this post was submitted on 03 Jan 2024
747 points (93.7% liked)

Technology

59135 readers
2184 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

top 50 comments
sorted by: hot top controversial new old
[–] dpkonofa@lemmy.world 202 points 10 months ago (27 children)

I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

  1. 23andMe was not hacked or breached.
  2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
  3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
  4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
  5. All compromised accounts did not have MFA enabled.
  6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
  7. No data that wasn't opted into was shared.
  8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.

[–] Kittenstix@lemmy.world 64 points 10 months ago (6 children)

I think most internet users are straight up smooth brained, i have to pull my wife's hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she's just lucky she didn't have the cc attached to it.

And she makes 3 times as much as I do, there is no helping people.

[–] SnotFlickerman@lemmy.blahaj.zone 35 points 10 months ago* (last edited 10 months ago) (3 children)

These people remind me of my old roommate who "just wanted to live in a neighborhood where you don't have to lock your doors."

We lived kind of in the fucking woods outside of town, and some of our nearest neighbors had a fucking meth lab on their property.

I literally told him you can't fucking will that want into reality, man.

You can't just choose to leave your doors unlocked hoping that this will turn out to be that neighborhood.

I eventually moved the fuck out because I can't deal with that kind of hippie dippie bullshit. Life isn't fucking The Secret.

[–] c0mbatbag3l@lemmy.world 24 points 10 months ago (4 children)

I have friends that occasionally bitch about the way things are but refuse to engage with whatever systems are set up to help solve whatever given problem they have. "it shouldn't be like that! It should work like X"

Well, it doesn't. We can try to change things for the better but refusal to engage with the current system isn't an excuse for why your life is shit.

load more comments (4 replies)
load more comments (2 replies)
load more comments (5 replies)
[–] MimicJar@lemmy.world 13 points 10 months ago (4 children)

I agree, by all accounts 23andMe didn't do anything wrong, however could they have done more?

For example the 14,000 compromised accounts.

  • Did they all login from the same location?
  • Did they all login around the same time?
  • Did they exhibit strange login behavior like always logged in from California, suddenly logged in from Europe?
  • Did these accounts, after logging in, perform actions that seemed automated?
  • Did these accounts access more data than the average user?

In hindsight some of these questions might be easier to answer. It's possible a company with even better security could have detected and shutdown these compromised accounts before they collected the data of millions of accounts. It's also possible they did everything right.

A full investigation makes sense.

[–] dpkonofa@lemmy.world 25 points 10 months ago (2 children)

I already said they could have done more. They could have forced MFA.

All the other bullet points were already addressed: they used a botnet that, combined with the "last login location" allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.

A full investigation makes sense but the OP is about 23andMe's statement that the crux is users reusing passwords and not enabling MFA and they're right about that. They could have done more but, even then, there's no guarantee that someone with the right username/password combo could be detected.

load more comments (2 replies)
load more comments (3 replies)
load more comments (24 replies)
[–] KingThrillgore@lemmy.ml 51 points 10 months ago (1 children)

Blaming your customers is definitely a strategy. It's not a good one, but it is a strategy.

BRB deleting my 23AndMe account

[–] Rodeo@lemmy.ca 13 points 10 months ago (4 children)

As if deleting your account deletes your data.

load more comments (4 replies)
[–] douglasg14b@lemmy.world 43 points 10 months ago (10 children)

OP spreading disinformation.

Users used bad passwords. Their accounts where accessed using their legitimate, bad, passwords.

Users cry about the consequences of their bad passwords.

Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves

[–] mp04610@lemm.ee 17 points 10 months ago (2 children)

From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature.

How exactly are these 6.9M users at fault? They opted in to a feature of the platform that had nothing to do with their passwords.

