this post was submitted on 03 Jan 2024
11 points (92.3% liked)

Technology

58115 readers
4097 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
11
23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)
submitted 8 months ago by [email protected] to c/[email protected]
38 comments fedilink hide all child comments
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

top 38 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 8 months ago

I'm just of the general opinion that any personal data you entrust to any corporation is going to be at risk - regardless of it's assurances. There's also a risk of that corporation being legitimately acquired by another thus nullifying previous TOS, etc. Or worse case, they sell all your info anyway. Connected technology is moving quickly. What might seem safe to share today could become the basis of an insurance claim denial when they discover a genetic predisposition they believe you were obligated to disclose.

[–] [email protected] 1 points 8 months ago

This is at least partly true. If you reuse the same information, you should expect to get pwned

[–] [email protected] 1 points 8 months ago

I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.

[–] [email protected] 0 points 8 months ago (2 children)

“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account's data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

[–] [email protected] 1 points 8 months ago

I don't think so. Those users had opted in to share information within a certain group. They've already accepted the risk of sharing info with someone who might be untrustworthy.

Plenty of other systems do the same thing. I can share the list of games on my Steam account with my friends - the fact that a hacker might break into one of their accounts and access my data doesn't mean that this sharing of information is broken by design.

If you choose to share your secrets with someone, you accept the risk that they may not protect them as well as you do.

There may be other reasons to criticise 23andMe's security, but this isn't a broken design.

[–] [email protected] -1 points 8 months ago (1 children)

And it's your fault you have access to them. Stop doing bad things and keep your information secure.

[–] [email protected] -1 points 8 months ago (1 children)

you clearly have no familiarity with the principles of information security. 23andMe failed to follow a basic principle: defense in depth. The system should be designed such that compromises are limited in scope and cannot be leveraged into a greater scope. Password breaches are going to happen. They happen every day, on every system on the internet. They happen to weak passwords, reused passwords and strong passwords. They're so common that if you don't design your system assuming the occasional user account will be compromised then you're completely ignoring a threat vector, which is on you as a designer. 23andMe didn't force 2 factor auth (https://techcrunch.com/2023/11/07/23andme-ancestry-myheritage-two-factor-by-default/) and they made it so every account had access to information beyond what that account could control. These are two design decisions that enabled this attack to succeed, and then escalate.

[–] [email protected] -1 points 8 months ago

Didn't say /s...

[–] [email protected] 0 points 8 months ago (2 children)

23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users

I'm honestly asking what the impact to the users is from this breach. Wasn't 23andMe already free to selling or distribute this data to anybody they wanted to, without notifying the users?

[–] [email protected] 0 points 8 months ago (1 children)

I’m honestly asking what the impact to the users is from this breach.

The stolen info was used to databases of people with jewish ancestry that were sold on the dark web. I think there was a list of similar DB of people with chinese ancestry. 23andme's poor security practices have directly helped violent white supremecists find targets.

If you're so incompetent that you can't stop white supremecists from getting identifiable information about people from minorities, there is a compelling public interest for your company to be shut down.

[–] [email protected] -1 points 8 months ago (1 children)

That is a whoooolllee lot of assumptions

[–] [email protected] 0 points 8 months ago (1 children)

Why do you think someone would buy illegally obtained lists of people with Jewish or Chinese ancestry? And who do you think would be buying it?

[–] [email protected] -1 points 8 months ago (1 children)

Scammers, that opens up a lot of scam potential.

Hi, I’m your new cousin.

[–] [email protected] 0 points 8 months ago* (last edited 8 months ago) (1 children)

Scammers would buy all info, not specifically targeted to people of Jewish or Chinese descent. That’s not what’s being sold.

Who do you think would want only information about people with Jewish or Chinese ancestry, and why?

[–] [email protected] -1 points 8 months ago (1 children)

OK you’re gonna have to give me a link to what you’re talking about. It feels like you are being specific, and I am being generic.

[–] [email protected] 0 points 8 months ago (1 children)

It’s the same incident, the OP article just didn’t mention it.

[–] [email protected] -1 points 8 months ago

In this case, I think it is more likely to be some type of Arab major nation, for the Jewish one, and I don’t know about the Chinese.

What I do know is there pretty much every white supremacists I have known has been one of the white supremacist stereotypes to a T.

Anything higher level than that it’s just conspiracy theory level on my part at least with that one information point.

