r/privacy • u/zhoushmoe • Jan 04 '24
data breach 23andMe tells victims it’s their fault that their data was breached
https://archive.is/i2vXR88
Jan 04 '24
[deleted]
32
u/Gaming_and_Physics Jan 04 '24
I've been wanting to take one of these ancestry tests for tons of reasons.
But I just can't bring myself to do so considering how weak most companies' security is, and how they sell my data.
12
u/Mayayana Jan 04 '24
Bingo. We're faced with a choice that most people refuse to make: You can't have privacy and security while also optimizing convenience and services. Yet people are shocked, after letting Facebook own their social life, that they see targeted ads.
14
u/sanbaba Jan 04 '24
Or anyone. It is literally used to link you to crimes. Even if you're "not planning to commit crimes" (not really a real thing but let's move on), why would this be a good idea? Now someone has your sequence, thus enabling them in the future to put a DNA match for you anywhere they choose for eternity. It's the dumbest idea I have ever, ever heard of. (to say nothing of future threats, health insurance etc)
0
u/Misoriyu Jan 10 '24
this is just a bunch of fear-mongering and isn't how DNA is used in relation to crimes lol
4
2
u/Sostratus Jan 04 '24
It's probably not a good idea to think of your genome as being your "most intimate data" given that you literally leave a copy of it on everything you touch.
10
Jan 04 '24
[deleted]
3
u/Sostratus Jan 04 '24
Yeah, I'm not saying that it's a good idea to use their service, it's not. Just that it's not realistic to consider your DNA carefully guarded private information. You're not going to get the protection of a warrant requirement over every flake of skin that comes off you.
35
u/boydengougesr Jan 04 '24
I read that story too. So much for trusting these big companies with our info, right? #PrivacyFail
16
u/du_ra Jan 04 '24
I wouldn’t trust them either, but using the same password everywhere is a user problem. Yeah, you can force 2FA, but there are users who don’t want or can’t use this and then you lose customers.
9
Jan 04 '24
[deleted]
-2
u/du_ra Jan 04 '24
That’s absolutely unrealistic; if you do this, people will have a hard time finding a working password. And most of these lists aren’t even publicly available, so you need to check online services for this and pay for it.
7
Jan 04 '24
[deleted]
-5
u/du_ra Jan 04 '24
Okay, so if my password is "!siExjeg45", then nobody should be able to use this? That’s bs. So with millions and billions of leaked passwords you can try hundreds of combinations before you find a working one…
And correlating the password with the user is not only really hard, it’s also against privacy and, at least in the EU, illegal. Besides the aspect of checking them and the companies who save the leaked ones without permission. And even they don’t have every leaked list.
30
u/Killer_Bhree Jan 04 '24
…they’re not exactly wrong but it’s still bad optics and unlikely to make them look any better
0
Jan 04 '24
No, they are exactly wrong...
8
u/Killer_Bhree Jan 04 '24
Recycling passwords is a bad practice, no?
0
Jan 04 '24
Yes, completely agree, but from what I'm seeing there were actually multiple breaches and they stole data not just from the people with weak/re-used passwords. I think the majority of victims did not do anything specifically wrong. Am I wrong about that?
8
u/Killer_Bhree Jan 04 '24
From what I gather, the main cause of the breach was weak passwords that attackers were able to target based on available breach data. The only fault on the company side is the “feature” of connecting with other “potential relatives” which allowed attackers to move/spread through the network—and that’s an opt-in thing iirc
5
Jan 04 '24
"The 23andMe data breach began with hackers accessing about 14,000 user accounts through a method known as credential stuffing, where they brute-forced accounts using passwords known to be associated with the targeted customers. After breaching these initial accounts, the attackers were able to access the personal data of 6.9 million other users who had opted-in to 23andMe’s DNA Relatives feature. This feature, designed to share data with potential relatives on the platform, inadvertently allowed the hackers to scrape personal data from millions of accounts not directly hacked"
https://news.yahoo.com/23andme-tells-victims-fault-data-164215889.html
So they had no methods to protect against brute forcing, similar to Apple's iCloud during the time of the Fappening data breach, and then most of the people were bit by a feature that 23andMe built... so yeah, sounds like a smoke screen to me...
20
u/du_ra Jan 04 '24
If you use the same (mostly weak) password on multiple sites it is mainly your fault and the website which was hacked to get your password. Period.
And yes, enforcing 2fa is better, but there are many people who hate it or can’t use it and I’m very sure they would enter that in every link in a phishing mail.
8
Jan 04 '24
So sure, if that was the only problem... they had multiple breaches and people who were not specifically targeted also got their data stolen, right?
6
u/du_ra Jan 04 '24
It’s the data the accounts had access to. So if you allow other persons to see your data and they get hacked, your data can be copied too, that’s true. But as far as I know it was opt-in to show it to others.
1
Jan 04 '24
I mean it's on 23andMe... they built the feature and then they failed to secure their endpoints against basic known attacks like brute force methods... I mean how often have you come across a site that does not block you after a few incorrect attempts? This just sounds like lazy negligence...
8
u/du_ra Jan 04 '24
It was not just "brute-force", it was a credential stuffing attack. Blocking after some failed attempts is not helping much. Yes, it makes it a bit more annoying, but today you just use big IP ranges or botnets to attack. Credential stuffing works with the vast majority of websites. Some exceptions like Google check your location, but even that is not a huge problem with a VPN.
Only 2FA could really help, and users who use the same password everywhere are also likely to fall for a phishing attack. And you lose customers who don’t want or can’t use 2FA.
-1
Jan 04 '24 edited Jan 04 '24
Credential stuffing attack is a known method of attack and if they cared they could have guarded against it...
companies can guard against credential stuffing. Some effective measures include:
- Stronger Password Policies: Enforcing complex password requirements makes it harder for attackers to guess passwords.
- Multi-factor Authentication (MFA): This adds an extra layer of security beyond just a password.
- Regular Password Resets: Encouraging or requiring users to change passwords periodically can prevent long-term use of compromised credentials.
- Account Lockout Mechanisms: Temporarily locking accounts after several failed login attempts can thwart brute-force attempts.
- Monitoring and Alerting: Implementing systems to detect unusual login patterns and alerting users can help in early detection of such attacks.
- Educating Users: Informing users about the importance of unique passwords for different services can reduce the risk of credential stuffing.
6
u/du_ra Jan 04 '24
And which of these, except enforcing 2FA, is missing at 23andMe? (And regular password resets are not recommended by most security experts because it’s annoying and users tend to use even weaker passwords.)
2
Jan 04 '24
I mean all of them, that's why they failed to prevent the attacks, right? If they had good opsec they would not have had this issue.
If you really want to blame 14k users for a data breach that affected nearly 7 million... you are going to need a stronger defense than that.
When I build a weak system that breaks, I do not blame my users... it was my failing. I built the damn thing.
5
u/du_ra Jan 04 '24
And as mentioned, they don’t prevent this. I work in this field and except for 2FA, none of this really helps.
And again about the users that were affected: So if I hack a Facebook account with 1000 friends, then it’s Facebook's lack of security that I had access to the shared data of these 1000 friends? That’s crazy. These users opted in to other people seeing their data.
0
Jan 04 '24
And as mentioned, they don’t prevent this
Correct, they failed their users.
I work in this field and except 2fa auth nothing of this really helps.
So they did not implement 2fa, how is that their users fault?
And again about the users that were affected: So if I hack a Facebook account with 1000k friends, then it’s Facebook lack of security that I had access to the shared data of these 1000 friends? That’s crazy.
Sorry, I don't follow.
If you really do work in the field, I hope you learned something from this beyond: "Only the users are to blame."
If not, please let me know who you work for so I can avoid using your products.
2
u/mrgreengenes42 Jan 04 '24
As the other person mentioned, virtually everyone recommends against periodic password resets these days.
https://pages.nist.gov/800-63-FAQ/#q-b05
https://blog.1password.com/should-you-change-passwords-every-90-days/
The only time passwords should be reset is if they're potentially compromised.
0
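The recommendation above (reset only on suspected compromise, no periodic expiry) pairs with the other NIST 800-63B rule: screen new passwords against known-breached ones. That is also the practical answer to the earlier objection in this thread that checking leaked lists means buying them or sending user passwords to a third party. The k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses sends only the first five hex characters of the SHA-1 hash; the matching happens on the client. The code below is an added example, not 23andMe's or HIBP's code: the `ConstructedRangeServer` stands in for the real endpoint with a tiny constructed corpus, and `breach_count` is the client side of the same protocol. The assumed policy in `acceptable_new_password` (length floor plus breach rejection, no composition rules) is mine, not something the page states 23andMe used.

```python
"""k-anonymity breached-password check (added example, not 23andMe code).

Protocol as used by Pwned Passwords: client hashes the password with
SHA-1, sends the first 5 hex chars, receives every 'SUFFIX:COUNT' in
that range, and matches the remaining 35 chars locally. The server
never sees the password or its full hash.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus; counts are made up.
CONSTRUCTED_LEAKED = {
    "password": 3730471,
    "123456": 23597311,
    "qwerty": 3946737,
    "letmein": 236371,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the representation the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ConstructedRangeServer:
    """Simulated range endpoint. Keeps a log of what it learns about
    each request, which is only a 5-char prefix."""

    def __init__(self, leaked: dict):
        self.ranges = defaultdict(list)
        for pw, count in leaked.items():
            h = sha1_hex(pw)
            self.ranges[h[:5]].append(f"{h[5:]}:{count}")
        self.requests = []

    def range(self, prefix: str) -> str:
        self.requests.append(prefix)
        return "\n".join(self.ranges.get(prefix, []))


def breach_count(password: str, fetch_range) -> int:
    """Client side: how many times this password appears in the corpus
    behind fetch_range, or 0. fetch_range(prefix) returns the range body."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_new_password(password: str, fetch_range, min_len: int = 8) -> bool:
    """Assumed signup/reset policy: length floor and not in a breach
    corpus. No composition rules, no periodic expiry."""
    return len(password) >= min_len and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    server = ConstructedRangeServer(CONSTRUCTED_LEAKED)
    for pw in ("password", "!siExjeg45", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, server.range))
    print("server saw only prefixes:", server.requests)
```

Against the real service `fetch_range` would be an HTTPS GET of the prefix; everything else stays the same. A hit at login time is the "potentially compromised" trigger for a forced reset, and a hit at signup or reset is a rejection with a plain explanation.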
Jan 04 '24
[deleted]
6
u/RandomComputerFellow Jan 04 '24
I do not know why you are downvoted. You should never reuse passwords, but it is absolutely true that web services should / must take precautions in case people do, because there will always be people with less knowledge about security who reuse them.
13
u/Truckaduckduck Jan 04 '24
23andme’s data will be the source of the next genetic cleansing. People are fools to willingly give such info away. Their descendants will no doubt pay the price.
7
u/papercutsfrfr Jan 04 '24
yeah you could potentially submit your sample and indirectly implicate your mom's second cousin's brother who carved up a few human jack o lanterns and left a bunch of dna but got away because it wasn't in the system. but they've been holding the dna he left behind for a decade, all of a sudden you send your sample in and you're so freakin' stoked to find out what percentage Swahili you are, but instead your sample registers as a 25% match to a sample in the violent crime database and now you have to help the cops figure out which one of your mom's insane relatives bled a few people dry
5
u/Dalmus21 Jan 04 '24
And for anyone thinking that this isn't a thing, they are wrong. Some states mandate a DNA sample from anyone entering the System for this exact reason.
On one hand, why would you not want to help locate an insane mass murderer?
On the other hand, faceless unelected bureaucrats now have a huge genetic library from their own sources and from 23andMe, Ancestry.com and whoever else that can in theory eventually be used to profile people who haven't committed any crimes.
3
u/West-Progress2085 Jan 04 '24
it’s not about not catching criminals. that’s fine i guess. coming from them it’s like barely neutral because it just shows you they had other plans for all this DNA, this was the plan from the beginning, this is the real business. they have all kinds of deals with pharma and insurance companies and all that. look it up. how obvious could it be when you realize SERGEY BRIN is the partner of the founder of 23andMe. do you think she came up with this business model all on her own? it’s exactly what google did with data and look at them now. kings of the Globe
2
u/Dalmus21 Jan 04 '24
Oh, I think there are individuals who actually DO have the limited goal of catching cold-case murderers/rapists, just like the sheeple who think it's only about learning where their ancestors probably came from.
But the companies themselves stand to make a lot of money (as you said) by selling it to anybody that has anything to do with health care. And like I said before, the Government is full of people whose goals are maintaining/growing their own power and marginalizing (or attempting to criminalize, as we've seen the past few years) anybody that would dare to question them.
2
u/sanbaba Jan 04 '24
And these dolts paid them for the "privilege".. for what? Finding their lives somehow "more meaningful" now that they realize they are 2% more Inuit than expected? What the fuck is the tradeoff here?? Racist fools
3
Jan 04 '24 edited Jan 14 '24
[deleted]
2
u/West-Progress2085 Jan 04 '24 edited Jan 04 '24
edit: sorry, i misread your comment so i renege my snarky comment lol
1
u/Misoriyu Jan 10 '24
genetic cleansing hasn't and still doesn't require DNA, schizo. you'd be smarter worrying about the spread of white supremacist values.
2
u/webfork2 Jan 06 '24
It's like a continuously unfolding example of what NOT to do before, during, and after a breach.
2
u/geoffala Jan 04 '24
I'm appalled that there's so many boot lickers and victim blamers in these comments with "they're right" comments. There are ways to prevent credential stuffing attacks and clearly they weren't doing it. Also the attackers were able to pull data of relatives via a compromised account, so please tell me how this was the fault of these 2nd+ degree victims?
5
u/du_ra Jan 04 '24
They agreed (opt-in!) that these accounts can read their data. If I send you a private message on Reddit and someone else is logged into your account, then it’s obvious that they can read the message.
4
1
u/Mayayana Jan 04 '24
I read their explanation. There's a story about it today on Slashdot. They have a point. First, anyone who shares such data with an online company known to exploit and share the data is asking to lose their privacy.
Beyond that, the hacks were a result of people using the same password on different sites and the hackers guessing those passwords. That was 14K cases. The 6.9 million resulted because some of those 14K had agreed to share their data with other people on 23andMe. So basically, these people have made their own genetic data public, in 2 capacities. AND they didn't bother with password security. There's only so much an online company can do about that. No data shared online can be considered totally secure.
One common response is that 2FA should be required, but that has its own problems. First, why not just make it an option rather than a requirement? Further, 2FA typically requires a cellphone and brings cellphone privacy/security into the equation. 2FA can also make it difficult to get into your own accounts. For example, I was recently considering buying stocks online. It turned out that no company or bank would allow me to do that without a cellphone. They want to be able to send texts, get me to install an app, and increase their tracking. They could send a confirmation code to a landline, but they won't. They could send an email code, but they won't. Yet the US Treasury works just fine that way. So I'd need to manage my money on a cellphone where I have little control over app spying. And what if I lose my cellphone? Can I get that number back? It's just a Tracfone that I don't use much. Is it possible that I might actually lose access to my own stock holdings because I lost my phone?! I'm not taking a chance. The whole idea of that kind of 2FA is little more than a scam to gather more private data and to be able to send ads via text. So I decided to skip investing. It's risky enough betting in the Wall St casino, without adding to the risk.
1
u/SqualorTrawler Jan 04 '24
Whatever the case, all sites should force multifactor authentication and any remaining sites which don't should be called out.
The best way to avoid credential-stuffing attacks is unique passwords (and ideally unique logins) for each site.
And the best way to accomplish this is with a password manager, and no, you don't have to store the DB in the cloud if you don't want to. There are locally-controlled options like the many keepass applications which don't require that.
I want to make another pitch for password managers, and this is rarely commented upon:
Password managers provide a roster or log of any place you have credentials. What this means is periodically you can audit and weed places you might have an account on (and possibly other personal data) that you don't need anymore: an online store you made a one-time purchase at. An old e-mail account you don't use. You can log in and delete those and keep your online footprint smaller.
It also provides a worklist of places to do regular password changes at.
And lastly, you can record your "password reset hints" in your password manager records, so you can answer them differently at each site. Your "first car" can be mustardRanger17$change at one place and .98fortitude!!blast at another.
The only thing that can prevent credential stuffing is multifactor authentication. There is no easy and foolproof way to defend against this without it.
2
1
u/Templar388z Jan 04 '24
I see it as 23andMe’s responsibility. Didn’t want your people’s accounts to be breached? Then provide 2FA (Ancestry does this), require more secure passwords, etc. I’m surprised a company that deals with such sensitive data has such abysmal password and security requirements.
2
1
Jan 04 '24
Same logic as blaming victims of rape via clothes and everything- ALL but the fact a criminal committed a crime.👀 We know these assholes aren't stupid. Here it is the company themselves deflecting the blame to victims; NO, the most ridiculous circumstances on the part of the victim do NOT excuse the crime!🙄
If a credit card number is 1234 and I purchase a yacht, is it REALLY the fault of card holder? NO that would be me.🤣(fuck yachts. You could get a replica of the black pearl or something, but reinforced to modern standards.) Man... I hate this clown show.
-2
Jan 04 '24
Side note: The people who defect the comparison of "how a thing is handled," to "rape," in this example.
It's like a person with an English degree dismissing AAVE. Bruh. You don't know what a dialect is, or that language famously branches off? Just because you don't like it, doesn't mean it is invalid.
Long live Urban dictionary, burn webster, oxford and all those other books.😁 /s
1
u/sanbaba Jan 04 '24
Admittedly, anyone thinking this service was ever a good idea to buy into is completely stupid, totally unconnected to any or all current events, but this level of unapologetic behavior... enronesque.
0
-1
Jan 04 '24
[deleted]
12
u/zhoushmoe Jan 04 '24
I see their PR team is already on the move here lol
-8
u/shortroundsuicide Jan 04 '24
I’m sorry but in a world full of password managers - if you use the same email and password for everything (and your password is abc123) then yes, you share part of the blame.
Since the hackers brute forced the passwords - what would YOU have suggested 23andme do differently to prevent this?
12
u/datise99 Jan 04 '24
- Mandate 2fa
- enforce higher password complexity
- geofence user accounts based on nationality
- passkeys/social logins
- disable accounts after x failed attempts
- warn accounts for logins with improbable travel
- disable accounts for logins with impossible travel
- captcha
- throttle ips
All of these measures can either block or prevent the severity of these attacks.
-2
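Two items in the list above, warning on improbable travel and disabling on impossible travel, are the same computation with two thresholds: distance between the geolocations of consecutive logins divided by the time between them. The script below is an added example, not code from 23andMe or from anyone in this thread. The login events and coordinates are constructed, and the three constants (what counts as "same place" geo-IP jitter, what speed is merely improbable, what speed is physically impossible) are assumptions to tune, not published values. It also handles the edge case of two far-apart logins in the same second, which would otherwise divide by zero.

```python
"""Improbable / impossible travel on consecutive logins (added example).

Events are (epoch seconds, username, latitude, longitude), as a geo-IP
lookup on the login source would give. All data and thresholds are
constructed assumptions for this illustration.
"""
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0
SAME_PLACE_KM = 50.0      # assumption: within geo-IP jitter, not travel
IMPROBABLE_KMH = 500.0    # assumption: faster than ground travel, warn
IMPOSSIBLE_KMH = 1000.0   # assumption: faster than an airliner, disable

ACTIONS = {
    "ok": "allow",
    "improbable": "notify user, require step-up authentication",
    "impossible": "revoke session, disable login, force password reset",
}

# Constructed sample. Each user has two logins 30 min or 2 h apart.
CONSTRUCTED_LOGINS = [
    (1704326400, "alice", 40.7128, -74.0060),  # New York
    (1704328200, "alice", 51.5074, -0.1278),   # London, 30 min later
    (1704326400, "bob", 52.5200, 13.4050),     # Berlin
    (1704333600, "bob", 48.1351, 11.5820),     # Munich, 2 h later
    (1704326400, "carol", 48.8566, 2.3522),    # Paris
    (1704328200, "carol", 52.3676, 4.9041),    # Amsterdam, 30 min later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def classify(speed_kmh):
    """Map an implied travel speed to a verdict."""
    if speed_kmh >= IMPOSSIBLE_KMH:
        return "impossible"
    if speed_kmh >= IMPROBABLE_KMH:
        return "improbable"
    return "ok"


def assess_logins(events):
    """For every consecutive pair of logins per user, compute distance,
    implied speed, verdict and action. Returns {user: [finding, ...]}."""
    by_user = defaultdict(list)
    for ts, user, lat, lon in events:
        by_user[user].append((ts, lat, lon))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        out = []
        for (t0, la0, lo0), (t1, la1, lo1) in zip(logins, logins[1:]):
            dist = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0) / 3600.0
            if dist <= SAME_PLACE_KM:
                speed = 0.0                 # treat as no movement
            elif hours <= 0:
                speed = float("inf")        # same second, far apart
            else:
                speed = dist / hours
            verdict = classify(speed)
            out.append({
                "ts": t1,
                "distance_km": round(dist, 1),
                "speed_kmh": speed if math.isinf(speed) else round(speed, 1),
                "verdict": verdict,
                "action": ACTIONS[verdict],
            })
        findings[user] = out
    return findings


if __name__ == "__main__":
    for user, items in assess_logins(CONSTRUCTED_LOGINS).items():
        for f in items:
            print(user, f)
```

Geo-IP is noisy (VPN exits, mobile carrier NAT, corporate proxies), which is why the first tier only asks for step-up rather than locking the account, and why the "same place" radius exists at all.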
u/shortroundsuicide Jan 04 '24
Fair enough! But i think we can all agree on a couple things:
Don’t trust ANY company to keep your shit secure
Don’t reuse simple passwords for every one of your accounts
5
3
u/datise99 Jan 04 '24
We can’t expect perfect security but we shouldn’t give in to having minimum expectations met either. At all points in technology we have trust steps where companies are involved, from DNS servers to email clients to keyboard apps and video games. If you don’t want to use technology for anything important because you don’t trust anything, that’s your choice. But not everyone has the means to make that choice, and as a society we increasingly don’t get one anymore as organizations move to digital services. That’s why privacy is important.
Also, no matter how hard you scream from the rafters not to reuse passwords, people will, because we’re fucking stupid and make mistakes all the time. That’s why the onus is on platforms, staffed with paid experts who know better, to build solutions to negate these EXTREMELY BASIC ATTACKS. So I’m sorry but I just can’t get behind the user blaming. At most this is a learning opportunity for those users. Except that’s probably wasted too because the response from the platform is callous.
1
u/Zealousideal_Rate420 Jan 04 '24
- Make companies with bad security practices liable. If a random Reddit user knows these things and a dum dum like me can implement half of these things for my homelab, a multi-million company dealing with DNA data should do too.
1
u/Remarkable-Froyo-862 Jan 04 '24
their encryption was brute forced???
2
u/Zealousideal_Rate420 Jan 04 '24
The logins. They brute forced user passwords. Then they extracted the data the users had access to, which included relatives.
-3
u/shortroundsuicide Jan 04 '24
The article said they got the data. Which they got from guessing people’s passwords. Did the hackers decrypt the data??
-3
3
u/datise99 Jan 04 '24
Your take entirely depends on 23 and me’s efforts. Preventing credential stuffing is table stakes defence nowadays. Why is 2fa not mandatory? Was the attack from a small set of origins and should have been detected or a bot net? What was the average failed attempts? What was the minimum password requirements when those accounts were made? And even if you ignore all of that…it’s still not classy to blame your users.
1
u/papercutsfrfr Jan 04 '24
they are not a classy company. they are in the business of making up a bunch of nonsense that attracts orphans, people without parents and white antiracists so they can combine it with all the data google already has on you (a google co-founder's wife is the 23andMe founder) and eventually just start duplicating folks. that's the future of credential stuffing
1
u/pimblepimble Jan 05 '24
23andme needs to be fully shut down and audited. This was a painfully obvious internal fake job, so they could sell their entire database to Russian and Chinese governments. It's the same as the Equifax fake-out where the bosses sold the database to scammers.
Then say "it wuz da hackers wot sold it guv'nor".
Audit every single person in management AND their family members, and you'll find mysterious large payments into their banks etc.
267
u/[deleted] Jan 04 '24
Brute force protection should be one of the most basic things in place. These sites potentially have something worse than PII, but PEOPLE via their DNA.
Imagine downloading people.