Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • Zoolander
    175 points · 1 year ago

    I’m seeing so much FUD and misinformation being spread about this that I wonder what’s the motivation behind the stories reporting this. These are as close to the facts as I can state from what I’ve read about the situation:

    1. 23andMe was not hacked or breached.
    2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
    3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
    4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
    5. All compromised accounts did not have MFA enabled.
    6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
    7. No data that wasn’t opted into was shared.
    8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

    I agree with 23andMe. I don’t see how it’s their fault that users reused their passwords from other sites and didn’t turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn’t suddenly make them culpable for users’ poor security practices.
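    Point 4 above describes an attacker spending one botnet node per account and picking nodes near each victim's last known location, which is exactly the pattern that per-IP rate limits and geo-velocity checks miss. As an added example (not from this thread or from 23andMe), the detector below looks instead for the aggregate signature in a constructed login log and flags the successful logins that need follow-up; the log format, field names and thresholds are assumptions.

```python
"""Aggregate detection of distributed credential stuffing in a login log.
Added example, not 23andMe's code. Constructed log format, one event per line:
  <ISO timestamp> user=<login> ip=<source ip> result=<ok|fail> mfa=<yes|no>
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>ok|fail) mfa=(?P<mfa>yes|no)$"
)

@dataclass
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    ok: bool
    mfa: bool

@dataclass
class WindowVerdict:
    start: datetime
    failures: int
    distinct_users: int
    distinct_ips: int
    flagged: bool
    # successes in a flagged window needing follow-up (session review, step-up
    # or forced reset): no MFA on the account and an IP never seen on it before
    suspicious_successes: list = field(default_factory=list)

def parse_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        events.append(LoginEvent(datetime.fromisoformat(m["ts"]), m["user"],
                                 m["ip"], m["result"] == "ok", m["mfa"] == "yes"))
    return sorted(events, key=lambda e: e.ts)

def detect_stuffing(events: list, window: timedelta = timedelta(minutes=10),
                    min_failures: int = 20, spread: float = 0.8) -> list:
    """Score fixed time windows for the stuffing signature.
    One node per account, matched to the victim's region, never trips a per-IP
    limit or a geo-velocity check. What survives is the aggregate: many failures,
    almost every one on a different account and from a different IP. `spread`
    is the required fraction of unique users/IPs among failures (an assumption).
    """
    if not events:
        return []
    known_ips = {}  # user -> IPs seen on earlier successful logins
    verdicts = []
    t0 = events[0].ts
    i = 0
    while i < len(events):
        start = t0 + window * ((events[i].ts - t0) // window)
        bucket = []
        while i < len(events) and events[i].ts < start + window:
            bucket.append(events[i])
            i += 1
        fails = [e for e in bucket if not e.ok]
        users = {e.user for e in fails}
        ips = {e.ip for e in fails}
        flagged = (len(fails) >= min_failures
                   and len(users) >= spread * len(fails)
                   and len(ips) >= spread * len(fails))
        verdict = WindowVerdict(start, len(fails), len(users), len(ips), flagged)
        for e in bucket:
            if not e.ok:
                continue
            seen = known_ips.setdefault(e.user, set())
            if flagged and not e.mfa and e.ip not in seen:
                verdict.suspicious_successes.append((e.user, e.ip))
            seen.add(e.ip)
        verdicts.append(verdict)
    return verdicts

def constructed_log() -> str:
    """Normal morning traffic, then a distributed stuffing run (constructed)."""
    lines = [
        "2023-10-01T09:00:00 user=alice ip=203.0.113.10 result=ok mfa=yes",
        "2023-10-01T09:01:12 user=bob ip=198.51.100.7 result=fail mfa=no",
        "2023-10-01T09:01:40 user=bob ip=198.51.100.7 result=ok mfa=no",
        "2023-10-01T09:03:02 user=carol ip=192.0.2.44 result=ok mfa=no",
    ]
    # 30 accounts, one attempt each, each from its own node; three reused
    # passwords still work and none of those accounts has MFA.
    for n in range(30):
        ok = n in (4, 17, 23)
        lines.append(f"2023-10-01T09:2{n // 10}:{n % 10 * 5:02d} "
                     f"user=victim{n:02d} ip=192.0.2.{100 + n} "
                     f"result={'ok' if ok else 'fail'} mfa=no")
    return "\n".join(lines)
```

The same 27 failures from one IP would not be flagged by this rule; that case is what an ordinary per-IP limit already handles.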

      • @[email protected]
        1 point · 1 year ago

        Common thing, a lot of people despise MFA. I somewhat recently talked with 1 person who works in IT (programmer) that has not set up MFA for their personal mail account.

      • Zoolander
        5 points · 1 year ago

        It’s just odd that people get such big hate boners from ignorance. Everything I’m reading about this is telling me that 23andMe should have enabled forced MFA before this happened rather than after, which I agree with, but that doesn’t mean this result is entirely their fault either. People need to take some personal responsibility sometimes with their own personal info.

      • Zoolander
        1 point · 1 year ago

        Laziness alone is a pretty big reason. MFA was available and users were prompted to set it up. The fact that they didn’t should tell you something.

    • @[email protected]
      0 points · 1 year ago

      I think most internet users are straight-up smooth-brained. I have to pull my wife’s hair to get her to not use my first name twice and the year we were married as a password, and even then I only succeed 30% of the time. And she had the nerve to bitch and moan when her Walmart account got hacked; she’s just lucky she didn’t have the CC attached to it.

      And she makes 3 times as much as I do, there is no helping people.

      • Snot Flickerman
        0 points · 1 year ago (edited)

        These people remind me of my old roommate who “just wanted to live in a neighborhood where you don’t have to lock your doors.”

        We lived kind of in the fucking woods outside of town, and some of our nearest neighbors had a fucking meth lab on their property.

        I literally told him you can’t fucking will that want into reality, man.

        You can’t just choose to leave your doors unlocked hoping that this will turn out to be that neighborhood.

        I eventually moved the fuck out because I can’t deal with that kind of hippie dippie bullshit. Life isn’t fucking The Secret.

        • R0cket_M00se
          0 points · 1 year ago

          I have friends that occasionally bitch about the way things are but refuse to engage with whatever systems are set up to help solve whatever given problem they have. “It shouldn’t be like that! It should work like X.”

          Well, it doesn’t. We can try to change things for the better but refusal to engage with the current system isn’t an excuse for why your life is shit.

          • Snot Flickerman
            0 points · 1 year ago (edited)

            The bootlickers really come out of the woodwork here to suck on corporate boot.

            Edit: wrong thread.

            • NoIWontPickaName
              -1 point · 1 year ago

              What in the fuck are you talking about? You’re the one standing up for the corporation.

              • Snot Flickerman
                0 points · 1 year ago (edited)

                Yeah that is my bad, responded to the wrong thread.

                In this case, the corporation isn’t wrong that users aren’t doing due diligence.

      • dream_weasel
        2 points · 1 year ago (edited)

        Would bet your password includes “password” or something anyone could guess in 10 minutes after viewing your Facebook profile.

        Edit: Your l33t hacker name is your mother’s maiden name and the last four of your social, bro. Mine’s hunter1337, what’s yours?

      • capital
        0 points · 1 year ago

        By your logic I hack into every site I use by … checks notes presenting the correct username and password.

  • kingthrillgore
    48 points · 1 year ago

    Blaming your customers is definitely a strategy. It’s not a good one, but it is a strategy.

    BRB deleting my 23AndMe account

        • @[email protected]
          2 points · 1 year ago

          They’re an American company, and I’m not yet aware of any lawsuits setting the precedent of the GDPR applying to server infrastructure in the USA, which is outside the jurisdiction of the GDPR.

          So if they’ve copied your data to their American servers already (you can bet they have), it’s there for good.

      • Ignisnex
        2 points · 1 year ago

        UPDATE user_data SET deleted = 1 WHERE ID = you.

        Done. Data deleted. All gone forever. Definitely doesn’t just hide it from the user.

  • @[email protected]
    37 points · 1 year ago

    OP spreading disinformation.

    Users used bad passwords. Their accounts were accessed using their legitimate, bad passwords.

    Users cry about the consequences of their bad passwords.

    Yeah, 23AndMe has some culpability here, but the lion’s share is still on the users themselves.

    • @[email protected]
      11 points · 1 year ago

      From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature.

      How exactly are these 6.9M users at fault? They opted in to a feature of the platform that had nothing to do with their passwords.

      On top of that, the company should have enforced strong passwords and forced 2FA for all accounts. What they’re doing is victim blaming.

      • @[email protected]
        6 points · 1 year ago (edited)

        Users knowingly opted into a feature that had a clear privacy risk.

        Strong passwords often aren’t at issue, password re-use is. If un-{salted, hashed} passwords were compromised in a previous breach, then it doesn’t matter how strong those passwords are.

        Every user who was compromised:

        1. Put their DNA profile online
        2. Opted to share their information in some way

        A further subset of users failed to use a unique and strong password.

        A 2FA token (think Matrix) might have helped here, other than that, individuals need to take a greater responsibility for personal privacy. This isn’t an essential service like water, banking, electricity etc. This is a place to upload your DNA profile…

        • @[email protected]
          0 points · 1 year ago

          As I said elsewhere, the company implemented this feature and apparently did not do absolutely jack about the increased risk of account compromise deriving from it. If I were sitting in a meeting discussing this feature I would immediately say that accounts which share data with others are way too sensitive and at least these should have 2fa enforced. If you don’t want it, you don’t share data. Probably the company does not have a good security culture and this was not done.

        • Hegar
          -3 points · 1 year ago (edited)

          users knowingly opted into a feature that had a clear privacy risk.

          Your aunt who still insists she’s part Cherokee is not as capable of understanding data security risks as the IT department of the multi-million dollar company that offered the ludicrously stupid feature in the first place.

          People use these sites once right? Who’s changing their password on a site they don’t log into anymore? Given that credential stuffing was inevitable and foreseeable, the feature is obviously a massive risk that shouldn’t have been launched.

    • @[email protected]OP
      6 points · 1 year ago

      How am I spreading disinformation? I just contributed an article I found interesting for discussion.

      • @[email protected]
        6 points · 1 year ago

        It’s worth noting that OP simply used the article title.

        The article title is a little biased; individuals must take greater personal responsibility.

        • @[email protected]OP
          1 point · 1 year ago

          I don’t know title etiquette in this forum. I used the author’s title because it is their article, not mine, and thus their opinion/research/AI output.

    • Hegar
      0 points · 1 year ago

      Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves

      Tell me you didn’t read the article without telling me.

      If 14,000 users who didn’t change a password on a single-use website they probably only ever logged into twice gives you 6.9 million users’ personal info, that’s the company’s fault.

      • JohnEdwa
        5 points · 1 year ago (edited)

        You didn’t read it either. They gained access to shared information between the accounts because both accounts had enabled the “share my info with my relatives” option.

        Logging into someone’s Facebook and seeing their friends and all the stuff they posted as “friends only” and their private DM discussions isn’t a hack or a vulnerability, it’s how the website works.

        • @[email protected]
          1 point · 1 year ago

          It doesn’t matter. It is a known attack and the company should have implemented measures against it.

          At the very least, they should have made a threat modeling exercise and concluded that with this sharing feature, the compromise of a single account can lead to compromise of data for other users. One possible conclusion is that users who shared data should be forced to have 2fa.

        • Hegar
          0 points · 1 year ago (edited)

          Launching a feature that lets an inevitable attack access 500 other people’s info for every compromised account is a glaring security failure.

          Accounting for foreseeable risks to users’ data is the company’s responsibility and they launched a feature that made a massive breach inevitable. It’s not the users’ fault for opting in to a feature that obviously should never have been launched.

  • Alien Nathan Edward
    33 points · 1 year ago

    “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe…Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

    This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account’s data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

    • @[email protected]
      5 points · 1 year ago

      It’s terrible design. If they know their users are going to do this, they’re supposed to work around that. Not leave it as a vulnerability.

    • FiveMacs
      4 points · 1 year ago

      And it’s your fault you have access to them. Stop doing bad things and keep your information secure.

      • Alien Nathan Edward
        0 points · 1 year ago

        You clearly have no familiarity with the principles of information security. 23andMe failed to follow a basic principle: defense in depth. The system should be designed such that compromises are limited in scope and cannot be leveraged into a greater scope. Password breaches are going to happen. They happen every day, on every system on the internet. They happen to weak passwords, reused passwords and strong passwords. They’re so common that if you don’t design your system assuming the occasional user account will be compromised then you’re completely ignoring a threat vector, which is on you as a designer. 23andMe didn’t force 2 factor auth (https://techcrunch.com/2023/11/07/23andme-ancestry-myheritage-two-factor-by-default/) and they made it so every account had access to information beyond what that account could control. These are two design decisions that enabled this attack to succeed, and then escalate.
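        A small model of the two design points argued above (every account can read many others' data, and nothing limited the scope of one compromised account) and of the threat-modelling conclusion raised earlier in the thread, that accounts which share data should be required to have 2FA. Added example, not 23andMe's code or data model; the account names, the ring-shaped relative graph and the SharingPolicy gate are constructed assumptions.

```python
"""Blast radius of an opt-in relative-sharing feature, with and without an
MFA gate on the opt-in. Added example with a constructed toy data model; it is
not 23andMe's code or schema."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    mfa: bool = False
    shares_with_relatives: bool = False
    relatives: set = field(default_factory=set)  # names of matched relatives


class SharingPolicy:
    """Decides whether an account may opt into relative sharing."""

    def __init__(self, require_mfa_to_share: bool):
        self.require_mfa_to_share = require_mfa_to_share

    def enable_sharing(self, acct: Account) -> bool:
        # The control suggested in the thread: no sharing without MFA.
        if self.require_mfa_to_share and not acct.mfa:
            return False
        acct.shares_with_relatives = True
        return True


def readable_by(viewer: Account, directory: dict) -> set:
    """Profiles a logged-in session of `viewer` can read: mutual opt-in only."""
    if not viewer.shares_with_relatives:
        return set()
    return {r for r in viewer.relatives if directory[r].shares_with_relatives}


def exposure(compromised, directory: dict) -> set:
    """Union of third-party profiles readable from the compromised sessions.

    This is the number the thread argues about: a stuffing run that lands on
    N accounts exposes up to N * (shared relatives per account) profiles."""
    exposed = set()
    for name in compromised:
        exposed |= readable_by(directory[name], directory)
    return exposed


def build_directory(n: int, reach: int, mfa_every: int,
                    policy: SharingPolicy) -> dict:
    """Constructed population: account i is related to the `reach` accounts on
    either side of it (a ring), and every `mfa_every`-th account has MFA on.
    Every account attempts to opt in; the policy decides who succeeds."""
    directory = {}
    for i in range(n):
        acct = Account(f"u{i:03d}", mfa=(i % mfa_every == 0))
        acct.relatives = {f"u{(i + d) % n:03d}"
                          for d in range(-reach, reach + 1) if d != 0}
        directory[acct.name] = acct
    for acct in directory.values():
        policy.enable_sharing(acct)
    return directory


def stuffable(directory: dict) -> list:
    """Accounts a credential-stuffing run can take over: those without MFA."""
    return [a.name for a in directory.values() if not a.mfa]


if __name__ == "__main__":
    for gate in (False, True):
        d = build_directory(n=100, reach=5, mfa_every=3,
                            policy=SharingPolicy(require_mfa_to_share=gate))
        hit = ["u010", "u050"]  # two non-MFA accounts landed by stuffing
        print(f"mfa gate={gate}: {len(hit)} accounts hit -> "
              f"{len(exposure(hit, d))} other profiles exposed")
```

With the gate, the accounts a stuffing run can take over are exactly the ones that were never allowed to share, so the compromised sessions read nothing; without it, each landed account hands over all of its opted-in relatives.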

    • @[email protected]
      4 points · 1 year ago

      I don’t think so. Those users had opted in to share information within a certain group. They’ve already accepted the risk of sharing info with someone who might be untrustworthy.

      Plenty of other systems do the same thing. I can share the list of games on my Steam account with my friends - the fact that a hacker might break into one of their accounts and access my data doesn’t mean that this sharing of information is broken by design.

      If you choose to share your secrets with someone, you accept the risk that they may not protect them as well as you do.

      There may be other reasons to criticise 23andMe’s security, but this isn’t a broken design.

  • @[email protected]
    29 points · 1 year ago

    23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users

    I’m honestly asking what the impact to the users is from this breach. Wasn’t 23andMe already free to sell or distribute this data to anybody they wanted to, without notifying the users?

    • @[email protected]
      29 points · 1 year ago (edited)

      That’s not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.

      I would assume they had some deals with law enforcement to transmit data under narrow circumstances.

      I’m honestly asking what the impact to the users is from this breach.

      Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.

      This is different. This is a breach and if you have a company taking care of such sensitive data, it’s your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they’ve established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt in some regard.

      • @[email protected]
        16 points · 1 year ago

        If they really do blame this on the users

        It’s not that they said:

        It’s your fault your data leaked

        What they said was (paraphrasing):

        A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.

        Which, honestly?

        Completely valid. The only way to stop this would be for 23andme to monitor these “hack lists” and notify any email that also has an account on their website.

        Side note:

        Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.

        • LUHG
          5 points · 1 year ago

          That’s not 23andMe’s fault at all then. Basically boils down to password reuse. All I would say is they should have provided 2FA if they didn’t.

          • 52fighters
            1 point · 1 year ago

            All I would say is they should have provided 2fa if they didn’t.

            At this point, every company not using 2FA is at fault for data hacks. Most people using the internet have logins to 100s of sites. Knowing where to go to change all your passwords is nearly impossible for a seasoned internet user.

            • conciselyverbose
              4 points · 1 year ago

              A seasoned internet user has a password manager.

              Not using one is your negligence, no one else’s.

            • @[email protected]
              2 points · 1 year ago

              The sad thing is you have to balance the costs of requiring your customer to use 2FA with the risk of losing business because of it and the risk of losing reputation because your customers got hacked and suffered loss.

              The sad thing is some (actually most) people are brain dead, you will lose business if you make them use a complicated password or MFA and it puts them in the position to make a hard call.

              They took the easy route and gave the customer the option to use MFA if they wished and unfortunately a lot of people declined. Those people should not have the ability to claim damages (or vote, for that matter)

        • Zoolander
          4 points · 1 year ago

          The only way to stop this would be for 23andme to monitor these “hack lists”

          Unfortunately, from the information that I’ve seen, the hack lists didn’t have these credentials. HIBP is the most popular one and it’s claimed that the database used for these wasn’t posted publicly but was instead sold on the dark web. I’m sure there’s some overlap with previous lists if people used the same passwords but the specific dataset in this case wasn’t made public like others.

    • LanternEverywhere
      1 point · 1 year ago (edited)

      I would guess (hope?) that the data sets they sell are somewhat anonymized, like listing people by an i.d. number instead of the person’s name, and not including contact information like home address and telephone number. If so then the datasets sold to companies don’t contain the personal information that hackers got in this security breach.

    • Hegar
      -2 points · 1 year ago (edited)

      I’m honestly asking what the impact to the users is from this breach.

      The stolen info was used to build databases of people with Jewish ancestry that were sold on the dark web. I think there was a similar DB of people with Chinese ancestry. 23andme’s poor security practices have directly helped violent white supremacists find targets.

      If you’re so incompetent that you can’t stop white supremacists from getting identifiable information about people from minorities, there is a compelling public interest for your company to be shut down.

        • @[email protected]
          0 points · 1 year ago

          Why do you think someone would buy illegally obtained lists of people with Jewish or Chinese ancestry? And who do you think would be buying it?

            • @[email protected]
              -2 points · 1 year ago (edited)

              Scammers would buy all info, not specifically targeted to people of Jewish or Chinese descent. That’s not what’s being sold.

              Who do you think would want only information about people with Jewish or Chinese ancestry, and why?

  • Alien Nathan Edward
    22 points · 1 year ago

    https://haveibeenpwned.com/

    Gentle reminder to plop your email address in here and see if you, much like 14,000 23andMe users, have had an account compromised somewhere. Enable two-factor where you can and don’t reuse passwords.

    • @[email protected]OP
      4 points · 1 year ago

      Welp, my two gmail addresses have been pwned. Good thing I don’t use them and I have limited use of Google services.

      • @[email protected]
        7 points · 1 year ago (edited)

        Just to clarify: it doesn’t necessarily mean that your Google account password is compromised. It lists data breaches of services where you used the provided email to register. The password you chose for that service at the time of the breach has been compromised. If you don’t use the same password everywhere, or changed your password after the breach, your other accounts are not compromised.

        Also, as OP said, use two-factor authentication. And please also use a password manager.

        • @[email protected]OP
          2 points · 1 year ago

          I understand that. I use KeePassXC and love it. I just noticed that those gmail accounts get all the spam, so I abandoned them.

    • Tier 1 Build-A-Bear 🧸
      2 points · 1 year ago

      It’s saying I’ve been hacked on websites I’ve legitimately never even heard of, websites I have 100% never interacted with. Is this just a normal consequence of companies sharing all my data with other companies?

      • Alien Nathan Edward
        1 point · 1 year ago

        I can’t speak to how you ended up on the list. The way haveibeenpwned works is that they crawl publicly available credential dumps and grab the associated usernames/emails for each cred pair. However it got there, your email ended up in one of those dumps. Recommend you change your passwords, make sure you don’t repeat the same password across multiple sites and use a password manager so you don’t have to remember dozens of passwords yourself.

    • @[email protected]
      23 points · 1 year ago

      But hear me out, I have no control over my cousin or aunt or some random relative getting one of these tests and now this shitty company has a pretty good idea what a large chunk of my DNA looks like. If people from both sides of my family do it they have an even better idea what my genetic profile looks like. That’s not my fault, I never consented to it, and it doesn’t seem ok.

    • @[email protected]
      11 points · 1 year ago

      If your credit card information gets stolen because someone stole it from a website you bought something off of, is that your fault?

      • @[email protected]
        3 points · 1 year ago

        I can change my credit card. I can’t change my DNA. This wasn’t even for any medical reasons. 23andme is just a vanity service.

        • @[email protected]
          6 points · 1 year ago

          I have a relative who did it.

          But they are super into genealogy.

          At this point, to go deeper, they would need to learn a new language and travel half way across the world.

          I was not consulted before this was done. I would have cautioned against it.

        • @[email protected]
          6 points · 1 year ago

          And what of the money lost? Should the credit card company say “well you’re an idiot that gave sensitive information to some company, we’re not going to help you?” It’s still victim blaming.

          • @[email protected]
            -1 point · 1 year ago

            In reality, yes. If the data breach happened because users were reusing passwords, then they are partially at fault. If someone gets rear-ended by a drunk driver and their injuries could have been limited by wearing a seatbelt, then yes, they are partially at fault for it. People who don’t wear their seatbelts are the same types that reuse passwords. They don’t think it will happen to them and take their luck up to that point for granted.

            • @[email protected]
              2 points · 1 year ago (edited)

              Even if they are partially at fault, the company tends to have more power to fix security problems than the customer does. That’s why we tend to put the onus on the company to fix these issues. It’s not really fair to put it on either one for something criminals did, but at least the company has more power to control things.

              In the case of credit cards, the US industry has implemented PCI compliance to force a level of security on all the individual companies. Now, I happen to think PCI is a flawed approach. Payment gateways in most other countries work something like PayPal or Google Wallet, where only the processing company ever sees payment data. The merchant only sees that the payment is verified and has the correct amount. However, US internet sites evolved where each individual merchant has to hold on to credit card data, and that necessitates PCI. Fortunately, PCI compliance is such a PITA that many companies are turning to payment gateways like everywhere else in the world.

              In the case of 23andme, they had a few broken passwords that then affected half their customer base through the relationship feature. Aside from dropping relationships, they also could have used MFA methods. My Steam account uses MFA, and it’s far less important than my DNA information.

      • @[email protected]
        0 points · 1 year ago

        Bad analogy. The only people who had their information exposed are people who reused passwords and people who decided to make their info semi-public. It’s more like deciding to tell all your cousins and 2nd cousins your credit card info and one of them leaked it.

    • JackbyDev
      3 points · 1 year ago

      This is such a fucking braindead, victim blaming take.

      • @[email protected]
        -2 points · 1 year ago

        They became a victim the moment they gave their data to that company. Why is anyone that works at 23andme more trustworthy than rando hackers? They aren’t obligated to any HIPAA laws.

    • kingthrillgore
      1 point · 1 year ago

      I SHOULD NOT BE GETTING GASLIT FOR WHAT SEEMED LIKE A NEAT IDEA AT THE TIME

    • @[email protected]
      -2 points · 1 year ago

      Absolutely; and this is another example in a long list which should serve as a lesson for people to not share their personal data with any company if possible. Yet, I feel that lesson will never be learned.

    • @[email protected]
      11 points · 1 year ago

      I see this trend of websites requesting your identification and all I think is: I don’t even trust my own government with a copy, why the hell should I trust a business?

      Instant skip.

  • @[email protected]
    17 points · 1 year ago

    And I agree with them, I mean 23andMe should have a brute-force resistant login implementation and 2FA, but you know that when you create an account.

    If you are reusing creds you should expect to be compromised pretty easily.

    • Max-P
      27 points · 1 year ago (edited)

      A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem.

      Edit: so people stop asking, here’s their docs on DNA relatives: https://customercare.23andme.com/hc/en-us/articles/212170838

      Showing your genetic ancestry results makes select information available to your matches in DNA Relatives

      It clearly says select information, which one could reasonably assume is protecting of your privacy. All the reports seem to imply the hackers got access to much more than just the couple fun numbers the UI shows you.

      At minimum I hold them responsible for not thinking this feature through enough that it could be used for racial profiling. That’s the equivalent of being searchable on Facebook but they didn’t think to not make your email, location and phone number available to everyone who searches for you. I want to be discoverable by my friends and family but I’m not intending to make more than my name and picture available.

      • @[email protected]
        16 points · 1 year ago (edited)

        A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem

        I mean…

        You volunteered to share your info with that person.

        And that person reused an email/password that was compromised.

        How can 23andme prevent that?

        It sucks, but it’s the fault of your relative that you entrusted with access to your information.

        No different than if you handed them a hardcopy and they left it on the table of McDonald’s.

        Quick edit:

        It sounds like you think your account would be compromised, that’s not what happened. Only info you shared with the compromised relative becomes compromised. They don’t magically get your password.

        But you still chose to make it accessible to that relative’s account by accepting their request to share.

            • @[email protected]
              link
              fedilink
              English
              2
              1 year ago

              Ok, who else would be able to give me your personal information? I’ll go get it from them instead.

              • Zoolander
                link
                fedilink
                English
                3
                1 year ago

                Your mom has my contact information. You can ask her.

                /pwn3d.

                • @[email protected]
                  link
                  fedilink
                  English
                  -4
                  1 year ago

                  Oh, so you’re actually not consenting to have some personal information you’ve given to family given to me as well? Odd, you sure seemed ok when it was people having their information snagged from 23andMe.

              • capital
                link
                fedilink
                English
                1
                1 year ago

                And that’s exactly how the attackers got in in the first place lol.

                The ding dongs used the same creds elsewhere which were leaked.

      • @[email protected]
        link
        fedilink
        English
        9
        1 year ago

        So if you enabled a setting that is opt-in only that allows sharing data between accounts and you are surprised that data was shared between accounts how is that not your fault?

      • @[email protected]
        link
        fedilink
        English
        9
        1 year ago

        Yep, it was 14,000 that were hacked; the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe’s response is what to expect, since companies will never put their customers’ safety ahead of their profits.

      • Eager Eagle
        link
        fedilink
        English
        9
        1 year ago

        afaik there was no breach of private data, only the kind of data shared to find relatives, which is opt-in and obviously not private to anyone who has seen how this service works. In other words, the only data “leaked” was the kind of data that was already shared with other 23andMe users.

        • Hegar
          link
          fedilink
          -2
          1 year ago

          Name, sex and ancestry were sold on the dark web, that’s a breach of private data.

          The feature that lets a hacker see 500 other people’s personal information when they hack an account is obviously a massive security risk. Especially if you run a single use service - no one updates their password on a site they don’t use anymore.

          Launching the feature in the first place made this inevitable.

          • Eager Eagle
            link
            fedilink
            English
            3
            edit-2
            1 year ago

            Name, sex and ancestry were sold on the dark web, that’s a breach of private data.

            It would be a breach if the data was private, but the feature itself exposes this data. That would be like presenting a concert to hundreds of people then complaining your facial attributes were leaked in social media.

      • Zoolander
        link
        fedilink
        English
        8
        1 year ago

        It doesn’t. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member’s account and their account getting accessed because their banking password was “Password1” or their PIN was “1234”.

      • @[email protected]
        link
        fedilink
        English
        5
        1 year ago

        Even if you didn’t use a compromised password yourself, the fact that your relatives did indicates that you’re genetically predisposed to bad security practices. /s

      • capital
        link
        fedilink
        English
        5
        1 year ago

        How do you and the surprising number of people who upvoted you want options on websites to work?

        These people opted into information sharing.

        When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

        Wtf?

      • @[email protected]
        link
        fedilink
        English
        2
        1 year ago

        A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem.

        How the hell would they prevent that if you voluntarily shared a bunch of information with the breached account? This is like being mad that your buddy’s Facebook account got breached and someone downloaded shared posts from your profile, too. It’s how the fucking service works.

    • @[email protected]
      link
      fedilink
      English
      -3
      edit-2
      1 year ago

      Is it also the User’s fault for the 6,898,600 people that didn’t reuse a password and were still breached?

      • @[email protected]
        link
        fedilink
        English
        7
        1 year ago

        Yes, because you have to choose to share that data with other people. 23andMe isn’t responsible if grandma uses the same password for every site.

      • Zoolander
        link
        fedilink
        English
        6
        1 year ago

        They weren’t breached. The data they willingly shared with the compromised accounts was available to the people that compromised them.

        • @[email protected]
          link
          fedilink
          English
          -4
          1 year ago

          Pretty sure nobody clicked a button that said “share my data with compromised accounts.”

  • ekis
    link
    fedilink
    English
    14
    1 year ago

    Well, it’s also their fault for falling for 23andMe, because it’s basically a scam. The data is originally self-selected data sets; then correlating a few markers tested once, to match you to their arbitrary groups, isn’t exactly how genetics work is done.

    It’s actually cheap as, maybe cheaper, to get 50x full genome sequencing from a company that actually doesn’t sell your data; where 23andMe’s business model was running a few marker tests to appease their audience they kept in the dark about how modern genetics works, then keeping the samples for full genome sequencing later, because that shit only gets more valuable over time.

    It’s what makes genetics weird. A sample taken 10 years ago will reveal so much more about you 5 years from now, like massively more.

  • @[email protected]
    link
    fedilink
    English
    14
    1 year ago

    I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.

    • @[email protected]
      link
      fedilink
      English
      15
      1 year ago

      Not your fault if you did have a strong password but your data was leaked through the sharing anyways…

  • @[email protected]
    link
    fedilink
    English
    11
    1 year ago

    I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.

    • @[email protected]
      link
      fedilink
      English
      15
      1 year ago

      Maybe there should be some type of regulation that prevents that from happening considering the average person doesn’t think of shit like that because they don’t expect to be fucked over in every conceivable way

        • ekis
          link
          fedilink
          English
          4
          1 year ago

          If only companies could be executed.

          Did you know they used to not be immortal by default? Like, old companies had to define a shutdown date in their articles of incorporation.

          Now they have human rights, are immortal, and use the planet like it’s a computer and they are a poorly written piece of malware.

          Hint: It’s gonna keep looping till it overheats and crashes. Might need to unplug it and plug it back in again.

      • ekis
        link
        fedilink
        English
        -1
        1 year ago

        No, we know where we are getting fucked from: behind usually, sometimes on top so they can choke us, and the rest is always on our knees.