this post was submitted on 26 Jan 2024

324 points (98.5% liked)

Technology

59390 readers

4323 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

324

23andMe admits it didn't detect cyberattacks for months (techcrunch.com)

submitted 9 months ago by [email protected] to c/[email protected]

16 comments fedilink hide all child comments

all 17 comments

sorted by: hot top controversial new old

[–] [email protected] 19 points 9 months ago* (last edited 9 months ago) (2 children)

I kept my DNA out of those services, because they felt like they were on the "socks-for-cats dot com" side of the internet hosting maturity scale...

I hate being right. Maybe I'm being unfair, but I'm glad I waited.

Edit: At least it's not as stupid as someone emailed an excel sheet or left an admin password set to "princess".

In my opinion, we need much higher security standards for companies that track ancestry or DNA data, because there are active fascists out there willing to pay a premium for that data. And we need to not let that happen again. https://en.m.wikipedia.org/wiki/IBM_and_the_Holocaust

Edit 2:

Fuck. I hate being right.

https://techcrunch.com/2023/12/04/23andme-confirms-hackers-stole-ancestry-data-on-6-9-million-users/

"In early October, a hacker claimed to have stolen the DNA information of 23andMe users in a post on a well-known hacking forum. As proof of the breach, the hacker published the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users, asking would-be buyers for $1 to $10 for the data per individual account."

[–] [email protected] 6 points 9 months ago

Once bitten twice shy. Except some people refuse to learn entirely so be glad that your attitude allows you to not fall into that camp.

[–] [email protected] 6 points 9 months ago

If any of your close relatives submitted their dna, you're in there too

[–] [email protected] 2 points 9 months ago (2 children)

Brute force attacks on a huge number of accounts on an online site?

[+] [email protected] 36 points 9 months ago (3 children)

[deleted]

[–] [email protected] 3 points 9 months ago (2 children)

That's only after they broke in.

So to be clear: the attackers logged into people's accounts, using those people's passwords that they stole from other sites, and then got access to those people's data and the data shared with those people.

I don't see how any of this is a hack. If you gave me your login and password, then I would be able to do the same thing. Is that hacking?

[–] [email protected] 6 points 9 months ago (1 children)

The "unauthorized access" portion is what makes it a hack. It's not a super technical hack, but it's a hack.

[–] [email protected] 2 points 9 months ago

Ahhh, I always forget that use of the term. In that case yes.

[–] [email protected] 4 points 9 months ago (1 children)

the heck was when they got the username and password. this is just the extended consequences because people use the same password for everything.

[–] [email protected] 2 points 9 months ago (1 children)

That is correct. But they didn't get that from 23andMe. They got the username and password from other sites that were hacked, and the affected users were those that had the same password on 23andme. This is not a 23andMe security issue.

[–] [email protected] 2 points 9 months ago

that's kind of fair, but part of the point is that they didn't even need to access the accounts of people that were compromised. they just needed to access someone who was related to them to access their genetic info.

[–] [email protected] 3 points 9 months ago

access to a ton of information if you were “related” to one another

This is what I never understood: isn’t that the entire selling point of the service? To share a huge amount of what should be personal data, that you wouldn’t willingly share normally? How do they still exist?

[–] [email protected] 1 points 9 months ago (2 children)

If the attack was carried out over one IP address, they should have been able to detect it.

There is no real reason why 7 million different accounts access the site from one location.

I don't know how sophisticated the attack was but the future threat is instead of DDOS attacks would be distributed ACCESS attacks where millions of controlled devices attack a site with known credentials to download small bits of information over time. Even better if you can work out ahead of time the account's general location and then assign devices in the area to access that account.

[–] [email protected] 1 points 9 months ago

yeah, pretty sure they didn't think of that

[–] [email protected] 1 points 9 months ago

That kind of attack is already a thing; whole it will most likely remain one in the future, it is one in the present as well.

[–] [email protected] 14 points 9 months ago* (last edited 9 months ago)

Credential stuffing using botnets spread over months. It would look almost identical to legit login requests.

[–] [email protected] 2 points 9 months ago

This is the best summary I could come up with:

In a data breach notification letter filed with regulators this weekend, 23andMe revealed that hackers started breaking into customers’ accounts in April 2023 and continued through most of September.

In other words, for around five months, 23andMe did not detect a series of cyberattacks where hackers were trying — and often succeeding — in brute-forcing access to customers’ accounts, according to a legally required filing 23andMe sent to California’s attorney general.

According to the company, 23andMe became aware of the breach in October when hackers advertised the stolen data in posts published on the unofficial 23andMe subreddit and separately on a notorious hacking forum.

The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

Data breach lawyers called the terms of service changes “cynical,” “self-serving,” and “a desperate attempt” to protect 23andMe against its own customers.

“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” 23andMe claimed in a letter to breach victims.

The original article contains 400 words, the summary contains 176 words. Saved 56%. I'm a bot and I'm open source!