I kept my DNA out of those services, because they felt like they were on the “socks-for-cats dot com” side of the internet hosting maturity scale…
I hate being right. Maybe I’m being unfair, but I’m glad I waited.
Edit: At least it’s not as stupid as someone emailed an excel sheet or left an admin password set to “princess”.
In my opinion, we need much higher security standards for companies that track ancestry or DNA data, because there are active fascists out there willing to pay a premium for that data. And we need to not let that happen again. en.m.wikipedia.org/wiki/IBM_and_the_Holocaust
“In early October, a hacker claimed to have stolen the DNA information of 23andMe users in a post on a well-known hacking forum. As proof of the breach, the hacker published the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users, asking would-be buyers for $1 to $10 for the data per individual account.”
So to be clear: the attackers logged into people’s accounts, using those people’s passwords that they stole from other sites, and then got access to those people’s data and the data shared with those people.
I don’t see how any of this is a hack. If you gave me your login and password, then I would be able to do the same thing. Is that hacking?
That is correct. But they didn’t get that from 23andMe. They got the username and password from other sites that were hacked, and the affected users were those that had the same password on 23andme. This is not a 23andMe security issue.
that’s kind of fair, but part of the point is that they didn’t even need to access the accounts of people that were compromised. they just needed to access someone who was related to them to access their genetic info.
access to a ton of information if you were “related” to one another
This is what I never understood: isn’t that the entire selling point of the service? To share a huge amount of what should be personal data, that you wouldn’t willingly share normally? How do they still exist?
If the attack was carried out over one IP address, they should have been able to detect it.
There is no real reason why 7 million different accounts access the site from one location.
I don’t know how sophisticated the attack was but the future threat is instead of DDOS attacks would be distributed ACCESS attacks where millions of controlled devices attack a site with known credentials to download small bits of information over time. Even better if you can work out ahead of time the account’s general location and then assign devices in the area to access that account.
Add comment