23andMe admits hackers stole raw genotype data - and that cyberattack went undetected for months | Firm says it didn't realize customers were being hacked
This statement is not true. You can add some qualifiers to make it true, but as it stands, no. A plasmid contains genetic data and doesn’t inherently identify the specific organism it came from.
If this forces 23andMe to shutter, some other tech firm will gobble up that genetic data without the original users having any agency in the decision. Imagine having your genes create value for others and you only get the liability? Oof.
Do we know they delete the data when you do that? A lot of software is designed to "soft delete" data, where you mark the record with a "deleted" flag that excludes it from future queries. This data still lingers in the database and would still be accessible by anyone who can bypass the application logic, such as someone with a direct DB connection and read privileges.
Look, I'm as ready as anyone to jump on companies for mishandling data. I work daily with extremely private medical information protected by an ungodly amount of laws, and it pisses me off how whimsical most companies are with customer data. This one wasn't exactly their fault though. If you use the SAME EMAIL AND PASSWORD across multiple different sites it's not site B's fault when site A gets hacked and your login information is attempted on site B. It's also not even that surprising given people willingly giving up information this private aren't exactly the most privacy literate.
Could they have enforced multi-factor 2FA? Sure, and it would've mitigated some of the damage. However, I think we can all reason that they probably had the same password for their email and phone provider. Hardware keys aren't cheap, and most people just don't have them. It's also pretty reasonable that it would take a super long time to figure out someone logging in with a username and password was "hacked".
Yeah, probably. But in this case they probably had only a few passwords per email, but lots of usernames to try. So per-account blocks may not have worked as they had the correct passwords?
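The point raised in the comments above (a per-account block never fires when the reused password is right on the first try), shown as an added example that is not part of the thread. The events, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, username, success). Not real data.
EVENTS = (
    # One source trying 12 different accounts once each; every third login works.
    [("203.0.113.7", f"user{i}@example.com", i % 3 == 0) for i in range(12)]
    # An ordinary user mistyping a password four times, then getting it right.
    + [("198.51.100.20", "alice@example.com", False)] * 4
    + [("198.51.100.20", "alice@example.com", True)]
    + [("192.0.2.15", "bob@example.com", True)]
)


def per_account_lockouts(events, max_failures=3):
    """Classic control: flag an account after max_failures failed logins."""
    failures = defaultdict(int)
    for _ip, user, ok in events:
        if not ok:
            failures[user] += 1
    return {user for user, n in failures.items() if n >= max_failures}


def stuffing_sources(events, min_accounts=5):
    """Flag a source that attempts many distinct accounts, successful or not.

    Returns {source_ip: [accounts that source logged in to]} so responders
    know which accounts need a forced reset and session revocation.
    """
    attempted = defaultdict(set)
    succeeded = defaultdict(set)
    for ip, user, ok in events:
        attempted[ip].add(user)
        if ok:
            succeeded[ip].add(user)
    return {
        ip: sorted(succeeded[ip])
        for ip, users in attempted.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    print("per-account lockouts:", per_account_lockouts(EVENTS))
    print("sources touching many accounts:", stuffing_sources(EVENTS))
```

The per-account rule only catches the user who mistyped a password, while counting distinct accounts per source surfaces the reused-credential logins and lists the accounts that were actually entered.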
Our investigation determined the threat actor downloaded or accessed your uninterrupted raw genotype data, and may have accessed other sensitive information in your account,
Fascinating. I was under the impression that you couldn't get that without having it sent to your email address. I certainly haven't seen any other ways of getting raw genomics out.
Is this that the threat actor sent it to an email that was potentially compromised or do they have download logs of some form of hidden direct download feature?
They wouldn't need to access 14,000 separate accounts if they had internal access to the database.
The article states they got access to "private data" from 6.9 million other users via a 'DNA relatives' feature but doesn't explain what kind of information that is. For those accounts that got directly accessed, it seems unlikely the hackers requested and intercepted an email for every one without being noticed sooner. Sounds like they only scraped what's available on the site itself but it'd be nice if the article actually detailed that.
It's data, that's all that's needed. That you or I can't think of a reason or use case (well, outside of authoritarian nation state business that is) that makes it valuable just means we aren't likely ghoulish enough.
But you can't change your genetic data, so it's a bundle of "anonymous" data that will forever remain just waiting for the right link to irreparably link it to someone.
Cheap data point now, but who knows how useful or valuable it could be if the cyberpunk Dystopia of Tech Bro Billionaire's wet dreams come to pass?
China... because China is a black hole of information and will steal anything and everything for hegemonic advantage. If that DNA belongs to family or friends of powerful people, that could lead to a future blackmail advantage.