Genetic testing company 23andMe is being sued by some users after their data was accessed without permission. The company says the users are at fault because they reused passwords that had already been exposed in breaches of other websites.
In a letter to lawyers representing the affected users, 23andMe said it had not violated the California Privacy Rights Act. It said the intrusion happened because some users had reused passwords that were already leaked in breaches of other websites, a technique known as "credential stuffing": attackers replay username and password pairs from old breach dumps against a new site and keep whichever logins still work. It is not a brute-force attack; each account typically sees a single attempt with the one password the attacker already holds.
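The pattern described above shows up clearly in authentication logs, and the signature is different from a brute-force attack: one source address, one attempt per account, a long list of distinct accounts, and a mostly-failed success rate with a handful of hits. The following is an added example of how a defender might pick that pattern out; it is not code from 23andMe or from any party to the lawsuit. The log line format, the thresholds in `classify_ip`, and the sample traffic are all assumptions constructed for the example.

```python
"""Spot credential stuffing in authentication logs (added example, not 23andMe code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical log line format, assumed for this example:
#   <timestamp> ip=<address> user=<account> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that logged in OK


def parse_log(lines):
    """Return one dict per well-formed line; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_ip(events):
    stats = defaultdict(IpStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return dict(stats)


def classify_ip(s, min_attempts=10, spray_ratio=0.8, fail_ratio=0.6):
    """Thresholds are assumptions chosen for the example, not a vendor default.

    Credential stuffing: many attempts, nearly every one against a *different*
    account (the attacker replays one leaked pair per account), mostly failing.
    Brute force: many attempts, concentrated on one or two accounts.
    """
    if s.attempts < min_attempts:
        return "benign"
    failed = s.failures / s.attempts
    spread = len(s.users) / s.attempts
    if failed >= fail_ratio and spread >= spray_ratio:
        return "credential_stuffing"
    if failed >= fail_ratio and len(s.users) <= 2:
        return "brute_force"
    return "benign"


def analyze(lines):
    """Return ({ip: verdict}, {accounts taken over by a stuffing source})."""
    stats = summarize_by_ip(parse_log(lines))
    verdicts = {ip: classify_ip(s) for ip, s in stats.items()}
    takeovers = set()
    for ip, s in stats.items():
        if verdicts[ip] == "credential_stuffing":
            # A success from a stuffing source means the reused password worked.
            takeovers |= s.successes
    return verdicts, takeovers


def _build_sample_log():
    """Constructed sample traffic (not real 23andMe logs)."""
    lines = []
    for i in range(12):  # one leaked pair tried per account; two still work
        user = f"user{i:02d}"
        result = "OK" if user in ("user03", "user09") else "FAIL"
        lines.append(f"2023-10-01T12:00:{i:02d}Z ip=203.0.113.5 user={user} result={result}")
    for i in range(15):  # classic brute force against a single account
        lines.append(f"2023-10-01T12:01:{i:02d}Z ip=198.51.100.9 user=bob result=FAIL")
    lines.append("2023-10-01T12:02:00Z ip=192.0.2.1 user=alice result=OK")  # normal login
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    verdicts, takeovers = analyze(SAMPLE_LOG)
    for ip, verdict in verdicts.items():
        print(f"{ip:<14} {verdict}")
    print("accounts to force-reset:", sorted(takeovers))
```

The point of the `takeovers` set is that, in a stuffing campaign, the rare successful logins are the ones that matter: a per-account lockout never triggers because each account is tried once, so the detection has to key on the source and then treat every success from that source as a compromised account to reset.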
About 14,000 accounts were broken into directly with credential stuffing. Because those accounts had opted in to the DNA Relatives feature, the attackers could then pull data on the users connected to them: roughly 5.5 million DNA Relatives profiles and about 1.4 million Family Tree profiles, for a total of about 6.9 million affected users.
The company had about 14 million customer profiles at the time of the breach.
The lawyer representing the users said 23andMe is trying to blame the customers instead of taking responsibility. He said the breach affected millions of people, not just the few thousand whose passwords were reused.
The attackers also posted stolen data online in sets targeting users with Ashkenazi Jewish and Chinese heritage.
To improve security, 23andMe now requires two-factor authentication for all users and has asked everyone to reset their passwords. A second factor blunts credential stuffing directly, since a password leaked from another site is no longer enough on its own to log in.
The company’s stock dropped by over 8% on Wednesday afternoon.