Infosec experts divided over 23andMe's 'victim-blaming' stance on data breach
Users apparently at fault after reusing credentials the company didn't check were already compromised
23andMe users' godawful password practices were supposedly to blame for the biotech company's October data disaster, according to its legal reps.
Nope, the biotech firm's infrastructure management was certainly not at fault in any way when 6.9 million users had their data compromised after some 14,000 accounts were broken into via credential stuffing.
Users recycling credentials compromised in separate, unrelated breaches has been pinpointed by 23andMe as the main reason why a boatload of data ended up in the hands of cybercriminals. The lack of mandatory 2/MFA or checks for compromised credentials used on the site, for example, is not cited as a significant influence.
The claims were made in a letter [PDF] sent to the lawyers representing customers behind a lawsuit against 23andMe, alleging violations against the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act, the Illinois Genetic Information Privacy Act (GIPA), and various common laws.
The letter, which was first reported by TechCrunch, read: "As set forth in 23andMe's October 6, 2023 blog post, 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials – that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures under the CPRA."
Hassan Zavareei, one of the lawyers representing the plaintiffs in the case, said the company is neglecting customers and downplaying the seriousness of the incident.
The blog post referenced in the letter, last updated on December 5, differs very little from the wording of the company's lawyers, making all the same points, just without playing the blame game so directly.
There is no reference to user negligence or failure in the blog, and its most recent update is concluded with a list of the additional measures the company has implemented to protect users from attacks in the future.
From a PR perspective, the response from the biotech company was described as striking completely the wrong tone. Yvonne Eskenzi, co-founder of infosec PR agency Eskenzi, said: "From a crisis comms standpoint, 23andMe's response to its breach misses the mark completely.
"The decision to blame the victims has fuelled negative press, dodged responsibility, and failed to express any compassion towards those impacted. While this is probably heavily driven by the company's legal department, the letter's tone will likely anger customers and fuel backlash. Ultimately, in many cases, the average person may not know that their password has been compromised elsewhere. It is up to an organization to make sure that its security measures are robust enough to mitigate any end-user risk. Publicly downplaying the risk and deflecting blame is undoubtedly poor PR."
In the infosec industry, experts appear to be divided on the matter, although the majority opposed the stance of 23andMe.
"Organizations should take responsibility for any cyber breaches that occur within their infrastructure," said James McQuiggan, security awareness advocate at KnowBe4.
"In today's society, multi-factor authentication should be the standard of access, authentication, and authorization when accessing sensitive information like personally identifiable information. This feature significantly reduces the risk of a successful attack due to credential stuffing and password reuse by its users."
Prior to the data breach in October, 23andMe did not mandate the use of 2FA, but said it has supported authenticator app-based 2FA since 2019.
Many others opposed the company's stance, including Rachel Tobac, CEO at SocialProof Security and member of CISA's Technical Advisory Council, who said the implementation of tools to check whether credentials have been compromised would be an effective countermeasure.
"Most organizations still allow users to sign up and continue to use passwords on their platform that have been known as compromised and could be used against their users in a credential stuffing attack on their platform," she said. "I recommend discussing integrating HaveIBeenPwned ASAP into your sign-up/sign-on flows to limit this real risk."
The average internet user is unlikely to be aware of the different tools available to check the safety of their reused credentials, relying on the platforms they engage with to alert them in the same way they typically do for weak passwords during the sign-up phase.
- Infostealer malware, weak password leaves Orange Spain RIPE for plucking
- Formal ban on ransomware payments? Asking orgs nicely to not cough up ain't working
- 23andMe responds to breach with new suit-limiting user terms
- Cybercrim claims fresh 23andMe batch takes leaked records to 5 million
Arguably, even fewer may be aware of the full consequences of reusing compromised credentials, or what a credential stuffing attack is, even if they had been made aware they were previously compromised.
The recommendation to implement the HaveIBeenPwned API was one many commentators echoed, and 2FA not being the default setting was another prominent criticism.
"Password reuse is a well-known security faux pas but it continues to occur and is often seen as a two-way street especially if second-layer authentication is not available," said Jake Moore, global cybersecurity advisor at ESET.
"Furthermore, access to large amounts of data must never be stood behind a password alone due to this age-old issue. The most successful way to counterattack password stuffing is to implement MFA by default for all users and accept the risk of losing users who are not willing to accept this protection feature."
Not all industry pros were aligned in their thinking, though. Infosec consultant Paul Moore, for example, said "passwords are chosen relative to the importance of the data it protects."
"If you reuse a weak password to 'protect' your 23andMe data, you have to accept some, if not all liability when the inevitable happens... assuming that's the point of entry," he posted to X. "Firms can only do so much."
Robert Graham, cybersecurity expert and owner of Errata Security, also took to the platform backing 23andMe, saying: "It's the customer's fault that they got hacked. It's something the customer did, not something 23andMe did. If you deliberately drive into a tree with your Toyota, it's not Toyota's fault you crashed your car," before being pulled apart in the replies.
The Register approached 23andMe for comment but it did not respond. ®