this post was submitted on 03 Jan 2024
827 points (94.1% liked)

Technology

57435 readers
4091 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
827
23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)
submitted 7 months ago by [email protected] to c/[email protected]
279 comments fedilink hide all child comments
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 218 points 7 months ago (31 children)

I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

  1. 23andMe was not hacked or breached.
  2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
  3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
  4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
  5. All compromised accounts did not have MFA enabled.
  6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
  7. No data that wasn't opted into was shared.
  8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.

[–] [email protected] 71 points 7 months ago (7 children)

I think most internet users are straight up smooth brained, i have to pull my wife's hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she's just lucky she didn't have the cc attached to it.

And she makes 3 times as much as I do, there is no helping people.

[–] [email protected] 39 points 7 months ago* (last edited 7 months ago) (3 children)

These people remind me of my old roommate who "just wanted to live in a neighborhood where you don't have to lock your doors."

We lived kind of in the fucking woods outside of town, and some of our nearest neighbors had a fucking meth lab on their property.

I literally told him you can't fucking will that want into reality, man.

You can't just choose to leave your doors unlocked hoping that this will turn out to be that neighborhood.

I eventually moved the fuck out because I can't deal with that kind of hippie dippie bullshit. Life isn't fucking The Secret.

[–] [email protected] 25 points 7 months ago (4 children)

I have friends that occasionally bitch about the way things are but refuse to engage with whatever systems are set up to help solve whatever given problem they have. "it shouldn't be like that! It should work like X"

Well, it doesn't. We can try to change things for the better but refusal to engage with the current system isn't an excuse for why your life is shit.

load more comments (4 replies)
load more comments (2 replies)
load more comments (6 replies)
[–] [email protected] 15 points 7 months ago (5 children)

I agree, by all accounts 23andMe didn't do anything wrong, however could they have done more?

For example the 14,000 compromised accounts.

  • Did they all login from the same location?
  • Did they all login around the same time?
  • Did they exhibit strange login behavior like always logged in from California, suddenly logged in from Europe?
  • Did these accounts, after logging in, perform actions that seemed automated?
  • Did these accounts access more data than the average user?

In hindsight some of these questions might be easier to answer. It's possible a company with even better security could have detected and shutdown these compromised accounts before they collected the data of millions of accounts. It's also possible they did everything right.

A full investigation makes sense.

[–] [email protected] 27 points 7 months ago (2 children)

I already said they could have done more. They could have forced MFA.

All the other bullet points were already addressed: they used a botnet that, combined with the "last login location" allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.

A full investigation makes sense but the OP is about 23andMe's statement that the crux is users reusing passwords and not enabling MFA and they're right about that. They could have done more but, even then, there's no guarantee that someone with the right username/password combo could be detected.

load more comments (2 replies)
load more comments (4 replies)
load more comments (29 replies)
[–] [email protected] 78 points 7 months ago (6 children)

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

Turns out, it is.

What should a website do when you present it with correct credentials?

[–] [email protected] 40 points 7 months ago (2 children)
  1. IP based rate limiting
  2. IP locked login tokens
  3. Email 2FA on login with new IP
[–] [email protected] 21 points 7 months ago* (last edited 7 months ago)

IP-based mitigation strategies are pretty useless for ATO and credential stuffing attacks.

These days, bot nets for hire are easy to come by and you can rotate your IP on every request limiting you controls to simply block known bad IPs and data server IPs.

[–] [email protected] 13 points 7 months ago (3 children)

  1. The attackers used IPs situated in their victims regions to log in, across months, bypassing rate limiting or region locks / warnings

  2. I don't know if they did but it would seem trivial to just use the tokens in-situ once they managed to login instead of saving and reusing said tokens. Also those tokens are the end user client tokens, IP locking them would make people with dynamic IPs or logged in 5G throw a fuss after the 5th login in half an hour of subway

  3. Yeah 2FA should be a default everywhere but people just throw a fuss at the slightest inconvenience. We very much need 2FA to become the norm so it's not seen as such

load more comments (3 replies)
[–] [email protected] 37 points 7 months ago* (last edited 7 months ago) (6 children)

What should a website do when you present it with correct credentials?

Not then give you access to half their customers' personal info?

Credential stuffing 1 grandpa who doesn't understand data security shouldn't give me access to names and genetics of 500 other people.

