this post was submitted on 03 Jan 2024
777 points (94.0% liked)

Technology

58070 readers
2799 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
L4s@lemmy.world
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
777
23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)
submitted 8 months ago by Eezyville@sh.itjust.works to c/technology@lemmy.world
246 comments fedilink hide all child comments
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

top 50 comments
sorted by: hot top controversial new old
[–] dpkonofa@lemmy.world 209 points 8 months ago (30 children)

I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

  1. 23andMe was not hacked or breached.
  2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
  3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
  4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
  5. All compromised accounts did not have MFA enabled.
  6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
  7. No data that wasn't opted into was shared.
  8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.

[–] MimicJar@lemmy.world 12 points 8 months ago (5 children)

I agree, by all accounts 23andMe didn't do anything wrong, however could they have done more?

For example the 14,000 compromised accounts.

  • Did they all login from the same location?
  • Did they all login around the same time?
  • Did they exhibit strange login behavior like always logged in from California, suddenly logged in from Europe?
  • Did these accounts, after logging in, perform actions that seemed automated?
  • Did these accounts access more data than the average user?

In hindsight some of these questions might be easier to answer. It's possible a company with even better security could have detected and shutdown these compromised accounts before they collected the data of millions of accounts. It's also possible they did everything right.

A full investigation makes sense.

[–] dpkonofa@lemmy.world 24 points 8 months ago (1 children)

I already said they could have done more. They could have forced MFA.

All the other bullet points were already addressed: they used a botnet that, combined with the "last login location" allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.

A full investigation makes sense but the OP is about 23andMe's statement that the crux is users reusing passwords and not enabling MFA and they're right about that. They could have done more but, even then, there's no guarantee that someone with the right username/password combo could be detected.

load more comments (1 replies)
load more comments (4 replies)
load more comments (29 replies)
[–] capital@lemmy.world 74 points 8 months ago (6 children)

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

Turns out, it is.

What should a website do when you present it with correct credentials?

[–] Hegar@kbin.social 35 points 8 months ago* (last edited 8 months ago) (6 children)

What should a website do when you present it with correct credentials?

Not then give you access to half their customers' personal info?

Credential stuffing 1 grandpa who doesn't understand data security shouldn't give me access to names and genetics of 500 other people.

That's a shocking lack of security for some of the most sensitive personal data that exists.

load more comments (6 replies)
[–] ADTJ@feddit.uk 33 points 8 months ago (1 children)

What should it do? It should ask you to confirm the login with a configured 2FA

[–] capital@lemmy.world 17 points 8 months ago (3 children)

Yeah they offered that. I don’t think anyone with it turned on was compromised.

[–] rainerloeten@lemmy.world 20 points 8 months ago* (last edited 8 months ago) (2 children)

This shouldn't be "offered" IMHO, this should be mandatory. Yes, people are very ignorant about cyber security (I've studied in this field, trust me, I know). But the answer isn't to put the responsibility on the user! It is to design products and services which are secure by design.

If someone is actually able to crack accounts via brute-forcing common passwords, you did not design a secure service/product.

[Edit: spelling]

[–] Eezyville@sh.itjust.works 26 points 8 months ago (11 children)

I've noticed that many users in this thread are just angry that the average person doesn't take cybersecurity seriously. Blaming the user for using a weak password. I really don't understand how out of touch these Lemmy users are. The average person is not thinking of cybersecurity. They just want to be able to log into their account and want a password to remember. Most people out there are not techies, don't really use a computer outside of office work, and even more people only use a smartphone. Its on the company to protect user data because the company knows its value and will suffer from a breach.

load more comments (11 replies)
load more comments (1 replies)
load more comments (2 replies)
[–] Thann@lemmy.ml 32 points 8 months ago (2 children)
  1. IP based rate limiting
  2. IP locked login tokens
  3. Email 2FA on login with new IP
[–] Umbraveil@lemmy.world 19 points 8 months ago* (last edited 8 months ago)

IP-based mitigation strategies are pretty useless for ATO and credential stuffing attacks.

These days, bot nets for hire are easy to come by and you can rotate your IP on every request limiting you controls to simply block known bad IPs and data server IPs.

[–] CommanderCloon@lemmy.ml 10 points 8 months ago (3 children)

  1. The attackers used IPs situated in their victims regions to log in, across months, bypassing rate limiting or region locks / warnings

  2. I don't know if they did but it would seem trivial to just use the tokens in-situ once they managed to login instead of saving and reusing said tokens. Also those tokens are the end user client tokens, IP locking them would make people with dynamic IPs or logged in 5G throw a fuss after the 5th login in half an hour of subway

  3. Yeah 2FA should be a default everywhere but people just throw a fuss at the slightest inconvenience. We very much need 2FA to become the norm so it's not seen as such

load more comments (3 replies)
[–] KairuByte@lemmy.dbzer0.com 24 points 8 months ago (2 children)

So… we are ignoring the 6+ million users who had nothing to do with the 14 thousand users, because convenience?

