23andMe Data Breach is worst than previously stated

[Kevo05s]

Summary

 The bad news keeps on coming as they are revealing how broad the data the hackers got from the attack, and it seems to keep on getting bigger as it is speculated that 23andMe isn't fully honest on what happened.

 

Quotes

Quote

On Monday, 23andMe confirmed to TechCrunch that the attackers collected the personal data of about 5.5 million people who had opted in to DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." 23andMe subsequently shared this expanded information with WIRED as well.

 

My thoughts

While Linus was right about the consequences this leak could have, we weren't (and probably still aren't) aware of how big and how many people have been affected by this attack. I personally feel more stressed about it since I don't know if anyone related to me did such a test and had me included in the data breach. Also, I'm not even sure that 23andMe is even aware of how many people are affected, and they also don't seem to care about it whatsoever.

 

Sources

 link to post here (Wired)

[Agall]

Also, how many of us only did these DNA tests because we were compelled to by getting it as a gift from family, who are also terrible at using unique passwords.

[TetraSky]

Man... I really wanted to get one of these things some day to know what I was allergic to. But they can't even properly store data.

[Skipple]

I'm somewhat surprised, given the type and gravity of the data they collect, they aren't regulated like any other medical industry. 

[jaslion]

27 minutes ago, TetraSky said:

Man... I really wanted to get one of these things some day to know what I was allergic to. But they can't even properly store data.

You can just do a allergy investigative procedure in basically any hospital. Going to be way more accurate than just this.

[Taf the Ghost]

16 minutes ago, Skipple said:

I'm somewhat surprised, given the type and gravity of the data they collect, they aren't regulated like any other medical industry. 

Good question, though I can see reasons it wouldn't be covered. It's not a test for medical reasons but information gathering purposes.

 

Still, I've never seen a company operating as a function of dystopian movie plot is a good idea.  And given the massive amount of marketing money spent always raised a bit too many red flags. It's not as bad as the Fake Meat industry, but the non-anonymized data like this a pretty terrible thing.  Oh look, it'll now be completely out in the wild.

[Agall]

1 hour ago, Taf the Ghost said:

Good question, though I can see reasons it wouldn't be covered. It's not a test for medical reasons but information gathering purposes.

 

Still, I've never seen a company operating as a function of dystopian movie plot is a good idea.  And given the massive amount of marketing money spent always raised a bit too many red flags. It's not as bad as the Fake Meat industry, but the non-anonymized data like this a pretty terrible thing.  Oh look, it'll now be completely out in the wild.

My method of testing for allergies:

 

[Kisai]

11 hours ago, Skipple said:

I'm somewhat surprised, given the type and gravity of the data they collect, they aren't regulated like any other medical industry. 

They aren't permitted to. When you do these these tests you basically say "I'm giving permission for 23andme to do anything they damn well please"

 

Myself and my family and two now deceased relatives are in it. Am I really worried? No. 

 

The matter-of-fact of the matter is that this information might be valuable to data brokers and law enforcement trying to find a connection between person A and person B. But that will depend on how much information you actually gave 23andMe, and most of the information I gave to 23andMe was the same information I gave to Ancestry.com at some point, but ancestry's DNA test was far, far less informative.

 

All the family connection stuff is in ancestry, not 23andMe. So unless you wanted to know the names of my siblings or parents, that's about all you really learn from the data leak. That might be useful to scammers to socially engineer less tech-savvy people, but there's not going to be a collection of phone numbers and addresses in there unless you had 23andMe actually ship a DNA kit to someone.

 

[leadeater]

23 hours ago, Agall said:

My method of testing for allergies:

 

I wonder how many cooks of the middle ages were executed due to royal food taster allergies 

[Agall]

11 minutes ago, leadeater said:

I wonder how many cooks of the middle ages were executed due to royal food taster allergies 

Especially how, uh, let's say "shallow" the gene pools were, probably a lot  

[Fasterthannothing]

On 12/6/2023 at 3:35 PM, Agall said:

Also, how many of us only did these DNA tests because we were compelled to by getting it as a gift from family, who are also terrible at using unique passwords.

