23andMe tells victims it's their fault that their data was breached | TechCrunch
23andMe tells victims it's their fault that their data was breached | TechCrunch
Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers
Turns out, it is.
What should a website do when you present it with correct credentials?
IP-based mitigation strategies are pretty useless for ATO and credential stuffing attacks.
These days, bot nets for hire are easy to come by and you can rotate your IP on every request limiting you controls to simply block known bad IPs and data server IPs.
What should a website do when you present it with correct credentials?
Not then give you access to half their customers' personal info?
Credential stuffing 1 grandpa who doesn't understand data security shouldn't give me access to names and genetics of 500 other people.
That's a shocking lack of security for some of the most sensitive personal data that exists.
You either didn’t read or just really need this to be the company’s fault.
Those initial breaches lead to more info being leaked because users chose to share data with those breached users before their accounts were compromised.
When you change a setting on a website do you want to have to keep setting it back to what you want or do you want it to stay the first time you set it?
Not then give you access to half their customers’ personal info?
That's a feature of the service that you opt into when you're setting up your account. You're not required to share anything with anyone, but a lot of people choose too. I actually was able to connect with a half-sibling that I knew I had, but didn't know how to contact, via that system.
So… we are ignoring the 6+ million users who had nothing to do with the 14 thousand users, because convenience?
Not to mention, the use of “brute force” there insinuates that the site should have had password requirements in place.
Please excuse the rehash from another of my comments:
How do you people want options on websites to work?
These people opted into information sharing.
When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?
It was credential stuffing. Basically these people were hacked in other services. Those services probably told them "Hey, you need to change your password because our database was hacked" and then they were like "meh, I'll keep using this password and won't update my other services that this password and personally identifiable information about myself and my relatives".
Both are at fault, but the users reusing passwords with no MFA are dumb as fuck.
by brute-forcing accounts with passwords that were known
That's not what "brute force" means.
Agreed.
Blaming your customers is definitely a strategy. It's not a good one, but it is a strategy.
BRB deleting my 23AndMe account
OP spreading disinformation.
Users used bad passwords. Their accounts where accessed using their legitimate, bad, passwords.
Users cry about the consequences of their bad passwords.
Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves
From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature.
How exactly are these 6.9M users at fault? They opted in to a feature of the platform that had nothing to do with their passwords.
On top of that, the company should have enforced strong passwords and forced 2FA for all accounts. What they're doing is victim blaming.
users knowingly opted into a feature that had a clear privacy risk.
Strong passwords often aren't at issue, password re-use is. If un-{salted, hashed} passwords were compromised in a previous breach, then it doesn’t matter how strong those passwords are.
Every user who was compromised:
A further subset of users failed to use a unique and strong password.
A 2FA token (think Matrix) might have helped here, other than that, individuals need to take a greater responsibility for personal privacy. This isn’t an essential service like water, banking, electricity etc. This is a place to upload your DNA profile…
Are you telling me a password of 23AndMe! Is bad? It meets all the requirements.
Users used bad passwords. Their accounts where accessed using their legitimate, bad, passwords.
Just as an anecdotal counterpoint, I am a 23andMe customer who did receive notification of my account was accessed and personal information obtained.
This was my password at the time: 7Kk5bXjIdfB25
That password was auto-generated for me by the BitWarden app.
So for what it's worth I don't think my password was a 'bad' password.
Your direct account was accessed or some of your information was access through a compromised account? those are big differences and from what I've read only the latter should have been possible. and in my opinion, not such a big deal.
The lions share IMHO is at 23&me. Offering such a poorly secured service is negligence, in the face of the data's high sensitivity nature.
Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves
Tell me you didn't read the article without telling me.
If 14,000 users who didn't change a password on a single use website they probably only ever logged into twice gives you 6.9 million user's personal info, that's the company's fault.
You didn't read it either. They gained access to shared information between the accounts because both accounts had enabled "share my info with my relatives" option.
Logging into someones Facebook and seeing their friends and all the stuff they posted as "friends only" and their private DM discussions isn't a hack or a vulnerability, it's how the website works.
