use a second step of verification to sign into their account.

^ from a November 6, 2023 notice.

Re:

[Murdoch5]

There you go, so there's no real excuse from the user's prospective. I've never checked out their site or service, nor would I, but I actually respect a company for calling out the user, for once.

Re:They can't place blame on peoples bad habbits?

[flink]

But it wasn't just the user that was harmed, it was anyone who was remotely related to the user.

Re:They can't place blame on peoples bad habbits?

[Murdoch5]

Of course, which is why 23andMe is not innocent, which I clearly pointed out. Frankly, I think anyone who submits to DNA testing for fun is a nutter, specifically because of this kind of issue.

Re:

[93 Escort Wagon]

But it wasn't just the user that was harmed, it was anyone who was remotely related to the user.

I'd also like to know how 23andMe determines that account holders are "related". It's hard to believe the initial group of 14K victims was truly related to several million other 23andMe customers, unless you're going back to some common ancestor in Africa millenia ago.

Re: They can't place blame on peoples bad habbits?

[mmdurrant]

The good news is today you learned a bit about genetics!

Re:

[bloodhawk]

yes so those remotely related users should be Sueing the guilty user. I would never ever use a service like this, but so sick of users disowning all responsibility when they had the appropriate tools in their hands to prevent the problem.

Re:

[LainTouko]

No, just anyone who was remotely related to the user and opted to share their data with anyone remotely related to them. Which you probably shouldn't do if you're worried about strangers getting hold of it.

Re:

[thegarbz]

But it wasn't just the user that was harmed, it was anyone who was remotely related to the user.

How? No I'm seriously curious. How am I harmed if e.g. my father or daughter submits something to a database and it gets breached? Given I'm not in the database how does:
a) A hacker identify that I personally am the owner of a set of DNA.
b) Use this information in any way that is able to cause me harm.

It's an invasion of privacy yes, but "harm" has specific meaning and I'm struggling to identify how someone has been "harmed" (even ignoring that the dictionary definitions of harm imply it needs to be physica

Re:

[flink]

I was presupposing that the other person was a 23andme user as well. You could have a perfectly secure account, but because some ding dong 3rd cousin had a bad password the attacker is going to get your data.

Re:

[John-after-logtime]

Depends on how much PII (Personal Identifying Information) the relative has entered about you in their on-line tree. Also, if you are in a criminal DNA database you might be identified when the cops search the genealogy databases and find your close relatives.

Re:

[ocean_soul]

If they are not innocent, what do you think they are guilty of? Having users with bad security habits? Users should make sure to use secure and unique passwords, that is just common sense. If a breach is the result of a company having bad security, that is one thing. But if this story is correct, then this is indeed entirely the fault of the users.

Re:

[Murdoch5]

Yep, but do you believe that the entire problem is the users' password hygiene? They could have made sure to rotate passwords, force MFA, and other measures, including IP locking / geotagging, but didn't.

Re:

[slarabee]

Yep, but do you believe that the entire problem is the users' password hygiene? They could have made sure to rotate passwords, force MFA, and other measures, including IP locking / geotagging, but didn't.

Unfortunately then the user experience is compromised and your users either leave or start complaining.

Password rotation I loathe. IMO all it does for the vast majority of users is encourage simple passwords with predictable rotating portions that are trivial for a malicious actor to exploit. s/^(winter|spring|summer|fall)(19|20)\d{2}$/spring2024/ There. My wordlist for passwords has now been updated. Not that I have a solution to get users to pick cryptographically strong *unique* passwords for eac

Re:

[Murdoch5]

You're right, I gave really quick possible solutions, all annoying, but they can be successfully done. Ideally they should let a user white list IP's, and locations, and force MFA, then at least they gave it a good attempt.

You're right that password rotation is generally terrible, and leads to bad passwords, and you're right users at generally terrible at picking good passwords. I personally use ProtonPass, and have it generate my passwords for me. I prefer at least 64 characters + MFA.

Re:

[John-after-logtime]

IP/location blocking would be useless for a genealogy service which people often use when travelling. The previous post is correct about the other possible protections being a bad fit. And even for MFA - how many banks to this day still do not have it as a login requirement.

