23andMe blames users for data breach, citing recycled passwords

Genetic testing company 23andMe is facing a class action lawsuit after users’ data was accessed without authorization – a breach it blames on customers who used a recycled password as login credentials for their account on the home DNA firm’s website.

23andMe wrote in a letter responding to attorneys representing customers whose data was exposed that no breach occurred under the provisions of the California Privacy Rights Act because users targeted in the initial breach were using login credentials that had been exposed in breaches involving other websites through the use of a tactic called “credential stuffing.” The letter was first reported by TechCrunch and confirmed independently by FOX