r/privacy Jan 04 '24

data breach 23andMe tells victims it’s their fault that their data was breached

https://archive.is/i2vXR
612 Upvotes

106 comments

267

u/[deleted] Jan 04 '24

Brute force protection should be one of the most basic things in place. These sites potentially have something worse than PII, but PEOPLE via their DNA.

Imagine downloading people.

131

u/TrumpetTrunkettes Jan 04 '24

You wouldn't download people.

63

u/smaxsomeass Jan 04 '24

I’d download Lucy Liu.

1

u/NearbyPassion8427 Jan 05 '24

I'd upload to Levy Tran's inbox.

17

u/FlavorJ Jan 04 '24

It wasn't brute forcing. It's unlikely they attempted more than a few different passwords for each user. They used known passwords from other breaches for those email addresses.

It's probably 99% not the fault of 23andMe, leaving that 1% for maybe-they-somehow-could-have-detected-the-massive-breach-based-on-heuristics but entirely possible it was virtually undetectable depending on the approach used (e.g. zombies in the same region as the account holders). If all the logins were from a single IP, then yeah that should've flagged something, but at some point people need to learn to not reuse passwords, especially with PII.

55

u/[deleted] Jan 04 '24

You can monitor client credentials for breaches, enforce better complexity, force 2FA, list goes on.

People there made a decision not to protect that stuff better.

33

u/Appropriate_Ant_4629 Jan 04 '24 edited Jan 04 '24

People there made a decision not to protect that stuff better.

Giving such data to a shady organization like that is already a decision to not protect their stuff.

It's like Zuckerberg's original quote about Facebook

Zuck: yea so if you ever need info about anyone at harvard
Zuck: just ask
Zuck: i have over 4000 emails, pictures, addresses, sns
Friend: what!? how’d you manage that one?
Zuck: people just submitted it
Zuck: i don’t know why
Zuck: they “trust me”
Zuck: dumb fucks

23andme is basically saying the same thing.

And they're not quite wrong.

10

u/papercutsfrfr Jan 04 '24

yeah isn't the founder Sergei Brin's wife? that really creeped me out when I learned that.

0

u/[deleted] Jan 04 '24

[deleted]

2

u/[deleted] Jan 04 '24

Where in that list are you seeing SSN?

4

u/[deleted] Jan 04 '24

[deleted]

3

u/DarkRitualHippie Jan 04 '24

probably screen names

2

u/Coffee_Ops Jan 04 '24

Businesses don't do that because it's not their problem, and trying to do a rudimentary level of protection has a non-zero chance of opening you to much more liability ("why didn't you monitor more sites for breach", implied warranty, etc).

Nobody forces 2fa, not even my broker. It's opt in everywhere.

-10

u/FlavorJ Jan 04 '24

Forcing 2FA using SMS or authenticators (or even email verification) could have helped, but it's ultimately not their responsibility. Some services will even check leaked password lists, notifying you or even forcing you to change. Nice features, but it doesn't change the fact that it's not their fault that people reused passwords.

18

u/[deleted] Jan 04 '24

I feel like that mentality is like turning a blind eye to a problem that you know is there. Users are gonna be users. Protecting them is protecting yourself nowadays. I see it like handing someone a loaded weapon.

3

u/tickletender Jan 04 '24

To your point: handling a loaded weapon (even though *every weapon is loaded ;) *)

It’s on both parties. The person who owns the gun is ultimately responsible for its safe use. But if you take it to a range, the range personnel are also responsible for you.

2

u/FlavorJ Jan 04 '24

Absolutely, it's in the interest of the service provider to provide comprehensive security to protect from this happening.

It's like handing a loaded weapon to someone with no training or experience who then looks down the barrel and pulls the trigger. I'm not denying you should know better, but you didn't shoot them.

Actually, it's like leaving a key under your doormat and then blaming the housing manager that you got robbed.

2

u/MrPatch Jan 04 '24

I think it's the same with banks, they enforce much stricter access controls than a shitty social media site because of the nature of the systems they provide access to; 23&me has extraordinarily personal data and as such they should shoulder a lot of the responsibility of enforcing their users to engage with MFA for access.

18

u/8acD3rLEo5 Jan 04 '24

23andme admitted it was credential stuffing which is a form of brute-forcing according to OWASP.

https://www.bleepingcomputer.com/news/security/23andme-updates-user-agreement-to-prevent-data-breach-lawsuits/

10

u/FlavorJ Jan 04 '24

Fair enough, but I disagree with the characterization. Brute-forcing traditionally implies trying every combination until a match is found, leading to conclusions like "they should have detected it" which is not necessarily true with credential-stuffing, in contrast with a sequential brute-force or dictionary attack which would be repeatedly targeting the same account and should absolutely be detectable (X login attempts in Y time).

Credential-stuffing would generally be detectable if the attacker used a relatively-small subset of originating IPs (many failed attempts for many different accounts originating from a single IP). The detectability also increases with the frequency of unique passwords leaked per email address for the same reason that traditional brute-forcing would be detectable, but then there would also be less of a chance that any of passwords would work because those email addresses with more unique passwords leaked would be less likely to be reusing a single password.
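The two patterns contrasted above (many failures on one account from one source, versus one failure each across many accounts from one source) worked through in code, as an added example that is not from anyone in the thread. The log format, IP addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 timestamp> <source IP> <account> <SUCCESS|FAIL>
# 203.0.113.10 tries one leaked password per account across many accounts (stuffing),
# 198.51.100.7 hammers a single account (classic brute force), 192.0.2.44 is a typo.
SAMPLE_LOG = """\
2024-01-04T10:00:01Z 203.0.113.10 alice@example.org FAIL
2024-01-04T10:00:02Z 203.0.113.10 bob@example.org FAIL
2024-01-04T10:00:03Z 203.0.113.10 carol@example.org SUCCESS
2024-01-04T10:00:04Z 203.0.113.10 dave@example.org FAIL
2024-01-04T10:00:05Z 203.0.113.10 erin@example.org FAIL
2024-01-04T10:00:06Z 203.0.113.10 frank@example.org FAIL
2024-01-04T10:00:10Z 198.51.100.7 grace@example.org FAIL
2024-01-04T10:00:11Z 198.51.100.7 grace@example.org FAIL
2024-01-04T10:00:12Z 198.51.100.7 grace@example.org FAIL
2024-01-04T10:00:13Z 198.51.100.7 grace@example.org FAIL
2024-01-04T10:00:14Z 198.51.100.7 grace@example.org FAIL
2024-01-04T10:05:00Z 192.0.2.44 heidi@example.org FAIL
2024-01-04T10:05:30Z 192.0.2.44 heidi@example.org SUCCESS
"""

@dataclass
class Event:
    ts: datetime
    ip: str
    account: str
    ok: bool

def parse_log(text):
    """Parse the constructed log format above into Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, outcome = line.split()
            stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events.append(Event(stamp, ip, account, outcome == "SUCCESS"))
    return events

def busiest_window(items, key, window):
    """Largest run of items whose timestamps fit inside one sliding window."""
    items = sorted(items, key=key)
    best, start = [], 0
    for i, item in enumerate(items):
        while key(item) - key(items[start]) > window:
            start += 1
        if i - start + 1 > len(best):
            best = items[start:i + 1]
    return best

def classify_sources(events, window=timedelta(minutes=5), min_failures=5, spread_ratio=0.8):
    """Judge each source IP by the failures in its busiest window:
    many failures on one account -> brute_force; nearly all on distinct accounts -> credential_stuffing.
    Successes are excluded on purpose: a stuffing run is mostly misses with a few hits."""
    by_ip = defaultdict(list)
    for e in events:
        if not e.ok:
            by_ip[e.ip].append(e)
    verdicts = {}
    for ip, fails in by_ip.items():
        burst = busiest_window(fails, lambda e: e.ts, window)
        n, accounts = len(burst), {e.account for e in burst}
        if n < min_failures:
            verdict = "benign"
        elif len(accounts) == 1:
            verdict = "brute_force"
        elif len(accounts) / n >= spread_ratio:
            verdict = "credential_stuffing"
        else:
            verdict = "mixed"
        verdicts[ip] = {"failures": n, "distinct_accounts": len(accounts), "verdict": verdict}
    return verdicts

def accounts_to_lock(events, window=timedelta(minutes=5), max_failures=5):
    """Classic per-account rule ("X failed attempts in Y time"): catches the brute
    force on grace, but each stuffing victim sees one failure and never trips it."""
    by_acct = defaultdict(list)
    for e in events:
        if not e.ok:
            by_acct[e.account].append(e.ts)
    return sorted(a for a, ts in by_acct.items()
                  if len(busiest_window(ts, lambda t: t, window)) >= max_failures)

def stuffed_logins(events, verdicts):
    """Successful logins from an IP judged to be stuffing: the accounts to step-up
    verify or force-reset (here the hit on carol)."""
    return sorted({e.account for e in events if e.ok
                   and verdicts.get(e.ip, {}).get("verdict") == "credential_stuffing"})

def failure_ratio(events):
    """Site-wide share of failed logins. A botnet spread across many IPs keeps every
    per-IP counter under threshold, but the aggregate failure rate still rises above
    its baseline, so this is what is left to alert on when per-IP rules go quiet."""
    return sum(not e.ok for e in events) / len(events) if events else 0.0
```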

4

u/bremsspuren Jan 04 '24

Brute-forcing traditionally implies trying every combination until a match is found

That's what they're doing, only it's combinations of website and credentials, not of username and password.

Credential-stuffing would generally be detectable if the attacker used a relatively-small subset of originating IPs

At the end of the day, there's only so much you can do to keep out someone who has the correct credentials.

23andme's fuck-up, imo, is allowing the millions of other users' very personal data to be extracted via compromised accounts.

2

u/MrPatch Jan 04 '24

but not traditional brute forcing which is completely different and extremely easy to defeat.

4

u/IksNorTen Jan 04 '24

On a platform like 23andMe with such confidential data (It's literally your DNA), 2FA should be enabled by default (you're not allowed to create your account without setting 2FA), so even if it's partly down to poor user practices, the main culprit is 23andMe, which failed to properly secure its service by adding at least a second layer of security to access such confidential data.

3

u/night_filter Jan 04 '24

There are things that they could do, for example set up a system that monitors for breaches and leaked passwords and blocks/resets any likely-compromised passwords. However, as far as I know, that's still not a standard industry practice.

And yes, they could look for suspicious login activity (e.g. too many logins/attempts coming from the same IP), but attackers can potentially get around a lot of that stuff.

I don't know the details here, but the first thing that pops into my mind is, if the passwords were compromised due to a leaked password, that indicates there was no MFA in place. You could say that it's the user's fault for not setting up MFA, but IMO every service should require MFA at this point. So that's one thing that is potentially 23andMe's fault.

2

u/bremsspuren Jan 04 '24

I don't know the details here

The attackers used email-password combos from other data leaks, and got into several thousand accounts that way.

The interesting thing (imo) is that they crawled ~7m other users' data on the site from the compromised accounts.

Those users did nothing wrong (other than signing up in the first place), and I wonder if 23andme might be held liable to them.

1

u/night_filter Jan 05 '24

Do 23andMe users have access to other users' information? I wouldn't expect that, but if they can, why?

And if they can't, then how did attackers use compromised accounts to gather data on non-compromised accounts?

0

u/datise99 Jan 04 '24

Mandate 2fa? People have reused passwords since day 1 and they won’t stop until passwords are dead. That’s why we have preventative measures. Also do you know for sure the details of the attack? I haven’t seen any legit technical details.

5

u/FlavorJ Jan 04 '24

It's explained in the links. First one said "brute force" but if you go deeper they say it was leaked passwords, ergo not technically a security breach requiring mandatory reporting on their end.

Mandating MFA is fine, but it's up to them whether they do or not. Depending on the MFA it might've made no difference. (SMS spoofing, email also using the same password, etc.)

Browsers and mobile devices have strong suggested passwords with cloud-synced passwords. You don't even need a separate service.

Basically like if someone crashed into you while you were changing the AC or whatever. Sure, you could've been paying better attention (and arguably should have), but you're 100% not at fault.

3

u/[deleted] Jan 04 '24

Wrong terminology sorry. Baked AF.

88

u/[deleted] Jan 04 '24

[deleted]

32

u/Gaming_and_Physics Jan 04 '24

I've been wanting to take one of these ancestry tests for tons of reasons.

But I just can't bring myself to do so considering how weak most companies' security is, and how they sell my data.

12

u/Mayayana Jan 04 '24

Bingo. We're faced with a choice that most people refuse to make: You can't have privacy and security while also optimizing convenience and services. Yet people are shocked, after letting Facebook own their social life, that they see targeted ads.

14

u/sanbaba Jan 04 '24

Or anyone. It is literally used to link you to crimes. Even if you're "not planning to commit crimes" (not really a real thing but let's move on), why would this be a good idea? Now someone has your sequence, thus enabling them in the future to put a DNA match for you anywhere they choose for eternity. It's the dumbest idea I have ever, ever heard of. (to say nothing of future threats, health insurance etc)

0

u/Misoriyu Jan 10 '24

this is just a bunch of fear-mongering and isn't how DNA is used in relation to crimes lol

4

u/Clevererer Jan 04 '24

Why make excuses for the company though?

2

u/Sostratus Jan 04 '24

It's probably not a good idea to think of your genome as being your "most intimate data" given that you literally leave a copy of it on everything you touch.

10

u/[deleted] Jan 04 '24

[deleted]

3

u/Sostratus Jan 04 '24

Yeah, I'm not saying that it's a good idea to use their service, it's not. Just that it's not realistic to consider your DNA carefully guarded private information. You're not going to get the protection of a warrant requirement over every flake of skin that comes off you.

35

u/boydengougesr Jan 04 '24

I read that story too. So much for trusting these big companies with our info, right? #PrivacyFail

16

u/du_ra Jan 04 '24

I wouldn’t trust them either, but using the same password everywhere is a user problem. Yeah, you can force 2fa, but there are users who don’t want to or can’t use this and then you lose customers.

9

u/[deleted] Jan 04 '24

[deleted]

-2

u/du_ra Jan 04 '24

That’s absolutely unrealistic; if you do this people will have a hard time finding a working password. And most of these lists aren’t even publicly available, so you need to check online services for this and pay for it.

7

u/[deleted] Jan 04 '24

[deleted]

-5

u/du_ra Jan 04 '24

Okay, so if my password is "!siExjeg45", then nobody should be able to use this? That’s bs. So with millions and billions of leaked passwords you can try hundreds of combinations before finding a working one…

And correlating the password with the user is not only really hard, it’s also against privacy and, at least in the EU, illegal. Besides the aspect of checking them and the companies who save the leaked ones without permission. And even they don’t have every leaked list.

30

u/Killer_Bhree Jan 04 '24

…they’re not exactly wrong but it’s still bad optics and unlikely to make them look any better

0

u/[deleted] Jan 04 '24

No, they are exactly wrong...

8

u/Killer_Bhree Jan 04 '24

Recycling passwords is a bad practice, no?

0

u/[deleted] Jan 04 '24

Yes, completely agree, but from what I'm seeing there were actually multiple breaches and they stole data not just from the people with weak/re-used passwords. I think the majority of victims did not do anything specifically wrong. Am I wrong about that?

8

u/Killer_Bhree Jan 04 '24

From what I gather, the main cause of the breach was weak passwords that attackers were able to target based on available breach data. The only fault on the company side is the “feature” of connecting with other “potential relatives” which allowed attackers to move/spread through the network—and that’s an opt-in thing iirc

5

u/[deleted] Jan 04 '24

"The 23andMe data breach began with hackers accessing about 14,000 user accounts through a method known as credential stuffing, where they brute-forced accounts using passwords known to be associated with the targeted customers. After breaching these initial accounts, the attackers were able to access the personal data of 6.9 million other users who had opted-in to 23andMe’s DNA Relatives feature. This feature, designed to share data with potential relatives on the platform, inadvertently allowed the hackers to scrape personal data from millions of accounts not directly hacked"

https://news.yahoo.com/23andme-tells-victims-fault-data-164215889.html

So they had no methods to protect against brute forcing, similar to Apple's iCloud during the time of the Fappening data breach, and then most of the people were bit by a feature that 23andMe built... so yeah, sounds like a smoke screen to me...

20

u/du_ra Jan 04 '24

If you use the same (mostly weak) password on multiple sites it is mainly your fault and the website which was hacked to get your password. Period.

And yes, enforcing 2fa is better, but there are many people who hate it or can’t use it and I’m very sure they would enter that in every link in a phishing mail.

8

u/[deleted] Jan 04 '24

So sure, if that was the only problem... they had multiple breaches and people who were not specifically targeted also got their data stolen, right?

6

u/du_ra Jan 04 '24

It’s the data the accounts had access to. So if you allow other persons to see your data and they get hacked, your data can be copied too, that’s true. But as far as I know it was opt-in to show it to others.

1

u/[deleted] Jan 04 '24

I mean it's on 23andMe... they built the feature and then they failed to secure their endpoints against basic known attacks like brute force methods... I mean how often have you come across a site that does not block you after a few incorrect attempts? This just sounds like lazy negligence...

8

u/du_ra Jan 04 '24

It was not just "brute-force", it was a credential stuffing attack. Blocking after some failed attempts is not helping much. Yes, it makes it a bit more annoying, but today you just use big IP ranges or botnets to attack. Credential stuffing works with the vast majority of websites. Some exceptions like Google check your location, but even that is not a huge problem with a VPN.

Only 2fa could really help, and users who use the same password everywhere are also likely to fall for a phishing attack. And you lose customers who don’t want or can’t use 2fa.

-1

u/[deleted] Jan 04 '24 edited Jan 04 '24

A credential stuffing attack is a known method of attack and if they cared they could have guarded against it...

Companies can guard against credential stuffing. Some effective measures include:

Stronger Password Policies: Enforcing complex password requirements makes it harder for attackers to guess passwords.

Multi-factor Authentication (MFA): This adds an extra layer of security beyond just a password.

Regular Password Resets: Encouraging or requiring users to change passwords periodically can prevent long-term use of compromised credentials.

Account Lockout Mechanisms: Temporarily locking accounts after several failed login attempts can thwart brute-force attempts.

Monitoring and Alerting: Implementing systems to detect unusual login patterns and alerting users can help in early detection of such attacks.

Educating Users: Informing users about the importance of unique passwords for different services can reduce the risk of credential stuffing.

6

u/du_ra Jan 04 '24

And which of these, except enforcing 2fa, is missing at 23andme? (And regular password resets are not recommended by most security experts because it’s annoying and users tend to use even weaker passwords.)

2

u/[deleted] Jan 04 '24

I mean all of them, that's why they failed to prevent the attacks, right? If they had good opsec they would not have had this issue.

If you really want to blame 14k users for a data breach that affected nearly 7 million... you are going to need a stronger defense than that.

When I build a weak system that breaks, I do not blame my users... it was my failing. I built the damn thing.

5

u/du_ra Jan 04 '24

And as mentioned, they don’t prevent this. I work in this field and except 2fa auth nothing of this really helps.

And again about the users that were affected: So if I hack a Facebook account with 1000 friends, then it’s Facebook's lack of security that I had access to the shared data of these 1000 friends? That’s crazy. These users opted in to other people seeing their data.

0

u/[deleted] Jan 04 '24

And as mentioned, they don’t prevent this

Correct, they failed their users.

I work in this field and except 2fa auth nothing of this really helps.

So they did not implement 2fa, how is that their users fault?

And again about the users that were affected: So if I hack a Facebook account with 1000k friends, then it’s Facebook lack of security that I had access to the shared data of these 1000 friends? That’s crazy.

Sorry, I don't follow.

If you really do work in the field, I hope you learned something from this beyond: "Only the users are to blame."

If not, please let me know who you work for so I can avoid using your products.


0

u/[deleted] Jan 04 '24

[deleted]

6

u/RandomComputerFellow Jan 04 '24

I do not know why you are downvoted. You should never reuse passwords, but it is absolutely true that web services should / must take precautions in case people do, because there will always be people with less knowledge about security who reuse them.

13

u/Truckaduckduck Jan 04 '24

23andme’s data will be the source of the next genetic cleansing. People are fools to willingly give such info away. Their descendants will no doubt pay the price.

7

u/papercutsfrfr Jan 04 '24

yeah you could potentially submit your sample and indirectly implicate your mom's second cousin's brother who carved up a few human jack-o'-lanterns and left a bunch of DNA but got away because it wasn't in the system. but they've been holding the DNA he left behind for a decade, and all of the sudden you send your sample in and you're so freakin' stoked to find out what percentage Swahili you are, but instead your sample registers as a 25% match to a sample in the violent crime database and now you have to help the cops figure out which one of your mom's insane relatives bled a few people dry

5

u/Dalmus21 Jan 04 '24

And for anyone thinking that this isn't a thing, they are wrong. Some states mandate a DNA sample from anyone entering the System for this exact reason.

On one hand, why would you not want to help locate an insane mass murderer?

On the other hand, faceless unelected bureaucrats now have a huge genetic library from their own sources and from 23andMe, Ancestry.com and whoever else that can in theory eventually be used to profile people who haven't committed any crimes.

3

u/West-Progress2085 Jan 04 '24

it’s not about not catching criminals. that’s fine I guess. coming from them it’s like barely neutral, because it just shows you they had other plans for all this DNA, this was the plan from the beginning, this is the real business. they have all kinds of deals with pharma and insurance companies and all that. look it up. how obvious could it be when you realize SERGEI BRIN is the partner of the founder of 23andMe. do you think she came up with this business model all on her own? it’s exactly what Google did with data and look at them now. kings of the Globe

2

u/Dalmus21 Jan 04 '24

Oh, I think there are individuals who actually DO have the limited goal of catching cold-case murderers/rapists, just like the sheeple who think it's only about learning where their ancestors probably came from.

But the companies themselves stand to make a lot of money (as you said) by selling it to anybody that has anything to do with health care. And like I said before, the Government is full of people whose goals are maintaining/growing their own power and marginalizing (or attempting to criminalize, as we've seen the past few years) anybody that would dare to question them.

2

u/sanbaba Jan 04 '24

And these dolts paid them for the "privilege"... for what? Finding their lives somehow "more meaningful" now that they realize they are 2% more Inuit than expected? What the fuck is the tradeoff here?? Racist fools

3

u/[deleted] Jan 04 '24 edited Jan 14 '24

[deleted]

2

u/West-Progress2085 Jan 04 '24 edited Jan 04 '24

edit: sorry, I misread your comment so I renege my snarky comment lol

1

u/Misoriyu Jan 10 '24

genetic cleansing hasn't and still doesn't require DNA, schizo. you'd be smarter worrying about the spread of white supremacist values.

2

u/webfork2 Jan 06 '24

It's like a continuously unfolding example of what NOT to do before, during, and after a breach.

2

u/geoffala Jan 04 '24

I'm appalled that there's so many boot lickers and victim blamers in these comments with "they're right" comments. There are ways to prevent credential stuffing attacks and clearly they weren't doing it. Also the attackers were able to pull data of relatives via a compromised account, so please tell me how this was the fault of these 2nd+ degree victims?

5

u/du_ra Jan 04 '24

They agreed (opt-in!) that these accounts can read their data. If I send you a private message on Reddit and someone else is logged into your account, then it’s obvious that they can read the message.

4

u/TheAspiringFarmer Jan 04 '24

At risk of being captain obvious here…they’re actually right.

1

u/Mayayana Jan 04 '24

I read their explanation. There's a story about it today on Slashdot. They have a point. First, anyone who shares such data with an online company known to exploit and share the data is asking to lose their privacy.

Beyond that, the hacks were a result of people using the same password on different sites and the hackers guessing those passwords. That was 14K cases. The 6.9 million resulted because some of those 14K had agreed to share their data with other people on 23andMe. So basically, these people have made their own genetic data public, in 2 capacities. AND they didn't bother with password security. There's only so much an online company can do about that. No data shared online can be considered totally secure.

One common response is that 2FA should be required, but that has its own problems. First, why not just make it an option rather than a requirement? Further, 2FA typically requires a cellphone and brings cellphone privacy/security into the equation. 2FA can also make it difficult to get into your own accounts. For example, I was recently considering buying stocks online. It turned out that no company or bank would allow me to do that without a cellphone. They want to be able to send texts, get me to install an app, and increase their tracking. They could send a confirmation code to a landline, but they won't. They could send an email code, but they won't. Yet the US Treasury works just fine that way. So I'd need to manage my money on a cellphone where I have little control over app spying. And what if I lose my cellphone? Can I get that number back? It's just a Tracfone that I don't use much. Is it possible that I might actually lose access to my own stock holdings because I lost my phone?! I'm not taking a chance. The whole idea of that kind of 2FA is little more than a scam to gather more private data and to be able to send ads via text. So I decided to skip investing. It's risky enough betting in the Wall St casino, without adding to the risk.

1

u/SqualorTrawler Jan 04 '24

Whatever the case, all sites should force multifactor authentication and any remaining sites which don't should be called out.

The best way to avoid credential-stuffing attacks is unique passwords (and ideally unique logins) for each site.

And the best way to accomplish this is with a password manager, and no, you don't have to store the DB in the cloud if you don't want to. There are locally-controlled options like the many keepass applications which don't require that.

I want to make another pitch for password managers, and this is rarely commented upon:

Password managers provide a roster or log of any place you have credentials. What this means is periodically you can audit and weed places you might have an account on (and possibly other personal data) that you don't need anymore: an online store you made a one-time purchase at. An old e-mail account you don't use. You can log in and delete those and keep your online footprint smaller.

It also provides a worklist of places to do regular password changes at.

And lastly, you can record your "password reset hints" in your password manager records, so you can answer them differently at each site. Your "first car" can be mustardRanger17$change at one place and .98fortitude!!blast at another.

The only thing that can prevent credential stuffing is multifactor authentication. There is no easy and foolproof way to defend against this without it.

2

u/notaballitsjustblue Jan 04 '24

But they’re right.

1

u/Templar388z Jan 04 '24

I see it as 23andMe’s responsibility. Didn’t want your people to have their accounts breached? Then provide 2fa (Ancestry does this), require more secure passwords, etc. I’m surprised a company that deals with such sensitive data has such abysmal password and security requirements.

2

u/du_ra Jan 04 '24

Ancestry does this AFTER this happened, and as far as I know after 23andme.

1

u/[deleted] Jan 04 '24

Same logic as blaming victims of rape via clothes and everything, ALL but the fact a criminal committed a crime.👀 We know these assholes aren't stupid. Here it is the company themselves deflecting the blame to victims; NO, the most ridiculous circumstances on the part of the victim do NOT excuse the crime!🙄

If a credit card number is 1234 and I purchase a yacht, is it REALLY the fault of card holder? NO that would be me.🤣(fuck yachts. You could get a replica of the black pearl or something, but reinforced to modern standards.) Man... I hate this clown show.

-2

u/[deleted] Jan 04 '24

Side note: The people who defect the comparison of "how a thing is handled," to "rape," in this example.

It's like a person with an English degree dismissing AAVE. Bruh. You don't know what a dialect is, or that language famously branches off? Just because you don't like it, doesn't mean it is invalid.

Long live Urban dictionary, burn webster, oxford and all those other books.😁 /s

1

u/sanbaba Jan 04 '24

Admittedly, anyone thinking this service was ever a good idea to buy into is completely stupid, totally unconnected to any or all current events, but this level of unapologetic behavior... enronesque.

0

u/[deleted] Jan 04 '24

[deleted]

2

u/du_ra Jan 04 '24

They did.

-1

u/[deleted] Jan 04 '24

[deleted]

12

u/zhoushmoe Jan 04 '24

I see their PR team is already on the move here lol

-8

u/shortroundsuicide Jan 04 '24

I’m sorry but in a world full of password managers - if you use the same email and password for everything (and your password is abc123) then yes, you share part of the blame.

Since the hackers brute forced the passwords - what would YOU have suggested 23andme do differently to prevent this?

12

u/datise99 Jan 04 '24

Mandate 2fa, enforce higher password complexity, geofence user accounts based on nationality, passkeys/social logins, disable accounts after x failed attempts, warn accounts for logins with improbable travel, disable accounts for logins with impossible travel, captcha, throttle ips. All of these measures can either block or prevent the severity of these attacks.
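The "improbable travel" and "impossible travel" checks from this list, implemented as an added example that is not from anyone in the thread. The sample logins, their coordinates (standing in for a geo-IP lookup of the login's source address) and the speed thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed login events (not real data): (account, ISO timestamp, lat, lon), where the
# coordinates are what a geo-IP lookup of the login's source address would return.
SAMPLE_LOGINS = [
    ("alice@example.org", "2024-01-04T09:00:00+00:00", 40.71, -74.01),   # New York
    ("alice@example.org", "2024-01-04T09:40:00+00:00", 40.73, -73.99),   # New York, 40 min later
    ("alice@example.org", "2024-01-04T11:00:00+00:00", 52.52, 13.40),    # Berlin, 80 min later
    ("bob@example.org", "2024-01-04T08:00:00+00:00", 51.51, -0.13),      # London
    ("bob@example.org", "2024-01-04T20:00:00+00:00", 35.68, 139.69),     # Tokyo, 12 h later
    ("carol@example.org", "2024-01-04T12:00:00+00:00", 48.86, 2.35),     # Paris
    ("carol@example.org", "2024-01-04T12:00:00+00:00", -33.87, 151.21),  # Sydney, same second
]

# Assumed thresholds: up to ground speed is fine, faster means only-by-air (warn),
# faster than any commercial flight means the same person cannot have made both logins.
IMPROBABLE_KMH = 120.0
IMPOSSIBLE_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth (R = 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def travel_verdict(speed_kmh):
    """Map the implied speed onto the two tiers named in the list above."""
    if speed_kmh > IMPOSSIBLE_KMH:
        return "impossible"
    if speed_kmh > IMPROBABLE_KMH:
        return "improbable"
    return "ok"

def check_travel(logins):
    """For each account, compare every pair of consecutive logins and report
    distance, elapsed time, implied speed and verdict."""
    by_acct = defaultdict(list)
    for acct, ts, lat, lon in logins:
        by_acct[acct].append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for acct, rows in by_acct.items():
        rows.sort(key=lambda r: r[0])
        for (t0, la0, lo0), (t1, la1, lo1) in zip(rows, rows[1:]):
            hours = (t1 - t0).total_seconds() / 3600.0
            km = haversine_km(la0, lo0, la1, lo1)
            if hours > 0:
                speed = km / hours
            else:  # simultaneous logins: impossible if the places differ, nothing to flag otherwise
                speed = math.inf if km > 1.0 else 0.0
            findings.append({"account": acct, "km": round(km), "hours": round(hours, 2),
                             "speed_kmh": math.inf if speed == math.inf else round(speed),
                             "verdict": travel_verdict(speed)})
    return findings

def actions(findings):
    """Collapse findings into the per-account response: warn on improbable travel,
    disable (pending review) on impossible travel; accounts with only "ok" pairs are omitted."""
    rank = {"ok": 0, "improbable": 1, "impossible": 2}
    worst = {}
    for f in findings:
        if rank[f["verdict"]] > rank[worst.get(f["account"], "ok")]:
            worst[f["account"]] = f["verdict"]
    return {a: {"improbable": "warn", "impossible": "disable"}[v] for a, v in worst.items()}
```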

-2

u/shortroundsuicide Jan 04 '24

Fair enough! But i think we can all agree on a couple things:

  1. Don’t trust ANY company to keep your shit secure

  2. Don’t reuse simple passwords for every one of your accounts

5

u/TrumpetTrunkettes Jan 04 '24

Whelp. Time to nuke those banking accounts.

6

u/shortroundsuicide Jan 04 '24

That’s why i only pay for things in handjobs

3

u/datise99 Jan 04 '24

We can’t expect perfect security but we shouldn’t give in to having minimum expectations met either. At all points in technology we have trust steps where companies are involved from DNS servers to email clients to keyboard apps and videogames. If you don’t want to use technology for anything important because you don’t trust anything that’s your choice. But not everyone has the means to make that choice, and as a society we increasingly don’t get one anymore as organizations move to digital services. That’s why privacy is important.

Also, no matter how hard you scream from the rafters not to reuse passwords, people will, because we're fucking stupid and make mistakes all the time. That’s why the onus is on platforms, staffed with paid experts who know better, to build solutions to negate these EXTREMELY BASIC ATTACKS. So I’m sorry but I just can’t get behind the user blaming. At most this is a learning opportunity for those users. Except that’s probably wasted too because the response from the platform is callous.

1

u/Zealousideal_Rate420 Jan 04 '24

  1. Make companies with bad security practices liable. If a random Reddit user knows these things and a dum dum like me can implement half of these things for my homelab, a multi-million company dealing with DNA data should do too.

1

u/Remarkable-Froyo-862 Jan 04 '24

their encryption was brute forced???

2

u/Zealousideal_Rate420 Jan 04 '24

The logins. They brute forced user passwords. Then they extracted the data the users had access to, which included relatives.

-3

u/shortroundsuicide Jan 04 '24

The article said they got the data. Which they got from guessing people’s passwords. Did the hackers decrypt the data??

-3

u/Remarkable-Froyo-862 Jan 04 '24

their encryption was brute forced???

3

u/datise99 Jan 04 '24

Your take entirely depends on 23 and me’s efforts. Preventing credential stuffing is table stakes defence nowadays. Why is 2fa not mandatory? Was the attack from a small set of origins and should have been detected or a bot net? What was the average failed attempts? What was the minimum password requirements when those accounts were made? And even if you ignore all of that…it’s still not classy to blame your users.

1

u/papercutsfrfr Jan 04 '24

they are not a classy company. they are in the business of making up a bunch of nonsense that attracts orphans, people without parents and white antiracists so they can combine it with all the data Google already has on you (the Google co-founder's wife is the 23andMe founder) and eventually just start duplicating folks. that's the future of credential stuffing

1

u/pimblepimble Jan 05 '24

23andme needs to be fully shut down and audited. This was a painfully obvious internal fake job, so they could sell their entire database to Russian and Chinese governments. It's the same as the Equifax fake-out where the bosses sold the database to scammers.

Then say "it wuz da hackers wot sold it guv'nor".

Audit every single person in management AND their family members, and you'll find mysterious large payments into their banks etc.