Re:

[Murdoch5]

I don't know how many banks make it mandatory, but even ones who do, don't do a good job of it. My bank uses SMS codes, which are basically the worst available option. Ideally, 23andMe, should make a settings page available where you can optionally set an IP lock and or Geo lock, if you want to, then at least you'd have the option to exercise control over where a login can be allowed from. I fully realize those can break, and be a real pain in the A.

Re:

[John-after-logtime]

So you travel to a different county where your ancestors lived to lookup data at the local library. How the flip are you supposted to know what IP address to whitelist before you get there.

Re:

[Murdoch5]

You wouldn't, and in that case you'd have to document the work and bring it home before you upload it, or if you know you're going to travel, remove the IP whitelist, and just go with a Geo Lock, or some combination of steps.

Re:

[stoborrobots]

Users are not the answer to security problems [nngroup.com]

Re:

[LainTouko]

Well, "use secure and unique passwords" is not really the full story, it's "use secure and unique passwords for accounts which you care about". Specifically, when the cost (small, but definitely existent) of managing more strong passwords is less than the risk (impact times probability) of breach. Which means that some users who do not actually care if their genetic information were to become exposed for anyone to look at will have no good reason not to just use a standard password they use for every accoun

Re:

[John-after-logtime]

For how many years have I seen advice such as "have a high security password and a low security password". Which of course is wrong - have unique passwords. Also advice of "don't write down passwords" which is also wrong - write them down but keep that list is a secure location off of a computer. And what I don't see enough of "make a unique email address" by using "+" sign techniques or different accounts.

Re:

[sconeu]

Yes, they are technically correct [giphy.com], but the optics are horrible here.

You're facing a zillion dollar suit plus potential penalties from FTC, and you go do this?

Re:

[Murdoch5]

Absolutely, but I still respect them for calling out a major issue.

Re:

[bugs2squash]

The way I read it. Customer A opts into the "DNA relatives" program. Customer B has a recycled password that is then leveraged to steal customer A's PII. How is Customer A at fault for using a feature of the 23 and me ?

Aside from the basic stupidity of using 23 and me at all

Re:

[LainTouko]

Well, Customer A is opting to share this data with an unknown group of other people. If this data leaking is important to them, they should consider the possibility that one of these unknown people might leak it. They should only opt to share it with unknown people if they don't care about it leaking.

Re:

[Murdoch5]

I agree with the person who commented.

Re:

[John-after-logtime]

An option is to have the ability to limit how much of your data is shared and to what distance the relatives.

Re:

[Junta]

If one account is compromised due to credential reuse, then it's reasonable to only blame the user.

If 14,000 accounts are compromised, then it's reasonable to blame the service.

Re:

[Murdoch5]

It's certainly a balancing act of whose guilty / at fault, and who should have taken better precaution. Both parties are guilty, but I'm glad they at least called out users.

Today in, I'm not gaslighting! You're gaslighting!

[aitikin]

But, seriously, I can only think the earliest customers were the only ones who probably didn't think about the data being stored forever. The moment one big data breach occurs, I often think about what data what company might have from me that's at risk and I immediately thought about genetic testing. Not sure which data breach tripped me to that thought (Sony?), but I appreciate it.

Reusing passwords correlated with ancestry?

[CommunityMember]

I am sure 23andMe can do a research study on that......

Well...

[kaldari]

They did opt-in to share their data with random strangers on the internet. I'm just surprised this didn't happen sooner.

Re:

[sound+vision]

They opted to share their data with blood relatives on the internet. That might include strangers, but not random strangers.

I don't think it's reasonable to expect the user to understand how the database permissions and user authentication are configured, but I'd also want to see exactly what they opted in to.

But I wouldn't be surprised if the whole database was compromised, separately from this, by multiple groups. The number and kind of groups who would be interested in this data makes it inevitable. Ever

Why is this 23andmeâ(TM)s fault?

[h0m3rs1mps0n]

Their position seems reasonable. If someone chooses an insecure password, and an attacker gains access to their account.. how is it 23andmeâ(TM)s fault?

Re: Why is this 23andmeâ(TM)s fault?

[h0m3rs1mps0n]

But those other users consented to have their data shared with close DNA matches (I donâ(TM)t particularly know the criteria for that). The hacked accounts met that criteria, so their data was also exposed.

Feels like....