23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users
I'm honestly asking what the impact to the users is from this breach. Wasn't 23andMe already free to selling or distribute this data to anybody they wanted to, without notifying the users?
That's not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.
I would assume they had some deals with law enforcement to transmit data one narrow circumstances.
I'm honestly asking what the impact to the users is from this breach.
Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.
This is different. This is a breach and if you have a company taking care of such sensitive data, it's your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they've established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt on some regard.
If they really do blame this on the users
It's not that they said:
It's your fault your data leaked
What they said was (paraphrasing):
A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.
Which, honestly?
Completely valid. The only way to stop this would be for 23andme to monitor these "hack lists" and notify any email that also has an account on their website.
Side note:
Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.
I would guess (hope?) that the data sets they sell are somewhat anonymized, like listing people by an i.d. number instead of the person's name, and not including contact information like home address and telephone number. If so then the datasets sold to companies don't contain the personal information that hackers got in this security breach.
I’m honestly asking what the impact to the users is from this breach.
The stolen info was used to databases of people with jewish ancestry that were sold on the dark web. I think there was a list of similar DB of people with chinese ancestry. 23andme's poor security practices have directly helped violent white supremecists find targets.
If you're so incompetent that you can't stop white supremecists from getting identifiable information about people from minorities, there is a compelling public interest for your company to be shut down.
Reusing credentials is their fault. Sure, 23&me should've done better, but someone was likely to get fucked, and if you're using the same password everywhere it is objectively your fault. Get a password manager, don't make the key the same compromised password, and stop being stupid.
It's at least 99.8% the company's fault.
Even if we blame those 14k password reusers, we're blaming 1 in every 500 victims. Being able to access genetic information and names of 6.9 million people - half your entire customers! - by hacking 0.02% of that is the fault of the company. They structured that access and failed to act on the obvious threat it represents.
But why blame password reusers? Not every grandparent interested in their family tree is capable of even understanding data security, let alone juggling multiple passwords or a PW manager.
Credential stuffing is an inevitable part of security landscape - especially for one time use accounts like genetics sites. A multimillion dollar IT department is just clearly responsible for preventing egregious data security failures.
They didn't get genetic raw data of anyone beyond the 14K, they got family relationship information. Which is an option you can turn on or off, if you want. It's very clear that you're exposing yourself to other people if you choose to see who you're related to. It doesn't expose raw data and it doesn't instantly expose names, just how they're related to you. (And most of the "relations" are 3rd to 5th cousins, aka strangers.)
Hackers used the genetic ancestry data of the 14K hacked users and their "relatives" connections to deduce large families of Ashkenazi Jews.
I would say it's partially their fault. IMHO 23&me is mainly to blame. They should've enforced (proper) 2FA. Sure, people should've known better, but they didn't; they oftenly don't. But 23&me did know better.
Edit: spelling
“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”
This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account's data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.
It's terrible design. If they know their users are going to do this, they're supposed to work around that. Not leave it as a vulnerability.
And it's your fault you have access to them. Stop doing bad things and keep your information secure.
you clearly have no familiarity with the principles of information security. 23andMe failed to follow a basic principle: defense in depth. The system should be designed such that compromises are limited in scope and cannot be leveraged into a greater scope. Password breaches are going to happen. They happen every day, on every system on the internet. They happen to weak passwords, reused passwords and strong passwords. They're so common that if you don't design your system assuming the occasional user account will be compromised then you're completely ignoring a threat vector, which is on you as a designer. 23andMe didn't force 2 factor auth (https://techcrunch.com/2023/11/07/23andme-ancestry-myheritage-two-factor-by-default/) and they made it so every account had access to information beyond what that account could control. These are two design decisions that enabled this attack to succeed, and then escalate.
I don't think so. Those users had opted in to share information within a certain group. They've already accepted the risk of sharing info with someone who might be untrustworthy.
Plenty of other systems do the same thing. I can share the list of games on my Steam account with my friends - the fact that a hacker might break into one of their accounts and access my data doesn't mean that this sharing of information is broken by design.