That's a shocking lack of security for some of the most sensitive personal data that exists.

load more comments (6 replies)
[–] [email protected] 35 points 7 months ago (1 children)

What should it do? It should ask you to confirm the login with a configured 2FA

[–] [email protected] 22 points 7 months ago (3 children)

Yeah they offered that. I don’t think anyone with it turned on was compromised.

[–] [email protected] 22 points 7 months ago* (last edited 7 months ago) (4 children)

This shouldn't be "offered" IMHO, this should be mandatory. Yes, people are very ignorant about cyber security (I've studied in this field, trust me, I know). But the answer isn't to put the responsibility on the user! It is to design products and services which are secure by design.

If someone is actually able to crack accounts via brute-forcing common passwords, you did not design a secure service/product.

[Edit: spelling]

[–] [email protected] 28 points 7 months ago (11 children)

I've noticed that many users in this thread are just angry that the average person doesn't take cybersecurity seriously. Blaming the user for using a weak password. I really don't understand how out of touch these Lemmy users are. The average person is not thinking of cybersecurity. They just want to be able to log into their account and want a password to remember. Most people out there are not techies, don't really use a computer outside of office work, and even more people only use a smartphone. Its on the company to protect user data because the company knows its value and will suffer from a breach.

load more comments (11 replies)
load more comments (3 replies)
load more comments (2 replies)
[–] [email protected] 29 points 7 months ago (2 children)

So… we are ignoring the 6+ million users who had nothing to do with the 14 thousand users, because convenience?

Not to mention, the use of “brute force” there insinuates that the site should have had password requirements in place.

[–] [email protected] 14 points 7 months ago (2 children)

Please excuse the rehash from another of my comments:

How do you people want options on websites to work?

These people opted into information sharing.

When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

load more comments (2 replies)
load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 53 points 7 months ago (1 children)

Blaming your customers is definitely a strategy. It's not a good one, but it is a strategy.

BRB deleting my 23AndMe account

[–] [email protected] 13 points 7 months ago (4 children)

As if deleting your account deletes your data.

load more comments (4 replies)
[–] [email protected] 43 points 7 months ago (15 children)

OP spreading disinformation.

Users used bad passwords. Their accounts where accessed using their legitimate, bad, passwords.

Users cry about the consequences of their bad passwords.

Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves

[–] [email protected] 19 points 7 months ago (3 children)

From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature.

How exactly are these 6.9M users at fault? They opted in to a feature of the platform that had nothing to do with their passwords.

On top of that, the company should have enforced strong passwords and forced 2FA for all accounts. What they're doing is victim blaming.

load more comments (3 replies)
[–] [email protected] 18 points 7 months ago* (last edited 7 months ago)

Are you telling me a password of 23AndMe! Is bad? It meets all the requirements.

load more comments (13 replies)
[–] [email protected] 36 points 7 months ago (2 children)

Reusing credentials is their fault. Sure, 23&me should've done better, but someone was likely to get fucked, and if you're using the same password everywhere it is objectively your fault. Get a password manager, don't make the key the same compromised password, and stop being stupid.

[–] [email protected] 26 points 7 months ago* (last edited 7 months ago) (1 children)

It's at least 99.8% the company's fault.

Even if we blame those 14k password reusers, we're blaming 1 in every 500 victims. Being able to access genetic information and names of 6.9 million people - half your entire customers! - by hacking 0.02% of that is the fault of the company. They structured that access and failed to act on the obvious threat it represents.

But why blame password reusers? Not every grandparent interested in their family tree is capable of even understanding data security, let alone juggling multiple passwords or a PW manager.

Credential stuffing is an inevitable part of security landscape - especially for one time use accounts like genetics sites. A multimillion dollar IT department is just clearly responsible for preventing egregious data security failures.

[–] [email protected] 18 points 7 months ago (2 children)

They didn't get genetic raw data of anyone beyond the 14K, they got family relationship information. Which is an option you can turn on or off, if you want. It's very clear that you're exposing yourself to other people if you choose to see who you're related to. It doesn't expose raw data and it doesn't instantly expose names, just how they're related to you. (And most of the "relations" are 3rd to 5th cousins, aka strangers.)