On top of that, the company should have enforced strong passwords and forced 2FA for all accounts. What they're doing is victim blaming.

load more comments (2 replies)
[–] AdamEatsAss@lemmy.world 16 points 10 months ago* (last edited 10 months ago)

Are you telling me a password of 23AndMe! Is bad? It meets all the requirements.

load more comments (8 replies)
[–] elscallr@lemmy.world 37 points 10 months ago (1 children)

Reusing credentials is their fault. Sure, 23&me should've done better, but someone was likely to get fucked, and if you're using the same password everywhere it is objectively your fault. Get a password manager, don't make the key the same compromised password, and stop being stupid.

load more comments (1 replies)
[–] EndOfLine@lemmy.world 33 points 10 months ago (9 children)

23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users

I'm honestly asking what the impact to the users is from this breach. Wasn't 23andMe already free to selling or distribute this data to anybody they wanted to, without notifying the users?

[–] hoshikarakitaridia@sh.itjust.works 30 points 10 months ago* (last edited 10 months ago) (1 children)

That's not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.

I would assume they had some deals with law enforcement to transmit data one narrow circumstances.

I'm honestly asking what the impact to the users is from this breach.

Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.

This is different. This is a breach and if you have a company taking care of such sensitive data, it's your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they've established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt on some regard.

[–] givesomefucks@lemmy.world 17 points 10 months ago (6 children)

If they really do blame this on the users

It's not that they said:

It's your fault your data leaked

What they said was (paraphrasing):

A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.

Which, honestly?

Completely valid. The only way to stop this would be for 23andme to monitor these "hack lists" and notify any email that also has an account on their website.

Side note:

Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.

load more comments (6 replies)
load more comments (8 replies)
[–] reverendsteveii@lemm.ee 32 points 10 months ago (7 children)

“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account's data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

load more comments (7 replies)
[–] Dasnap@lemmy.world 28 points 10 months ago (4 children)
load more comments (4 replies)
[–] Duamerthrax@lemmy.world 23 points 10 months ago (6 children)

They're right. It the customer's fault for giving them the data in the first place.

[–] lagomorphlecture@lemm.ee 21 points 10 months ago (3 children)

But hear me out, I have no control over my cousin or aunt or some random relative getting one of these tests and now this shitty company has a pretty good idea what a large chunk of my DNA looks like. If people from both sides of my family do it they have an even better idea what my genetic profile looks like. That's not my fault, I never consented to it, and it doesn't seem ok.

load more comments (3 replies)
[–] Buffaloaf@lemmy.world 11 points 10 months ago (7 children)

If your credit card information gets stolen because someone stole it from a website you bought something off of, is that your fault?

load more comments (7 replies)
load more comments (4 replies)
[–] SocialMediaRefugee@lemmy.world 20 points 10 months ago (1 children)

Giving your genetic info to them is the first mistake

[–] CrowAirbrush@lemmy.world 12 points 10 months ago

I see this trend of websites requesting your identification and all i think is: i don't even trust my own government with a copy why the hell should i trust a business?

Instant skip.

[–] reverendsteveii@lemm.ee 20 points 10 months ago (5 children)

https://haveibeenpwned.com/

Gentle reminder to plop your email address in here and see if you, much like 14,000 23andMe users, have had an account compromised somewhere. Enable two-factor where you can and don't reuse passwords.

load more comments (5 replies)
[–] TheEighthDoctor@lemmy.world 19 points 10 months ago (14 children)

And I agree with them, I mean 23andMe should have a brute-force resistant login implementation and 2FA, but you know that when you create an account.

If you are reusing creds you should expect to be compromised pretty easily.

[–] Max_P@lemmy.max-p.me 28 points 10 months ago* (last edited 10 months ago) (7 children)

A successful breach of a family member's account due to their bad security shouldn't result in the breach of my account. That's the problem.

Edit: so people stop asking, here's their docs on DNA relatives: https://customercare.23andme.com/hc/en-us/articles/212170838

Showing your genetic ancestry results makes select information available to your matches in DNA Relatives

It clearly says select information, which one could reasonably assume is protecting of your privacy. All the reports seem to imply the hackers got access to much more than just the couple fun numbers the UI shows you.