If you choose to share your secrets with someone, you accept the risk that they may not protect them as well as you do.
There may be other reasons to criticise 23andMe's security, but this isn't a broken design.
They're right. It the customer's fault for giving them the data in the first place.
But hear me out, I have no control over my cousin or aunt or some random relative getting one of these tests and now this shitty company has a pretty good idea what a large chunk of my DNA looks like. If people from both sides of my family do it they have an even better idea what my genetic profile looks like. That's not my fault, I never consented to it, and it doesn't seem ok.
If your credit card information gets stolen because someone stole it from a website you bought something off of, is that your fault?
I can change my credit card. I can't change my dna. This wasn't even for any medical reasons. 23andme is just a vanity service.
Bad analogy. The only people who had their information exposed are people who reused passwords and people who decided to make their info semi-public. It's more like deciding to tell all your cousins and 2nd cousins your credit card info and one of them leaked it.
This is such a fucking braindead, victim blaming take.
They became a victim the moment they gave their data to that company. Why is anyone that works at 23andme more trust worthy then rando hackers? They aren't obligated to any HIPPA laws.
I SHOULD NOT BE GETTING GASLIT FOR WHAT SEEMED LIKE A NEAT IDEA AT THE TIME
Gentle reminder to plop your email address in here and see if you, much like 14,000 23andMe users, have had an account compromised somewhere. Enable two-factor where you can and don't reuse passwords.
Welp my two gmail address have been pwned. Good thing I don't use them and I have limited use of Google services.
Just to clarify; It doesn't necessarily mean that your Google account password is compromised. It lists data breaches of services where you used the provided email to register. The password you chose for that service at the time of the breach has been compromised. If you don't use the same password everywhere, or changed your password after the breach, your other accounts are not compromised.
Also, as OP said, use two-factor authentication. And please also use a password manager.
It's saying I've been hacked on websites I've legitimately never even heard of, websites I have 100% never interacted with. Is this just a normal consequence of companies sharing all my data with other companies?
I can't speak to how you ended up on the list. The way haveibeenpwned works is that they crawl publicly available credential dumps and grab the associated usernames/emails for each cred pair. However it got there, your email ended up in one of those dumps. Recommend you change your passwords, make sure you don't repeat the same password across multiple sites and use a password manager so you don't have to remember dozens of passwords yourself.
Giving your genetic info to them is the first mistake
I see this trend of websites requesting your identification and all i think is: i don't even trust my own government with a copy why the hell should i trust a business?
Instant skip.
And I agree with them, I mean 23andMe should have a brute-force resistant login implementation and 2FA, but you know that when you create an account.
If you are reusing creds you should expect to be compromised pretty easily.
A successful breach of a family member's account due to their bad security shouldn't result in the breach of my account. That's the problem.
Edit: so people stop asking, here's their docs on DNA relatives: https://customercare.23andme.com/hc/en-us/articles/212170838
Showing your genetic ancestry results makes select information available to your matches in DNA Relatives
It clearly says select information, which one could reasonably assume is protecting of your privacy. All the reports seem to imply the hackers got access to much more than just the couple fun numbers the UI shows you.
At minimum I hold them responsible for not thinking this feature through enough that it could be used for racial profiling. That's the equivalent of being searchable on Facebook but they didn't think to not make your email, location and phone number available to everyone who searches for you. I want to be discoverable by my friends and family but I'm not intending to make more than my name and picture available.
A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem
I mean...
You volunteered to share your info with that person.
And that person reused a email/password that was compromised.
How can 23andme prevent that?
It sucks, but it's the fault of your relative that you entrusted with access to your information.
No different than if you handed them a hardcopy and they left it on the table of McDonald's .
Quick edit:
It sounds like you think your account would be compromised, that's not what happened. Only info you shared with the compromised relative becomes compromised. They don't magically get your password.
But you still choose to make it accessible to that relatives account by accepting their request to share
Yep it was 14,000 that were hacked, the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe's response is what to expect since companies will never put their customers safety ahead of their profits.