[argStyopa]

....since this was ostensibly medically-relevant information, this might be a massive, massive HIPAA violation.

Re:

[flink]

....since this was ostensibly medically-relevant information, this might be a massive, massive HIPAA violation.

They aren't a medical provider, insurer, or medical clearinghouse, so they aren't covered by HIPAA. Even if they were, if you are using "reasonable" security measures, you aren't negligent if someone defeats them and gets access.

Re:

[argStyopa]

Thanks, I appreciate the response. I presume those are closely-defined in legal terms?

While conventional wisdom might be that they're not a medical provider, I feel almost certain that - say, for example - a lab to which you send blood samples to be tested that then comes back saying "oh you have Tay-Sachs" would almost CERTAINLY be under HIPAA, wouldn't it?

While 23andme (and the other gene-testing companies) are certainly vastly more informal about their tests and communication...maybe that's part of the

Re:

[flink]

Thanks, I appreciate the response. I presume those are closely-defined in legal terms?

While conventional wisdom might be that they're not a medical provider, I feel almost certain that - say, for example - a lab to which you send blood samples to be tested that then comes back saying "oh you have Tay-Sachs" would almost CERTAINLY be under HIPAA, wouldn't it?

While 23andme (and the other gene-testing companies) are certainly vastly more informal about their tests and communication...maybe that's part of the problem? I see the difference between them and the "serious genetic testing lab" as being really only a difference of degree, not of kind?

Yes, these three classes are revered to as "covered entities" under HIPAA and have specific definitions. You are right that it is a subtle but important difference. If 23AndMe represented itself as a medical lab, providing diagnostics, then it would be a provider and it would be a covered entity. However, since they are very clear that they are providing an informational service and not a diagnostic tool, they are not a provider. Even though the information that comes out of it is similar as if you wer

Re:

[argStyopa]

Brilliant advice, thanks. Maybe this whole issue will make that clearer for folks?

I wonder if there is a market for a sort of genetic testing with that level of protection? I mean, it's certainly information want, but a way to let people have it in a context of at least the level of protections they can expect for their medical records?

Certainly those commercial "retail" organizations that exist today are making a pile of $ on the resale of (at the very least) aggregated info, so I wonder how much - actua

Not letting 23andme off the hook

[dynamo_mikey]

They use email as a login which isn't the most secure option, and they either failed to notice or failed to act against a massive brute force attack on their system.

Not Completely Off the Hook

[organgtool]

I agree that their liability is somewhat limited for the DNA data of the 14,000 people who reused their credentials from other sites. However, for every person that reused credentials, ~493 people who didn't reuse credentials had their DNA data stolen. I think 23AndMe is far more on the hook for protecting that data and they certainly didn't do enough to detect intrusions. However, data breaches are becoming so common and there's rarely any meaningful consequences that I don't expect any serious penalties or even significant loss of business due to this breach. Companies won't change their behavior until they're made to pay for their screwups and 23AndMe must be pretty confident of that fact given that they feel comfortable blaming their own customers rather than accept an iota of responsibility.

I can't see how they're guilty

[CAIMLAS]

I can't see how 32andMe is guilty of anything here.

They've got MFA as an account requirement. They've continually improved their account security over time. The level of security they offer is on par with what's available through online banking, and 16k accounts is really not a lot at the end of the day.

Could they have done more? Sure, there's always more you can do. Likely dozens if not hundreds of things they could have done. The same is true of every service.

It's free service for those who have already p

Re:

[Pieroxy]

They got hacked by brute force and had *nothing* to protect them against that. They didn't even notice it.

Not guilty of negligence ?

Re:I can't see how they're guilty

[slarabee]

They got hacked by brute force and had *nothing* to protect them against that. They didn't even notice it.

Not guilty of negligence ?

The phrase 'brute force' was not used in the letter sent out by 23 and Me's lawyers. That was an addition by the Tech Crunch reporter.

It was not brute force in the sense that account "bob.smith" had all 7 quadrillion possible eight character passwords tried. Or even every entry in a password list like RockYou. What 23 & Me got was a login attempt for "bob.smith" trying a very very low number of passwords that had been associated with "bob.smith" in previous breaches from other firms. Quite possibly with each attempt coming from a different IP. Or spread out over time. And mixed in with attempts to try known username and password pairs for other user names.