People in my family did it I was practically begging them not to they all thought it would be great fun now look where we are! Its 100x worse than getting your personal identity stolen it's literally your DNA. It honestly makes me mad that companiesike this are legally allowed to even operate 

[Fasterthannothing]

4 hours ago, htimsenyawed said:

I'm glad I never sold my DNA and any information attached to anyone.

Better hope your family didn't sell you out 

[Donut417]

On 12/6/2023 at 3:42 PM, Skipple said:

they aren't regulated like any other medical industry. 

I mean I think they fall under the FDA. But regulation and the US government dont go hand and hand. How many companies break the law and just pay the fines? Its not like any thing else is going to happen. No one goes to jail, they just keep paying the fines.

[wanderingfool2]

Overall I think we really need to change the terms of "data breach" and other kind of things (Although then again it's the media sensationalizing the reality of the situation)...as all the articles that I've read seemingly acts as though this is something that 23AndMe should be blamed for.

 

Overall, it seems as this was nothing more than a basic level credential stuffing attack (i.e. 14,000 people reused their passwords on a website that was compromised or they were using a very easy to guess password).  While it might be good to have monitoring to try detecting someone is attempting password stuffing it can be generally very difficult to catch if the attackers are lets say using a botnet to route the requests through different IP's.

 

Even in a company that had 140 employees, if I looked at bad login attempt logs there would be at least 10 - 20 bad logins per day (so if done at a correct rate they might not realize a credential stuffing is occurring).

 

Like for myself, yes it technically is a data breach, but for the 14,000 people it's on them for reusing their password.  The remainder 5.5 million, it's not like it's actually a lot of sensitive information...after all, it's a service they literally signed up for where it matches relatives...there isn't a thing 23AndMe could do to really prevent that kind of thing as connecting like that is a big part of what people do to sign up (i.e. finding relatives or family trees).

 

It's akin to saying private facebook accounts were part of a facebook databreach because a friend's account got compromised...while technically true I think most articles and the common folk assume that it's the fault of Facebook.  This I think really needs to change in main media, as this 23AndMe "data breach" really is just a reminder to use unique passwords

[Kisai]

36 minutes ago, wanderingfool2 said:

 

 

Like for myself, yes it technically is a data breach, but for the 14,000 people it's on them for reusing their password.  The remainder 5.5 million, it's not like it's actually a lot of sensitive information...after all, it's a service they literally signed up for where it matches relatives...there isn't a thing 23AndMe could do to really prevent that kind of thing as connecting like that is a big part of what people do to sign up (i.e. finding relatives or family trees).

 

I think this is just one of those services where 'The law of unintended consequences" applies.

 

This service can only operate if people give their real names, genders, and birthdates. It serves to connect people with similar genetic markers who have indicated where they were born, their parents were born, grandparents, etc.

 

The outcome being that there is enough connecting data to form a connection between Person A, who was orphaned at birth and Person B, who has family history going back 400 years.

 

I didn't really learn all that much from 23andMe I didn't already know. But my sister's spouse IS "Person A", and does not know his birth parents. Likewise I've had people reach out to me on one of these sites I put the 23andMe data on, who were also orphaned at birth, 60+ years ago. 

 

But I paid for all these testing kits. Two of them aren't even among the living anymore. So it's not like I can ask permission of them, and simply sharing any one of their data with a site, will connect all of them, because they will connect back to me.

 

Unintended Consequences. A data breech was inevitable, but the service doesn't work without everyone opt'ing to have their information on it. That's simply how it has to work. If someone had a credential stuffing attack work against them, and they were someone who had their entire family tree going back 10 generations connected on there... well that's on them. But I think the issue is both under and over stated.

 

If you have nothing to hide, and your family generally isn't part of some criminal enterprise, then at worst some data broker probably will connect the dots between your name and this genetic information and try to sell whatever 23andMe had in the medical diagnostics back to you in marketing, if you somehow have that connecting data in the real world.  Worst case.