I doesn't. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member's account and their account getting accessed because their banking password was "Password1" or their PIN was "1234".
So if you enabled a setting that is opt-in only that allows sharing data between accounts and you are surprised that data was shared between accounts how is that not your fault?
afaik there was no breach of private data, only the kind of data shared to find relatives, which is opt-in and obviously not private to anyone who has seen how this service works. In other words, the only data "leaked" was the kind of data that was already shared with other 23andMe users.
You shouldn’t have shared your information with someone who is untrustworthy then. Data sharing is opt-in.
How do you and the surprising number of people who upvoted you want options on websites to work?
These people opted into information sharing.
When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?
Wtf?
Even if you didn’t reuse a compromised password yourself, the fact that your relatives did indicates that you’re genetically predisposed to bad security practices. /s
A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem.
How the hell would they prevent that if you voluntarily shared a bunch of information with the breach account? This is like being mad that your buddy's Facebook account got breached and someone downloaded shared posts from your profile, too. It's how the fucking service works.
Is it also the User's fault for the 6,898,600 people that didn't reuse a password and were still breached?
I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.
Not your fault if you did have a strong password but your data was leaked through the sharing anyways…
Well its also their fault for falling for 23andMe because its basically a scam. The data is originally self-selected data sets then correlating a few markers tested once, to match you to their arbitrary groups, isn't exactly how genetics work is done.
Its actually cheap as, maybe cheaper to get 50x full genome sequencing from a company that actually doesn't sell your data; where 23andMe business model was running a few marker tests to appease their audience they kept in the dark of how modern genetics works; then keep the same for full genome sequencing later because that shit only gets more valuable over time.
Its what makes genetics weird. A sample taken 10 years ago, will reveal so much more about you 5 years from now, like massively more.
Lmfao what? I can’t wait to watch this play out…
I wonder if they can identify a genetic predisposition that these patients had that made them more prone to compromising their passwords? And then if so, was it REALLY their fault?
Should probably ask OP!
They seems to be in the same boat based on this submission...
It's proper etiquette to use the wording from the title when posting an article. OP did everything right.
I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.
Maybe there should be some type of regulation that prevents that from happening considering the average person doesn't think of shit like that because they don't expect to be fucked over in every conceivable way
This is the best summary I could come up with:
“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.
The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords.
23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.
Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving,” and “a desperate attempt” to protect itself and deter customers from going after the company.
The original article contains 721 words, the summary contains 184 words. Saved 74%. I'm a bot and I'm open source!
That headline sounds to me like them claiming "Y'all're a bunch of eejits for usin' our service!"
To which I'd say "Yeah sure, I'm certain that would hold up in court" with the biggest eye roll you could imagine
23andMe
I never met a Geneticist who couldn't immediately recognize this company as a scam. The product wasn't the papers they send you after doing random marker tests once (so, false positives exist, and they never cared). The product is the DNA they collected by convincing people that their test was even remotely useful or insightful.
Its entirely based on correlation; and correlation to what? Geographic area? That makes no sense if you know one of any number of fields and many don't even have to be scientific in nature, or genetics.
I have always hated them, always told people to never use them and get themselves a proper 50x full genome sequencing since it costed the same; and actually provides real, resolute and reliable data. Not just like borderline pseudoscience. Might as well sent in the shape of your skull.
From the article:
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.
I knew better than to give thee companies my DNA but of course I've had family give it to them. I suppose if I was wanted for an unsolved murder I'd be a bit concerned, but I'm still not happy that anyone's DNA is compromised that I'm associated with.
The question to me is what's the play with that data. I'd assume they would have a use for it if they went to the trouble of stealing it. I suspect in the future this will be lucrative data, but what's the play right now??
For the grand majority of folks, Name, relationship label, self-reported location (city or zip), and birth year.
The ones with DNA compromises would be the ones whose accounts were directly accessed.