Hackers used the genetic ancestry data of the 14K hacked users and their "relatives" connections to deduce large families of Ashkenazi Jews.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 36 points 7 months ago (12 children)

23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users

I'm honestly asking what the impact to the users is from this breach. Wasn't 23andMe already free to selling or distribute this data to anybody they wanted to, without notifying the users?

[–] [email protected] 32 points 7 months ago* (last edited 7 months ago) (1 children)

That's not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.

I would assume they had some deals with law enforcement to transmit data one narrow circumstances.

I'm honestly asking what the impact to the users is from this breach.

Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.

This is different. This is a breach and if you have a company taking care of such sensitive data, it's your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they've established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt on some regard.

[–] [email protected] 18 points 7 months ago (7 children)

If they really do blame this on the users

It's not that they said:

It's your fault your data leaked

What they said was (paraphrasing):

A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.

Which, honestly?

Completely valid. The only way to stop this would be for 23andme to monitor these "hack lists" and notify any email that also has an account on their website.

Side note:

Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.

load more comments (7 replies)
load more comments (11 replies)
[–] [email protected] 33 points 7 months ago (7 children)

“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account's data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

load more comments (7 replies)
[–] [email protected] 32 points 7 months ago (4 children)

Bro just don't have DNA.

load more comments (4 replies)
[–] [email protected] 22 points 7 months ago (13 children)

They're right. It the customer's fault for giving them the data in the first place.

[–] [email protected] 23 points 7 months ago (3 children)

But hear me out, I have no control over my cousin or aunt or some random relative getting one of these tests and now this shitty company has a pretty good idea what a large chunk of my DNA looks like. If people from both sides of my family do it they have an even better idea what my genetic profile looks like. That's not my fault, I never consented to it, and it doesn't seem ok.

load more comments (3 replies)
load more comments (12 replies)
[–] [email protected] 22 points 7 months ago (5 children)

https://haveibeenpwned.com/

Gentle reminder to plop your email address in here and see if you, much like 14,000 23andMe users, have had an account compromised somewhere. Enable two-factor where you can and don't reuse passwords.

load more comments (5 replies)
[–] [email protected] 20 points 7 months ago (1 children)

Giving your genetic info to them is the first mistake

load more comments (1 replies)
[–] [email protected] 19 points 7 months ago (15 children)

And I agree with them, I mean 23andMe should have a brute-force resistant login implementation and 2FA, but you know that when you create an account.

If you are reusing creds you should expect to be compromised pretty easily.

[–] [email protected] 31 points 7 months ago (12 children)

A successful breach of a family member's account due to their bad security shouldn't result in the breach of my account. That's the problem.

[–] [email protected] 17 points 7 months ago* (last edited 7 months ago) (9 children)

A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem

I mean...

You volunteered to share your info with that person.

And that person reused a email/password that was compromised.

How can 23andme prevent that?

It sucks, but it's the fault of your relative that you entrusted with access to your information.

No different than if you handed them a hardcopy and they left it on the table of McDonald's .

Quick edit:

It sounds like you think your account would be compromised, that's not what happened. Only info you shared with the compromised relative becomes compromised. They don't magically get your password.

But you still choose to make it accessible to that relatives account by accepting their request to share

load more comments (9 replies)
[–] [email protected] 13 points 7 months ago

Yep it was 14,000 that were hacked, the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe's response is what to expect since companies will never put their customers safety ahead of their profits.

[–] [email protected] 13 points 7 months ago

I doesn't. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member's account and their account getting accessed because their banking password was "Password1" or their PIN was "1234".

load more comments (9 replies)
load more comments (14 replies)
[–] [email protected] 14 points 7 months ago

Well its also their fault for falling for 23andMe because its basically a scam. The data is originally self-selected data sets then correlating a few markers tested once, to match you to their arbitrary groups, isn't exactly how genetics work is done.

Its actually cheap as, maybe cheaper to get 50x full genome sequencing from a company that actually doesn't sell your data; where 23andMe business model was running a few marker tests to appease their audience they kept in the dark of how modern genetics works; then keep the same for full genome sequencing later because that shit only gets more valuable over time.

Its what makes genetics weird. A sample taken 10 years ago, will reveal so much more about you 5 years from now, like massively more.

[–] [email protected] 14 points 7 months ago (1 children)

I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.

[–] [email protected] 15 points 7 months ago

Not your fault if you did have a strong password but your data was leaked through the sharing anyways…

load more comments
view more: next ›