 

Best case, is that data is basically useless. I did this 23andMe stuff long enough ago I don't even live at that address or city. 

 

If you do happen to be a politician, or someone known to law enforcement, then this can quite literately be career-ending or freedom-ending if your DNA ever shows up at a crime scene, or it's found you are connected to a cold case.

 

[wanderingfool2]

34 minutes ago, Kisai said:

Unintended Consequences. A data breech was inevitable, but the service doesn't work without everyone opt'ing to have their information on it. That's simply how it has to work. If someone had a credential stuffing attack work against them, and they were someone who had their entire family tree going back 10 generations connected on there... well that's on them. But I think the issue is both under and over stated.

Well my general issue is that it's the 6 degrees of Kevin Bacon; by opting for it, which is what gives it it's purpose, you effectively are opening yourself up publicly.  I think there is the general issue that the articles come off as though 23 And Me was somehow responsible or that they were the ones who lost the information...when really it's akin to having a facebook friend's account hacked and the news say that Facebook is giving your information to the hackers.

 

36 minutes ago, Kisai said:

If you have nothing to hide, and your family generally isn't part of some criminal enterprise, then at worst some data broker probably will connect the dots between your name and this genetic information and try to sell whatever 23andMe had in the medical diagnostics back to you in marketing, if you somehow have that connecting data in the real world.  Worst case.

It's not like they got your specific DNA sequences though, and it's not like they can track down people based on the DNA from what was taken (from my understanding).  They can essentially see someone's family tree, which if someone really wanted to could probably do anyways as most of that kind of stuff is a matter of public records.  The people who had their account credential stuff, yea they would be more vulnerable in the sense it does have more medical stuff...but for the other family members you would have to then take a guess at which side of the family came from and then target them (but for marketing I doubt it would be a thing, as anyone who is found to be using that data would be blacklisted which effectively means only the scam ones will be possible).

 

39 minutes ago, Kisai said:

If you do happen to be a politician, or someone known to law enforcement, then this can quite literately be career-ending or freedom-ending if your DNA ever shows up at a crime scene, or it's found you are connected to a cold case.

From what I could tell, 23AndMe really doesn't give you specific DNA details when you log in (I don't have an account, so I could be wrong).  So a "breach" like this doesn't really matter, since if lets say the police got their hands on it they can't really use it to crack a case.

 

Although with that said, I would really like companies like this to add a simple to do checkmark where it's "Help catch criminals related to me" (and have it so that under a warrant they will allow the police to use DNA evidence to help identify a suspect in the event of a felony crime being committed).  That's similar to how the Golden State killer got caught; a public DNA database...but they effectively shut that down...but there are so many unsolved heinous crimes that have DNA but they don't know who it is (and likely millions to billions spent each year in trying to solve those cases)

[RejZoR]

On 12/6/2023 at 9:35 PM, Agall said:

Also, how many of us only did these DNA tests because we were compelled to by getting it as a gift from family, who are also terrible at using unique passwords.

So... more like 123andMe hehe

[mr moose]

On 12/7/2023 at 7:09 PM, Kisai said:

When you do these these tests you basically say "I'm giving permission for 23andme to do anything they damn well please"

 

 

Fortunately not in Australia, just like consumer law, there are obligations and legal requirements they cannot have you sign away no matter how legal their documents are.  Private information is well protected under law,  how well that law can be applied is another question.

[GeekPower0]

UPDATE: 23andMe confirmed that health reports and raw genotype data were stolen

 

Quote

Genetic testing provider 23andMe confirmed that hackers stole health reports and raw genotype data of customers affected by a credential stuffing attack that went unnoticed for five months, from April 29 to September 27.

The credentials used by the attackers to breach the customers' accounts were stolen in other data breaches or used on previously compromised online platforms.

Via BleepingComputer.com

 

In addition to the health and genotype data, if users used the DNA Relatives feature then attackers may have scraped ancestry reports and profile data of other 23andMe users that matched.

