When a company has plenty of egg on its face, it’s probably unwise for management to blame the chicken. The genetic testing company 23andMe, beset by lawsuits stemming from a massive data breach, recently said customers victimized by the hack have only themselves to blame.

TechCrunch reported on Wednesday that the company had sent a letter to the attorneys for a group of victims who are pursuing a class-action lawsuit. In it, the company said “users negligently recycled and failed to update their passwords following these past security incidents,” supposedly absolving 23andMe from any responsibility for misuse of personal information. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”

Hassan Zavareei, a lawyer with the firm handling the class action — one of about 30 lawsuits spawned from the October 2023 data breach — didn’t think much of 23andMe’s reasoning. “Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” he told TechCrunch.

The damage control effort may be too little, too late, and too unconvincing, but it’s not hard to see why 23andMe’s leadership is pursuing any path to minimizing liability. The first figures the company gave after its October 6 breach announcement put the number of affected customers at about 14,000. By late December, though, the company disclosed that hackers had stolen data from 6.9 million users, about half of its total customer base.

The hackers behind the breach used a technique called credential stuffing: they took username and password pairs exposed in earlier, unrelated breaches and replayed them against 23andMe’s login, counting on customers having reused the same password. It is not a brute-force attack on any one account; each stolen pair is tried once or a few times, and the small fraction that still works yields a foothold. Once inside a hijacked account, the attackers did not stop at that account’s data. They used 23andMe’s DNA Relatives feature, which shows a logged-in user the profiles of people the platform has matched to them, to scrape personal data for 6.9 million customers who had opted in, the vast majority of whom never had their own credentials guessed. “Of those millions, only a few thousand accounts were compromised due to credential stuffing,” Zavareei said. “23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever.”
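As an added illustration (this is example code written for this page, not code from the article, from 23andMe, or from any real log source), the following Python shows two things a defender would want to see: how credential stuffing looks different from brute force in authentication logs, and how a relatives-matching feature lets a handful of hijacked accounts expose far more profiles than were actually broken into. The log format, the thresholds, the IP addresses, the usernames and the relatives graph are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample login events (NOT real 23andMe logs). The line format
# "timestamp ip=... user=... result=OK|FAIL" is an assumption for this example.
# 203.0.113.5 shows the credential-stuffing shape: many distinct usernames,
# about one attempt each, mostly failures, a few successes.
# 198.51.100.7 shows classic brute force: one username, many attempts.
# 192.0.2.9 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=OK
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=frank result=OK
2023-10-01T12:00:04Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=ivan result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.5 user=judy result=FAIL
2023-10-01T12:01:00Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:01:01Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:01:02Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:01:03Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:01:04Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:01:05Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:02:00Z ip=192.0.2.9 user=alice result=OK
2023-10-01T12:02:30Z ip=192.0.2.9 user=alice result=FAIL
2023-10-01T12:02:35Z ip=192.0.2.9 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events, min_users=5, max_attempts_per_user=2.0,
                             min_fail_ratio=0.5):
    """Return {ip: [usernames the attacker got into]} for source IPs whose
    traffic matches the credential-stuffing shape: many distinct usernames,
    few attempts per username (each stolen pair is tried once or twice),
    and a high failure rate (most leaked passwords no longer work).
    Brute force against one account fails the min_users check on purpose.
    Thresholds are illustrative, not tuned values."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(e["user"])

    flagged = {}
    for ip, s in by_ip.items():
        n_users = len(s["users"])
        if n_users < min_users:
            continue
        if s["attempts"] / n_users > max_attempts_per_user:
            continue  # one account hammered repeatedly: brute force, not stuffing
        if s["fails"] / s["attempts"] < min_fail_ratio:
            continue  # a busy but mostly successful IP (NAT, corporate proxy)
        flagged[ip] = sorted(s["hits"])
    return flagged


# Constructed relatives graph: user -> set of matched users whose profile that
# user can see through a DNA-Relatives-style feature. Visibility is one hop:
# a logged-in user sees their own matches, not their matches' matches.
RELATIVES = {
    "carol": {"alice", "dave", "erin", "heidi"},
    "frank": {"grace", "ivan", "judy", "kim", "leo"},
    "alice": {"carol"},
    "mallory": {"bob"},
}


def exposed_via_relatives(compromised, relatives):
    """Set of users whose profile data an attacker can read after taking over
    the given accounts: the accounts themselves plus every match visible to
    them. None of the matched users had their own password guessed."""
    exposed = set(compromised)
    for acct in compromised:
        exposed |= relatives.get(acct, set())
    return exposed


if __name__ == "__main__":
    hits = find_credential_stuffing(parse_log(SAMPLE_LOG))
    print("stuffing sources:", hits)
    victims = exposed_via_relatives([u for users in hits.values() for u in users], RELATIVES)
    print(f"{sum(len(v) for v in hits.values())} accounts hijacked, "
          f"{len(victims)} profiles exposed")
```

The detector keys on the ratio the article's figures imply: a handful of successes buried in a large volume of single-attempt failures across many usernames, which is exactly the signature a per-account lockout policy never sees. The second function is why a few thousand hijacked accounts became millions of exposed records: the amplification comes from what each hijacked account is allowed to view, so rate limiting and enforced two-factor authentication close the front door but do nothing to shrink the blast radius of an account that is already logged in.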

The company also frantically tried to insulate itself from further liability after the announcement of the wider breach, changing its terms of service in an attempt to ward off further litigation. It also required customers to use two-factor authentication in a hurried overhaul of its security protocols.

The genetic testing company clearly didn’t read consultant Triah Allmon’s 2014 commentary on LinkedIn. Even the headline would have been good advice: “NEVER blame your client unless you want to KILL your brand!” Customer Dante Termohs was underwhelmed by 23andMe’s counterpunch. He told TechCrunch it was “appalling that 23andMe is attempting to hide from consequences instead of helping its customers.”