[–] [email protected] 0 points 8 months ago* (last edited 8 months ago) (1 children)

That's not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.

I would assume they had some deals with law enforcement to transmit data one narrow circumstances.

I'm honestly asking what the impact to the users is from this breach.

Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.

This is different. This is a breach and if you have a company taking care of such sensitive data, it's your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they've established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt on some regard.

[–] [email protected] 0 points 8 months ago (1 children)

If they really do blame this on the users

It's not that they said:

It's your fault your data leaked

What they said was (paraphrasing):

A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.

Which, honestly?

Completely valid. The only way to stop this would be for 23andme to monitor these "hack lists" and notify any email that also has an account on their website.

Side note:

Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.

[–] [email protected] 0 points 8 months ago (1 children)

That's not 23 and me fault at all then. Basically boils down to password reuse. All i would say is they should have provided 2fa if they didn't.

[–] [email protected] 0 points 8 months ago (1 children)

All i would say is they should have provided 2fa if they didn’t.

At this point, every company not using 2FA is at fault for data hacks. Most people using the internet have logins to 100's of sites. Knowing where to do to change all your passwords is nearly impossible for a seasoned internet user.

[–] [email protected] 0 points 8 months ago (1 children)

A seasoned internet user has a password manager.

Not using one is your negligence, no one else's.

[–] [email protected] -1 points 8 months ago

One password to break them all, and in the dark web bind them.

[–] [email protected] 0 points 8 months ago (2 children)

I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

  1. 23andMe was not hacked or breached.
  2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
  3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
  4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
  5. All compromised accounts did not have MFA enabled.
  6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
  7. No data that wasn't opted into was shared.
  8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.

[–] [email protected] 0 points 8 months ago (1 children)

I think most internet users are straight up smooth brained, i have to pull my wife's hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she's just lucky she didn't have the cc attached to it.

And she makes 3 times as much as I do, there is no helping people.

[–] [email protected] 0 points 8 months ago* (last edited 8 months ago) (1 children)

These people remind me of my old roommate who "just wanted to live in a neighborhood where you don't have to lock your doors."

We lived kind of in the fucking woods outside of town, and some of our nearest neighbors had a fucking meth lab on their property.

I literally told him you can't fucking will that want into reality, man.

You can't just choose to leave your doors unlocked hoping that this will turn out to be that neighborhood.

I eventually moved the fuck out because I can't deal with that kind of hippie dippie bullshit. Life isn't fucking The Secret.

[–] [email protected] 0 points 8 months ago (1 children)

I have friends that occasionally bitch about the way things are but refuse to engage with whatever systems are set up to help solve whatever given problem they have. "it shouldn't be like that! It should work like X"

Well, it doesn't. We can try to change things for the better but refusal to engage with the current system isn't an excuse for why your life is shit.

[–] [email protected] 0 points 8 months ago* (last edited 8 months ago) (1 children)

~~The bootlickers really come out of the woodwork here to suck on corporate boot.~~

Edit: wrong thread.

[–] [email protected] -1 points 8 months ago (1 children)

What in the fuck are you talking about? You’re the one standing up for the corporation

[–] [email protected] 0 points 8 months ago* (last edited 8 months ago) (1 children)

Yeah that is my bad, responded to the wrong thread.

In this case, the corporation isn't wrong that users aren't doing due dilligence.

[–] [email protected] -1 points 8 months ago

Happens to the best of us

[–] [email protected] -1 points 8 months ago (1 children)

Step 4 is where 23andme got hacked

[–] [email protected] 0 points 8 months ago (1 children)

By your logic I hack into every site I use by … checks notes presenting the correct username and password.

[–] [email protected] -1 points 8 months ago

It’s called social hacking,

[–] [email protected] -1 points 8 months ago* (last edited 8 months ago)

In a way, it kind of is their fault for trusting companies like this in the first place. I'd never consider using companies like this and both think and hope none of my family members would either.

Obviously, the breach is the company being incompetent like many companies are when it comes to security.

[–] [email protected] -2 points 8 months ago (1 children)

It is, it's their fault for sending their data to some company that wants your DNA. I'm curious too, but i'm not that dumb.

[–] [email protected] 0 points 8 months ago (1 children)

Victim blaming is so cool!

[–] [email protected] -1 points 8 months ago

ya'll are projecting a whole lot onto what i said here... go right ahead, i know that you will never see things any way but your own. Have a nice day.