At minimum I hold them responsible for not thinking this feature through enough that it could be used for racial profiling. That's the equivalent of being searchable on Facebook but they didn't think to not make your email, location and phone number available to everyone who searches for you. I want to be discoverable by my friends and family but I'm not intending to make more than my name and picture available.

[–] givesomefucks@lemmy.world 16 points 10 months ago* (last edited 10 months ago) (6 children)

A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem

I mean...

You volunteered to share your info with that person.

And that person reused a email/password that was compromised.

How can 23andme prevent that?

It sucks, but it's the fault of your relative that you entrusted with access to your information.

No different than if you handed them a hardcopy and they left it on the table of McDonald's .

Quick edit:

It sounds like you think your account would be compromised, that's not what happened. Only info you shared with the compromised relative becomes compromised. They don't magically get your password.

But you still choose to make it accessible to that relatives account by accepting their request to share

load more comments (6 replies)
[–] argo_yamato@lemm.ee 11 points 10 months ago

Yep it was 14,000 that were hacked, the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe's response is what to expect since companies will never put their customers safety ahead of their profits.

[–] dpkonofa@lemmy.world 11 points 10 months ago

I doesn't. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member's account and their account getting accessed because their banking password was "Password1" or their PIN was "1234".

[–] eager_eagle@lemmy.world 8 points 10 months ago

afaik there was no breach of private data, only the kind of data shared to find relatives, which is opt-in and obviously not private to anyone who has seen how this service works. In other words, the only data "leaked" was the kind of data that was already shared with other 23andMe users.

[–] douglasg14b@lemmy.world 8 points 10 months ago

So if you enabled a setting that is opt-in only that allows sharing data between accounts and you are surprised that data was shared between accounts how is that not your fault?

load more comments (2 replies)
load more comments (13 replies)
[–] shehackedyou@lemmy.world 13 points 10 months ago

Well its also their fault for falling for 23andMe because its basically a scam. The data is originally self-selected data sets then correlating a few markers tested once, to match you to their arbitrary groups, isn't exactly how genetics work is done.

Its actually cheap as, maybe cheaper to get 50x full genome sequencing from a company that actually doesn't sell your data; where 23andMe business model was running a few marker tests to appease their audience they kept in the dark of how modern genetics works; then keep the same for full genome sequencing later because that shit only gets more valuable over time.

Its what makes genetics weird. A sample taken 10 years ago, will reveal so much more about you 5 years from now, like massively more.

[–] cloud_herder@lemmy.world 12 points 10 months ago

Lmfao what? I can’t wait to watch this play out…

[–] banneryear1868@lemmy.world 11 points 10 months ago (1 children)

I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.

[–] dukk@programming.dev 15 points 10 months ago

Not your fault if you did have a strong password but your data was leaked through the sharing anyways…

[–] stealth_cookies@lemmy.ca 10 points 10 months ago (1 children)

I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.

[–] ThatWeirdGuy1001@lemmy.world 15 points 10 months ago (3 children)

Maybe there should be some type of regulation that prevents that from happening considering the average person doesn't think of shit like that because they don't expect to be fucked over in every conceivable way

load more comments (3 replies)
[–] autotldr@lemmings.world 9 points 10 months ago

This is the best summary I could come up with:


“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.

The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords.

23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.

Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving,” and “a desperate attempt” to protect itself and deter customers from going after the company.


The original article contains 721 words, the summary contains 184 words. Saved 74%. I'm a bot and I'm open source!

[–] Imgonnatrythis@sh.itjust.works 9 points 10 months ago (2 children)

I wonder if they can identify a genetic predisposition that these patients had that made them more prone to compromising their passwords? And then if so, was it REALLY their fault?

load more comments (2 replies)
load more comments
view more: next ›