23andMe, a genetic testing company, is facing over 30 lawsuits after a massive data breach affecting nearly half of its customers. The breach initially compromised about 14,000 accounts through credential stuffing, but eventually led to the exposure of 6.9 million users’ genetic and ancestry data. That wider exposure was possible because the compromised accounts had opted into the DNA Relatives feature, which shares profile data with other users the platform identifies as relatives.
In a controversial move, 23andMe blamed the victims, claiming that the breach resulted from users recycling passwords, not from the company’s security measures. Critics argue this stance overlooks the company’s responsibility to safeguard personal and genetic information against such attacks. Following the breach, 23andMe reset all customer passwords and mandated multi-factor authentication, which was previously optional. The company also modified its terms of service, seemingly to deter class action lawsuits and mass arbitration claims.