Company involved in a data breach try not to blame customers challenge (impossible)
This video comes to mind. https://youtu.be/ESzxGYDkwG8?feature=shared
Here is an alternative Piped link(s):
https://piped.video/ESzxGYDkwG8?feature=shared
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source; check me out at GitHub.
In a way, it kind of is their fault for trusting companies like this in the first place. I'd never consider using companies like this and both think and hope none of my family members would either.
Obviously, the breach is the company being incompetent like many companies are when it comes to security.
Unfortunately like you said, family members can do so of their own accord which is exactly what one of mine did, despite my warnings of such.
It's completely impossible for me to "un-ring" that bell now, so to speak.
Why anyone would ever trust somebody else with their DNA data is beyond me.
Why anyone would care is beyond me. Explain what someone's realistically going to do with your DNA data.
This is always the most short-sighted kind of comment on the internet, I don't assume you're ignorant, I assume you're selfish - Do you not see a responsibility to future generations in any of your actions or are you just here to "get yours" and check out?
While there are real and immediate dangers today, our responsibility in this moment is to be a firm NO so that these things don't find their extremes in our lifetime or beyond. You're the frog in the pot of cold water, but the burner is turned on beneath you.
"What the fuck are you guys talking about man? being all hysterical and shit? The water is comfortable right now, even a bit cold"
The biggest worry is that the data might be right and might be used by an insurance provider to deny a person's cover
Though that's not a realistic problem. The various DNA ancestry companies' privacy policies prevent them sharing with insurance companies.
Sell to insurance companies. Genetic predisposition towards certain illnesses? That's a premium.
And the insidious thing is, it's not even just you. Any relative that does a test, boom, they know.
Explain what someone’s realistically going to do with your DNA data.
You are obviously oblivious to how mass-surveillance works, and how much it can destroy our freedoms. Services like 23AndMe keep a database over all the DNA they have received. This database is often shared with governments, and can be used to create relationship maps - who is what to whom. This information can be and is being weaponized against us on a daily basis.
If I am an insurance company, and I have data that says you are carrying a gene that is correlated with colon cancer, I can either raise the fuck out of your rates because youre a risky client who might cost me a lot of money in colon cancer treatments, or when you do get colon cancer I could refuse to cover it because I have a contract clause you didnt read that says if youre genetically correlated thats functionally a pre-existing condition and thus isnt a part of your coverage.
If I am a med company, and I know what your genes correlate with known treatable genetic diseases that become fatal or more serious to people like you with those genes, I can raise the price of your medication. You have to pay, because you will die if you dont, so I can ask for any price.
If I am a texas politician, who is already threatening hospitals across the nation illegally for your private medical data, I am salivating trying to get your dna. Correlate any gene, or suite of genes, with a population of people you do not like, and you can target them through this. "Prove" a genetic superiority to defend and promote eugenic ideals, while targeting your racial scapegoat at a genetic level. Look like one race? Well your blood says youre not pure, so youre next too.
These are only the obvious problems.
They do now. But before this they would prompt users to activate it, but it was the users choice not to.
This is, largely, the norm for nearly every online service.
Well, they have a point.
I'm just of the general opinion that any personal data you entrust to any corporation is going to be at risk - regardless of it's assurances. There's also a risk of that corporation being legitimately acquired by another thus nullifying previous TOS, etc. Or worse case, they sell all your info anyway. Connected technology is moving quickly. What might seem safe to share today could become the basis of an insurance claim denial when they discover a genetic predisposition they believe you were obligated to disclose.
This is at least partly true. If you reuse the same information, you should expect to get pwned
It is, it's their fault for sending their data to some company that wants your DNA. I'm curious too, but i'm not that dumb.
It's actually the user's fault. The emails and passwords came from a different breach, and some of those also worked on 23andMe. This is why you don't reuse passwords.
It’s actually the user’s fault. The emails and passwords came from a different breach
No, 23andme is very clearly at fault.
Only 0.02% of those who had their personal info leaked were hacked by a credential stuffing attack.
99.8% of victims were victims because the company launched an obviously unsafe feature that allowed intruders to acces 500 other people's details for each compromised account.