These attacks can be teased out with a lot of analytics, but it is not trivial.

Re:

[jvkjvk]

>It's free service for those who have already paid, as I understand it.

What kind of twisted logic is this? Yes, after you paid a lot of money, access to a simple website about your data is free. Doesn't mean lax security should be in place.

Re:

[John-after-logtime]

MFA was an option. It became a requirement after the attack was known to the public.

Despite Headline 23andme has a Good Argument

[SmaryJerry]

The headline of this article makes it appear like 23 is in the wrong but it's not so clear. The article indicates passwords were "Brute Forced" which is not just a generic leak of passwords. Brute Force attacks should be a thing of the past due to login limits and time out. A user might still use an extremely common password that can be guessed within 10 guesses anyways though. Given that the data 'stolen' on the non-hacked users is not actual DNA data, but rather just relation and profile data, then this s

Re:

[John-after-logtime]

The attack used email and password pairs known from other attack lists. So this wasn't a typical password brute force attack. Therefor I can't see how a login limit would be effective unless every login attempt (or a great number) came from the same source and I've not seen any evidence of that.

How hard is it!

[bumblebees]

How hard is it to implement a password reentry timeout... And failtoban

Re:

[John-after-logtime]

Really hard if each account had only 2 failures 2 weeks apart. We don't know about the spread over time and space, the number of failures, etc. or what failure banning they had in place.

Fuck them

[jdawgnoonan]

These companies have no ethics whatsoever. This is really not different than Purdue pharma blaming the addicts for getting addicted to Oxy other than it isn’t killing anyone. That said, we know that these types of companies also sell the genetic data that they are paid to analyze, and so there is no surprise.

Re:

[gweihir]

Unfettered capitalism at work. Absolve enterprises of all responsibilities and you will always find some greedy scum that is willing to sell it and make it cheaper than possible, i.e. the product will be dangerous.

Sure

[gweihir]

The user share responsivity by trusting this scummy company in the first place. Does not lessen the responsibility of 23andme in any way though.

Otter said it best

[evil_aaronm]

"You fucked up! You trusted us!"

Re:

[LainTouko]

It was actually more "you trusted everyone in this unknown group of other users!" (Not to reuse passwords.)

Six of one

[jd]

23&Me didn't expire passwords, didn't have much in the way of strength checks (I don't recall seeing any), and didn't mandate 2FA.

These things were under 23&Me's control.

Reuse of passwords and poor passwords are under the control of users.

So I wouldn't consider this to exonerate 23&Me - they're responsible for their shortcuts - but they should have reduced responsibility because the users are responsible for their own shortcuts.

I was going to say diminished responsibility, but that has a specifi

Re:

[John-after-logtime]

Can you name which on-line services have password expiration policies.

Full-random passwords are required for everything

[phoenix321]

Re-using passwords is gross negligence. Using any dictionary word or shorter than 10 characters is at least simple negligence.

Using weak security to protect the access to one's own DNA data is absolutely idiotic. It doesn't matter what the service enforces the passwords to be - the person using the service has to make reasonable efforts to maintain their own security. Only then can the providers be sued.

"Oh McDonald's didn't prevent or warn me from using the five-second-rule for a chicken nugget dropped on

Better controls.

[deijmaster]

Forget about credential stuffing... The second you can brute-force accounts, you're solution is weak - plain and simple.

fairs fair

[Growlley]

guess it was those users responsible for any profit - so they should get that too.

Circling the Drain !

[redelm]

I do not know 23andMe nor it's financial conditions. But I do know that blaming the victims and worse, blaming customers, is far more a legal strategy to minimize liability than a marketting strategy to attract customers. I also presume that 23andMe decisionmakers are aware of this difference, and have chosen it. I suspect they're selling-out their database to someone who will likely abuse it.

Blaming the victims for bad system design

[TomGreenhaw]

Designing a system where allowing hacked accounts to see my private data should at the very least have clear security warnings. They encourage sharing info with DNA relatives but don't make the implications obvious. It's a case of favoring sales over privacy, and with something like personal health information completely unacceptable.

According to an article in Wired magazine, there are cases of users who use unique email/usernames and complex passwords that were breeched.

In their favor, they now have em