 

My thoughts:

No matter how you feel about platforms like 23andMe, I think all platforms that handle health data need to require users to use secure MFA.

[Si3Rra_7]

Nuke that company. Everyone involved either never works in genetics ever again or gets prison. 

 

What a time to have your data about your ancestry leaked, especially if you're jewish. 

[wanderingfool2]

18 hours ago, Si3Rra_7 said:

Nuke that company. Everyone involved either never works in genetics ever again or gets prison. 

 

What a time to have your data about your ancestry leaked, especially if you're jewish. 

So you feel that credential stuffing somehow should have all the blame put on the company?

 

I'm curious, what measures would be an acceptable level of care?  Should 23AndMe be actively checking to see if your password is part of a leak...but then again if they salted and hashed their passwords like responsible companies they wouldn't be able to look up to see if your hashes matched.

 

At that point it's about mitigating the login attempts, but if the credential stuffers are systematic enough; switching IP's not doing massive amounts of wrong guesses at any given time it could be hard to detect...especially with how many people used 23AndMe.

 

The tl;dr, if you have sensitive information then DON'T reuse your password and this wouldn't have happened.

[Si3Rra_7]

On 1/27/2024 at 1:02 PM, wanderingfool2 said:

So you feel that credential stuffing somehow should have all the blame put on the company?

 

I'm curious, what measures would be an acceptable level of care?  Should 23AndMe be actively checking to see if your password is part of a leak...but then again if they salted and hashed their passwords like responsible companies they wouldn't be able to look up to see if your hashes matched.

 

At that point it's about mitigating the login attempts, but if the credential stuffers are systematic enough; switching IP's not doing massive amounts of wrong guesses at any given time it could be hard to detect...especially with how many people used 23AndMe.

 

The tl;dr, if you have sensitive information then DON'T reuse your password and this wouldn't have happened.

 

funny how it's becoming more and more common for these companies to blame users for their own security failings.

 

funny how immediately after they were aware of the breach they suddenly had the bright idea to make 2FA mandatory

 

funny how they probably knew it was a vulnerability and didn't do it sooner because MUH LOGIN METRICS

[Vode]

On 12/7/2023 at 11:44 PM, leadeater said:

I wonder how many cooks of the middle ages were executed due to royal food taster allergies 

Probably less than you think since food supply was largely from local sources.
 

If the reaction came from more exotic foods fair to assume they made the connection.

 

Also many individuals with more serious reactions to common foods possibly falling ill and dying at very young age.

[wanderingfool2]

On 2/3/2024 at 1:57 AM, Si3Rra_7 said:

 

funny how it's becoming more and more common for these companies to blame users for their own security failings.

 

funny how immediately after they were aware of the breach they suddenly had the bright idea to make 2FA mandatory

 

funny how they probably knew it was a vulnerability and didn't do it sooner because MUH LOGIN METRICS

Your response is exactly what's wrong with users these days.  An user reusing their password IS to blame.

 

Companies shouldn't have to be responsible and baby every single user.

 

Mandatory 2FA many users will find it invasive and choose not to use services because of it.  Look at Twitter, I was required to put in my phone number for "security" and it turned out that they also used that data for sales as well (in violation mind you).  Or another case, 2FA at work where we had lost access to the phone number in question (because we hadn't used the account for a few years), but then when we needed it not only did we not know whose number it was because it was in some old documentation; we didn't have the number anymore and Google wouldn't let use gain back access to it. (Despite having the password, and the name of the email included the companies name and was linked to our website).

 

The simple fact is, it was credential stuffing, and if you seriously think the company is more responsible for the breach than the users who reused their passwords then I can't help you.  You can go about your life blaming everyone but yourself, and while we are at it blaming the companies instead of the users why not make it so cars have speed limiters on it...after all users are too stupid to go the proper and safe speed limit [so the vehicle manufacturers are to blame for all the street races and accidents involving high speed]