this post was submitted on 26 Jan 2024
321 points (98.5% liked)

23andMe admits hackers stole raw genotype data - and that cyberattack went undetected for months | Firm says it didn't realize customers were being hacked

[–] Morphit@feddit.uk 4 points 9 months ago (1 children)

They wouldn't need to access 14,000 separate accounts if they had internal access to the database.

The article states they got access to "private data" from 6.9 million other users via a 'DNA relatives' feature but doesn't explain what kind of information that is. For those accounts that got directly accessed, it seems unlikely the hackers requested and intercepted an email for every one without being noticed sooner. Sounds like they only scraped what's available on the site itself but it'd be nice if the article actually detailed that.

[–] jonne@infosec.pub 0 points 9 months ago (1 children)

Ah ok, didn't know we knew those details. I guess they found an API endpoint that allowed them to do this that isn't exposed through the website.

[–] huginn@feddit.it 3 points 9 months ago* (last edited 9 months ago)

The official RCA is credential stuffing.

Reused passwords are a bitch.

The main surprise is that you were able to get to genomic data with just a password. I thought it was only ever sent over email to the account email.

Maybe the attack involved changing email as well?