Not to mention, the use of “brute force” there insinuates that the site should have had password requirements in place.

[–] capital@lemmy.world 12 points 8 months ago (2 children)

Please excuse the rehash from another of my comments:

How do you people want options on websites to work?

These people opted into information sharing.

When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

load more comments (2 replies)
[–] platypus_plumba@lemmy.world 10 points 8 months ago* (last edited 8 months ago)

It was credential stuffing. Basically these people were hacked in other services. Those services probably told them "Hey, you need to change your password because our database was hacked" and then they were like "meh, I'll keep using this password and won't update my other services that this password and personally identifiable information about myself and my relatives".

Both are at fault, but the users reusing passwords with no MFA are dumb as fuck.

load more comments (2 replies)
[–] KingThrillgore@lemmy.ml 46 points 8 months ago (1 children)

Blaming your customers is definitely a strategy. It's not a good one, but it is a strategy.

BRB deleting my 23AndMe account

[–] Rodeo@lemmy.ca 10 points 8 months ago (4 children)

As if deleting your account deletes your data.

load more comments (4 replies)
[–] douglasg14b@lemmy.world 42 points 8 months ago (14 children)

OP spreading disinformation.

Users used bad passwords. Their accounts where accessed using their legitimate, bad, passwords.

Users cry about the consequences of their bad passwords.

Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves

[–] mp04610@lemm.ee 19 points 8 months ago (2 children)

From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature.

How exactly are these 6.9M users at fault? They opted in to a feature of the platform that had nothing to do with their passwords.

On top of that, the company should have enforced strong passwords and forced 2FA for all accounts. What they're doing is victim blaming.

load more comments (2 replies)
[–] AdamEatsAss@lemmy.world 17 points 8 months ago* (last edited 8 months ago)

Are you telling me a password of 23AndMe! Is bad? It meets all the requirements.

load more comments (12 replies)
[–] elscallr@lemmy.world 36 points 8 months ago (2 children)

Reusing credentials is their fault. Sure, 23&me should've done better, but someone was likely to get fucked, and if you're using the same password everywhere it is objectively your fault. Get a password manager, don't make the key the same compromised password, and stop being stupid.

[–] Hegar@kbin.social 23 points 8 months ago* (last edited 8 months ago) (1 children)

It's at least 99.8% the company's fault.

Even if we blame those 14k password reusers, we're blaming 1 in every 500 victims. Being able to access genetic information and names of 6.9 million people - half your entire customers! - by hacking 0.02% of that is the fault of the company. They structured that access and failed to act on the obvious threat it represents.

But why blame password reusers? Not every grandparent interested in their family tree is capable of even understanding data security, let alone juggling multiple passwords or a PW manager.

Credential stuffing is an inevitable part of security landscape - especially for one time use accounts like genetics sites. A multimillion dollar IT department is just clearly responsible for preventing egregious data security failures.

[–] Chetzemoka@startrek.website 19 points 8 months ago (2 children)

They didn't get genetic raw data of anyone beyond the 14K, they got family relationship information. Which is an option you can turn on or off, if you want. It's very clear that you're exposing yourself to other people if you choose to see who you're related to. It doesn't expose raw data and it doesn't instantly expose names, just how they're related to you. (And most of the "relations" are 3rd to 5th cousins, aka strangers.)

Hackers used the genetic ancestry data of the 14K hacked users and their "relatives" connections to deduce large families of Ashkenazi Jews.

load more comments (2 replies)
load more comments (1 replies)
[–] EndOfLine@lemmy.world 35 points 8 months ago (12 children)

23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users

I'm honestly asking what the impact to the users is from this breach. Wasn't 23andMe already free to selling or distribute this data to anybody they wanted to, without notifying the users?

[–] hoshikarakitaridia@sh.itjust.works 29 points 8 months ago* (last edited 8 months ago) (1 children)

That's not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.

I would assume they had some deals with law enforcement to transmit data one narrow circumstances.

I'm honestly asking what the impact to the users is from this breach.

Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.

This is different. This is a breach and if you have a company taking care of such sensitive data, it's your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they've established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt on some regard.

[–] givesomefucks@lemmy.world 18 points 8 months ago (7 children)

If they really do blame this on the users

It's not that they said:

It's your fault your data leaked

What they said was (paraphrasing):

A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.

Which, honestly?

Completely valid. The only way to stop this would be for 23andme to monitor these "hack lists" and notify any email that also has an account on their website.

