this post was submitted on 26 Jan 2024
320 points (98.5% liked)

Technology

23andMe admits hackers stole raw genotype data - and that cyberattack went undetected for months | Firm says it didn't realize customers were being hacked

[–] skillissuer@discuss.tchncs.de 39 points 9 months ago (1 children)

Friendly reminder that there's no such thing as anonymized genetic data

[–] ChicoSuave@lemmy.world 35 points 9 months ago (3 children)

If this forces 23andMe to shutter, some other tech firm will gobble up that genetic data without the original users having any agency in the decision. Imagine having your genes create value for others and you only get the liability? Oof.

[–] spaduf 11 points 9 months ago

Don't they already package and sell your genetic data anyway?

[–] designatedhacker@lemm.ee 5 points 9 months ago (1 children)

Yeah download and delete your account + data if you still have one.

[–] aphlamingphoenix@lemm.ee 11 points 9 months ago (2 children)

Do we know they delete the data when you do that? A lot of software is designed to "soft delete" data, where you mark the record with a "deleted" flag that excludes it from future queries. This data still lingers in the database and would still be accessible by anyone who can bypass the application logic, such as someone with a direct DB connection and read privileges.
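The soft-delete pattern this comment describes, as an added illustration that is not from the thread or from 23andMe; the schema, the sample rows and the genotype strings are constructed for the example:

```python
import sqlite3

# Constructed sample rows (not real data); the table layout is an assumption
# chosen only to show soft delete versus hard delete.
SAMPLE_USERS = [
    (1, "alice@example.test", "rs123 A/G;rs456 C/T"),
    (2, "bob@example.test", "rs123 G/G;rs456 C/C"),
]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
                 "raw_genotype TEXT, deleted_at TEXT)")
    conn.executemany("INSERT INTO users (id, email, raw_genotype) VALUES (?, ?, ?)",
                     SAMPLE_USERS)
    return conn

def soft_delete(conn, user_id):
    """What many apps call 'delete': set a flag, keep every byte of the row."""
    conn.execute("UPDATE users SET deleted_at = datetime('now') WHERE id = ?", (user_id,))

def hard_delete(conn, user_id):
    """Actually remove the row (backups, replicas and logs are a separate problem)."""
    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))

def app_view(conn):
    """The application's query: the flag hides the row from normal code paths."""
    return [r[0] for r in conn.execute("SELECT email FROM users WHERE deleted_at IS NULL")]

def direct_db_view(conn):
    """A raw DB connection with read privileges skips the application filter."""
    return [r[0] for r in conn.execute("SELECT email FROM users")]

def genotype_for(conn, user_id):
    """Returns the stored genotype, or None once the row is really gone."""
    row = conn.execute("SELECT raw_genotype FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = setup_db()
    soft_delete(conn, 1)
    print("app view:        ", app_view(conn))        # alice is gone from the app
    print("direct DB view:  ", direct_db_view(conn))  # alice's genotype is still there
    hard_delete(conn, 1)
    print("after hard delete", direct_db_view(conn))
```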

[–] sir_reginald@lemmy.world 5 points 9 months ago (1 children)

and let's not forget that it was stolen, so it's probably being sold right now anyway.

[–] designatedhacker@lemm.ee 1 points 9 months ago

They stole the DNA data of users with recycled passwords. Last I saw this was 14,000 users and I was notified that at least one was transitively related to me. So they didn't get my DNA, just one or more user's view of my profile. I got out before a real breach happens and they do privilege escalation or phish an admin or something. Or like OP said go into bankruptcy/acquisition and sell their most valuable asset.

[–] designatedhacker@lemm.ee 2 points 9 months ago

They say that they do, so I'll be getting a juicy $5 class action check if that was a lie. Most companies that implemented GDPR didn't do a lot of "if EU, actually delete" type code. The cost of determining EU citizenship incorrectly is pretty high.

[–] pineapplelover@lemm.ee 30 points 9 months ago (1 children)

Holy fuck they're incompetent

[–] JDubbleu@programming.dev -3 points 9 months ago* (last edited 9 months ago) (1 children)

Look, I'm as ready as anyone to jump on companies for mishandling data. I work daily with extremely private medical information protected by an ungodly amount of laws, and it pisses me off how whimsical most companies are with customer data. This one wasn't exactly their fault though. If you use the SAME EMAIL AND PASSWORD across multiple different sites it's not site B's fault when site A gets hacked and your login information is attempted on site B. It's also not even that surprising given people willingly giving up information this private aren't exactly the most privacy literate.

Could they have enforced multi-factor 2FA? Sure, and it would've mitigated some of the damage. However, I think we can all reason that they probably had the same password for their email and phone provider. Hardware keys aren't cheap, and most people just don't have them. It's also pretty reasonable that it would take a super long time to figure out someone logging in with a username and password was "hacked".

[–] pineapplelover@lemm.ee 7 points 9 months ago (2 children)

You have a point. However, I think they should've forced 2fa from the start.

[–] Kushia@lemmy.ml 6 points 9 months ago (1 children)

Everyone already has the hardware for 2fa in their pockets too. This was simply a decision this company made to minimise barriers to their customers' wallets.

[–] pineapplelover@lemm.ee 2 points 9 months ago

Maybe a lot of us do but the general population might not even know what hardware tokens are and if they exist.

[–] sir_reginald@lemmy.world -4 points 9 months ago (1 children)

I'm all for security, but god I hate forced 2fa. I'm a power user with a password manager that generates 64-character-long random passwords, different for each site. I don't want to be bothered to take my phone every time I want to login.

[–] Saik0Shinigami@lemmy.saik0.com 2 points 9 months ago (1 children)

Use a password manager that also does totp.

[–] pineapplelover@lemm.ee 2 points 9 months ago (1 children)

If this guy is this lazy then this might be a good option? Bitwarden comes with one included but I still use a separate app (Aegis) and my yubikey.

[–] sir_reginald@lemmy.world 1 points 9 months ago* (last edited 9 months ago) (1 children)

If this guy is this lazy

I try to keep my fingers on my keyboard as much as possible and having to take out my phone is just a waste of time. I do not need 2fa. Let me do my own security.

Maybe requiring 2fa for passwords shorter than 60 characters would be a good solution. Most people would use 2fa but people with strong passwords can live without it.

[–] pineapplelover@lemm.ee 1 points 9 months ago

I highly disagree with not having 2fa. Even having one in your password manager, allowing you to not take fingers off of keyboard is better than nothing.

[–] azl@lemmy.sdf.org 29 points 9 months ago (1 children)

Well, this explains why my DNA was found on that murder weapon. Clearly the 23andMe hackers have framed me. Evidence now inadmissible in court.

[–] werefreeatlast@lemmy.world 8 points 9 months ago

I see where this is going.

[–] TheDarkKnight@lemmy.world 14 points 9 months ago

Data Protection and Privacy laws need an absolute complete overhaul.

[–] werefreeatlast@lemmy.world 11 points 9 months ago

They fucked 23 and me all at the same time.

[–] Xepher@lemm.ee 9 points 9 months ago (1 children)

Ancestry better be making sure they have all their shit patched now.

[–] avidamoeba@lemmy.ca 19 points 9 months ago (1 children)

Why? Are they gonna suffer a noticeable financial penalty?

[–] Xepher@lemm.ee 1 points 9 months ago
[–] Nighed@sffa.community 7 points 9 months ago (1 children)

This is the one that was from previously breached credentials right?

So their only fault was not forcing (did they support?) 2FA. + Potentially not having brute force monitoring?

[–] macrocephalic@lemmy.world 6 points 9 months ago (1 children)

Not having brute force mitigation is a pretty big miss.

[–] Nighed@sffa.community 2 points 9 months ago

Yeh, probably. But in this case they probably had only a few passwords per email, but lots of usernames to try. So per account blocks may not have worked as they had the correct passwords?

Oh well that’s horrifying.
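Why per-account lockout misses credential stuffing, and what a per-source rule catches instead, as an added example written for this thread rather than taken from it; the log lines, field names and thresholds are constructed (not 23andMe's logs):

```python
from collections import defaultdict

# Constructed sample login events (not real logs). Source 203.0.113.5 tries
# one already-known password per account across many accounts; source
# 198.51.100.7 is a normal user who mistypes twice on a single account.
SAMPLE_LOG = """\
2024-01-26T10:00:01Z src=203.0.113.5 user=u1001 result=fail
2024-01-26T10:00:02Z src=203.0.113.5 user=u1002 result=fail
2024-01-26T10:00:03Z src=203.0.113.5 user=u1003 result=success
2024-01-26T10:00:04Z src=203.0.113.5 user=u1004 result=fail
2024-01-26T10:00:05Z src=203.0.113.5 user=u1005 result=fail
2024-01-26T10:00:06Z src=203.0.113.5 user=u1006 result=success
2024-01-26T10:00:07Z src=198.51.100.7 user=u2001 result=fail
2024-01-26T10:00:09Z src=198.51.100.7 user=u2001 result=fail
2024-01-26T10:00:12Z src=198.51.100.7 user=u2001 result=success
"""

LOCKOUT_THRESHOLD = 5        # classic per-account lockout: N failures on one account
DISTINCT_USERS_THRESHOLD = 5 # per-source rule: N distinct accounts from one source

def parse(log):
    """Turn 'ts key=value ...' lines into dicts (assumed log format)."""
    events = []
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        kv = dict(part.split("=", 1) for part in rest.split())
        events.append({"ts": ts, **kv})
    return events

def accounts_locked_out(events):
    """Per-account lockout never fires: each targeted account sees at most a
    failure or two, because the attacker already holds the right password."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)

def suspicious_sources(events):
    """Per-source rule: many distinct accounts from one source, whether or
    not the individual attempts succeed."""
    users = defaultdict(set)
    for e in events:
        users[e["src"]].add(e["user"])
    return sorted(s for s, u in users.items() if len(u) >= DISTINCT_USERS_THRESHOLD)

def compromised_accounts(events, sources):
    """Successful logins from a flagged source: the accounts to reset and notify."""
    return sorted(e["user"] for e in events
                  if e["src"] in sources and e["result"] == "success")
```

In practice the per-source key would be combined with rate over a time window and device fingerprint, since stuffing tools rotate source addresses; the point here is only that the signal lives across accounts, not within one.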

[–] huginn@feddit.it 4 points 9 months ago (1 children)

Our investigation determined the threat actor downloaded or accessed your uninterrupted raw genotype data, and may have accessed other sensitive information in your account,

Fascinating. I was under the impression that you couldn't get that without having it sent to your email address. I certainly haven't seen any other ways of getting raw genomics out.

Is this that the threat actor sent it to an email that was potentially compromised or do they have download logs of some form of hidden direct download feature?

[–] jonne@infosec.pub 2 points 9 months ago (1 children)

If they had access to their internal network, they could've exfiltrated it by a ton of different ways.

[–] Morphit@feddit.uk 4 points 9 months ago (1 children)

They wouldn't need to access 14,000 separate accounts if they had internal access to the database.

The article states they got access to "private data" from 6.9 million other users via a 'DNA relatives' feature but doesn't explain what kind of information that is. For those accounts that got directly accessed, it seems unlikely the hackers requested and intercepted an email for every one without being noticed sooner. Sounds like they only scraped what's available on the site itself but it'd be nice if the article actually detailed that.

[–] jonne@infosec.pub 0 points 9 months ago (1 children)

Ah ok, didn't know we knew those details. I guess they found an API endpoint that allowed them to do this that isn't exposed through the website.

[–] huginn@feddit.it 3 points 9 months ago* (last edited 9 months ago)

The official RCA is credential stuffing.

Reused passwords are a bitch.

The main surprise is that you were able to get to genomic data with just a password. I thought it was only ever sent over email to the account email.

Maybe the attack involved changing email as well?

[–] Gutek8134@lemmy.world 2 points 9 months ago (2 children)

...Why does anybody need raw genotypes so much that this happened?

[–] Promethiel@lemmy.world 14 points 9 months ago

It's data, that's all that's needed. That you or I can't think of a reason or use case (well, outside of authoritarian nation state business that is) that makes it valuable just means we aren't likely ghoulish enough.

But you can't change your genetic data, so it's a bundle of "anonymous" data that will forever remain just waiting for the right link to irreparably link it to someone.

Cheap data point now, but who knows how useful or valuable it could be if the cyberpunk Dystopia of Tech Bro Billionaires' wet dreams come to pass?

[–] CyberDine@lemmy.world 4 points 9 months ago

China... because China is a black hole of information and will steal anything and everything for hegemonic advantage. If that DNA belongs to family or friends of powerful people, that could lead to a future blackmail advantage.

Russia, because fuck the West.