No one changes the password on sites they don't use anymore and this is basically a single use service.
That is not at all what they said.
If you are dumb enough to send your DNA to a company that keeps it in a database forever, and often shares it with governments to make relationship maps and population control, you deserve everything.
Wow, am I glad nobody in my family has used this whack service!
Who's up for an old skool loic session against this bunch of clowns lol 🤣 🤣 🤣
Congratulations this is the cringiest thing I've read today.
What does Jewish have to do with it?
Don't give your DNA to any company
I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:
I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.
I think most internet users are straight up smooth brained, i have to pull my wife's hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she's just lucky she didn't have the cc attached to it.
And she makes 3 times as much as I do, there is no helping people.
These people remind me of my old roommate who "just wanted to live in a neighborhood where you don't have to lock your doors."
We lived kind of in the fucking woods outside of town, and some of our nearest neighbors had a fucking meth lab on their property.
I literally told him you can't fucking will that want into reality, man.
You can't just choose to leave your doors unlocked hoping that this will turn out to be that neighborhood.
I eventually moved the fuck out because I can't deal with that kind of hippie dippie bullshit. Life isn't fucking The Secret.
Lately I try to get people to use Chrome's built-it password manager. It's simple and it works across platforms.
people
I agree, by all accounts 23andMe didn't do anything wrong, however could they have done more?
For example the 14,000 compromised accounts.
In hindsight some of these questions might be easier to answer. It's possible a company with even better security could have detected and shutdown these compromised accounts before they collected the data of millions of accounts. It's also possible they did everything right.
A full investigation makes sense.
I already said they could have done more. They could have forced MFA.
All the other bullet points were already addressed: they used a botnet that, combined with the "last login location" allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.
A full investigation makes sense but the OP is about 23andMe's statement that the crux is users reusing passwords and not enabling MFA and they're right about that. They could have done more but, even then, there's no guarantee that someone with the right username/password combo could be detected.
Those are my questions, too. It boggles my mind that so many accounts didn’t seem to raise a red flag. Did 23&Me have any sort of suspicious behavior detection?
And how did those breached accounts access that much data without it being observed as an obvious pattern?
Common thing, a lot of people despise MFA. I somewhat recently talked with 1 person who works in IT (programmer) that has not set up MFA for their personal mail account.
Credential stuffing is an attack which is well known and that organizations like 23andme definitely should have in their threat model. There are mitigations, such as preventing compromised credentials to be used at registration, protecting from bots (as imperfect as it is), enforcing MFA etc.
This is their breach indeed.
They did. They had MFA available and these users chose not to enable it. Every 23andMe account is prompted to set up MFA when they start. If people chose not to enable it and then someone gets access to their username and password, that is not 23andMe's fault.
Also, how do you go about "preventing compromised credentials" if you don't know that the credentials are compromised ahead of time? The dataset in question was never publicly shared. It was being sold privately.
Is there a standards body web developers should rely on, which suggests requiring MFA for every account? OWASP, for example, only recommends requiring it for administrative users, but for giving regular users the option without requiring it.
There’s some positives to requiring MFA for all users, but like any decision there’s trade offs. How can we throw 23andme under the bus when they were compliant with industry best practices?
I agree. The people blaming the website are ridiculous here.
It’s just odd that people get such big hate boners from ignorance. Everything I’m reading about this is telling me that 23andMe should have enabled forced MFA before this happened rather than after, which I agree with, but that doesn’t mean this result is entirely their fault either. People need to take some personal responsibility sometimes with their own personal info.
Laziness alone is a pretty big reason. MFA was available and users were prompted to set it up. The fact that they didn’t should tell you something.
Step 4 is where 23andme got hacked
By your logic I hack into every site I use by … checks notes presenting the correct username and password.
Would bet that you’re a crypto fan.
How much we talking? I’ll take that bet.
Would bet your password includes "password" or something anyone could guess in 10 minutes after viewing your Facebook profile.
Edit: Your l33t hacker name is your mother's maiden name and the last four of your social, bro. Mines hunter1337, what's yours?
Why?