Side note:

Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.

load more comments (7 replies)
load more comments (11 replies)
[–] Dasnap@lemmy.world 31 points 8 months ago (4 children)

Bro just don't have DNA.

load more comments (4 replies)
[–] reverendsteveii@lemm.ee 27 points 8 months ago (7 children)

“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account's data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

load more comments (7 replies)
[–] reverendsteveii@lemm.ee 21 points 8 months ago (5 children)

https://haveibeenpwned.com/

Gentle reminder to plop your email address in here and see if you, much like 14,000 23andMe users, have had an account compromised somewhere. Enable two-factor where you can and don't reuse passwords.

load more comments (5 replies)
[–] SocialMediaRefugee@lemmy.world 20 points 8 months ago (1 children)

Giving your genetic info to them is the first mistake

[–] CrowAirbrush@lemmy.world 11 points 8 months ago

I see this trend of websites requesting your identification and all i think is: i don't even trust my own government with a copy why the hell should i trust a business?

Instant skip.

[–] TheEighthDoctor@lemmy.world 15 points 8 months ago (12 children)

And I agree with them, I mean 23andMe should have a brute-force resistant login implementation and 2FA, but you know that when you create an account.

If you are reusing creds you should expect to be compromised pretty easily.

[–] Max_P@lemmy.max-p.me 31 points 8 months ago* (last edited 8 months ago) (11 children)

A successful breach of a family member's account due to their bad security shouldn't result in the breach of my account. That's the problem.

Edit: so people stop asking, here's their docs on DNA relatives: https://customercare.23andme.com/hc/en-us/articles/212170838

Showing your genetic ancestry results makes select information available to your matches in DNA Relatives

It clearly says select information, which one could reasonably assume is protecting of your privacy. All the reports seem to imply the hackers got access to much more than just the couple fun numbers the UI shows you.

At minimum I hold them responsible for not thinking this feature through enough that it could be used for racial profiling. That's the equivalent of being searchable on Facebook but they didn't think to not make your email, location and phone number available to everyone who searches for you. I want to be discoverable by my friends and family but I'm not intending to make more than my name and picture available.

[–] givesomefucks@lemmy.world 15 points 8 months ago* (last edited 8 months ago) (6 children)

A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem

I mean...

You volunteered to share your info with that person.

And that person reused a email/password that was compromised.

How can 23andme prevent that?

It sucks, but it's the fault of your relative that you entrusted with access to your information.

No different than if you handed them a hardcopy and they left it on the table of McDonald's .

Quick edit:

It sounds like you think your account would be compromised, that's not what happened. Only info you shared with the compromised relative becomes compromised. They don't magically get your password.

But you still choose to make it accessible to that relatives account by accepting their request to share

load more comments (6 replies)
[–] argo_yamato@lemm.ee 13 points 8 months ago

Yep it was 14,000 that were hacked, the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe's response is what to expect since companies will never put their customers safety ahead of their profits.

[–] dpkonofa@lemmy.world 12 points 8 months ago

I doesn't. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member's account and their account getting accessed because their banking password was "Password1" or their PIN was "1234".

load more comments (8 replies)
load more comments (11 replies)
[–] shehackedyou@lemmy.world 14 points 8 months ago

Well its also their fault for falling for 23andMe because its basically a scam. The data is originally self-selected data sets then correlating a few markers tested once, to match you to their arbitrary groups, isn't exactly how genetics work is done.

Its actually cheap as, maybe cheaper to get 50x full genome sequencing from a company that actually doesn't sell your data; where 23andMe business model was running a few marker tests to appease their audience they kept in the dark of how modern genetics works; then keep the same for full genome sequencing later because that shit only gets more valuable over time.

Its what makes genetics weird. A sample taken 10 years ago, will reveal so much more about you 5 years from now, like massively more.

[–] Duamerthrax@lemmy.world 14 points 8 months ago (8 children)

They're right. It the customer's fault for giving them the data in the first place.

[–] lagomorphlecture@lemm.ee 19 points 8 months ago (3 children)

But hear me out, I have no control over my cousin or aunt or some random relative getting one of these tests and now this shitty company has a pretty good idea what a large chunk of my DNA looks like. If people from both sides of my family do it they have an even better idea what my genetic profile looks like. That's not my fault, I never consented to it, and it doesn't seem ok.

load more comments (3 replies)
load more comments (7 replies)
[–] cloud_herder@lemmy.world 12 points 8 months ago

Lmfao what? I can’t wait to watch this play out…

[–] stealth_cookies@lemmy.ca 12 points 8 months ago (1 children)

I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.

[–] ThatWeirdGuy1001@lemmy.world 15 points 8 months ago (3 children)

Maybe there should be some type of regulation that prevents that from happening considering the average person doesn't think of shit like that because they don't expect to be fucked over in every conceivable way

load more comments (3 replies)
[–] banneryear1868@lemmy.world 12 points 8 months ago (1 children)

I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.

[–] dukk@programming.dev 15 points 8 months ago

Not your fault if you did have a strong password but your data was leaked through the sharing anyways…

[–] Imgonnatrythis@sh.itjust.works 12 points 8 months ago (2 children)

I wonder if they can identify a genetic predisposition that these patients had that made them more prone to compromising their passwords? And then if so, was it REALLY their fault?

load more comments (2 replies)
load more comments
view more: next ›