23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users
I’m honestly asking what the impact to the users is from this breach. Wasn’t 23andMe already free to selling or distribute this data to anybody they wanted to, without notifying the users?
I would guess (hope?) that the data sets they sell are somewhat anonymized, like listing people by an i.d. number instead of the person's name, and not including contact information like home address and telephone number. If so then the datasets sold to companies don't contain the personal information that hackers got in this security breach.
That’s not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.
I would assume they had some deals with law enforcement to transmit data one narrow circumstances.
I’m honestly asking what the impact to the users is from this breach.
Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.
This is different. This is a breach and if you have a company taking care of such sensitive data, it’s your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they’ve established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt on some regard.
A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.
Which, honestly?
Completely valid. The only way to stop this would be for 23andme to monitor these “hack lists” and notify any email that also has an account on their website.
Side note:
Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.
The only way to stop this would be for 23andme to monitor these “hack lists”
Unfortunately, from the information that I’ve seen, the hack lists didn’t have these credentials. HIBP is the most popular one and it’s claimed that the database used for these wasn’t posted publicly but was instead sold on the dark web. I’m sure there’s some overlap with previous lists if people used the same passwords but the specific dataset in this case wasn’t made public like others.
All i would say is they should have provided 2fa if they didn’t.
At this point, every company not using 2FA is at fault for data hacks. Most people using the internet have logins to 100's of sites. Knowing where to do to change all your passwords is nearly impossible for a seasoned internet user.
The sad thing is you have to balance the costs of requiring your customer to use 2FA with the risk of losing business because of it and the risk of losing reputation because your customers got hacked and suffered loss.
The sad thing is some (actuall most) people are brain dead, you will lose business if you make them use a complicated password or MFA and it puts them in the position to make a hard call.
They took the easy route and gave the customer the option to use MfA if they wished and unfortunately a lot of people declined. Those people should not have the ability to claim damages (or vote, for that matter)
I feel like that argument could be made for some things, but inherently cannot apply to companies involved in personal, genetic, or financial information.
I’m honestly asking what the impact to the users is from this breach.
The stolen info was used to databases of people with jewish ancestry that were sold on the dark web. I think there was a list of similar DB of people with chinese ancestry. 23andme's poor security practices have directly helped violent white supremecists find targets.
If you're so incompetent that you can't stop white supremecists from getting identifiable information about people from minorities, there is a compelling public interest for your company to be shut down.
Well its also their fault for falling for 23andMe because its basically a scam. The data is originally self-selected data sets then correlating a few markers tested once, to match you to their arbitrary groups, isn’t exactly how genetics work is done.
Its actually cheap as, maybe cheaper to get 50x full genome sequencing from a company that actually doesn’t sell your data; where 23andMe business model was running a few marker tests to appease their audience they kept in the dark of how modern genetics works; then keep the same for full genome sequencing later because that shit only gets more valuable over time.
Its what makes genetics weird. A sample taken 10 years ago, will reveal so much more about you 5 years from now, like massively more.
I never met a Geneticist who couldn’t immediately recognize this company as a scam. The product wasn’t the papers they send you after doing random marker tests once (so, false positives exist, and they never cared). The product is the DNA they collected by convincing people that their test was even remotely useful or insightful.
Its entirely based on correlation; and correlation to what? Geographic area? That makes no sense if you know one of any number of fields and many don’t even have to be scientific in nature, or genetics.
I have always hated them, always told people to never use them and get themselves a proper 50x full genome sequencing since it costed the same; and actually provides real, resolute and reliable data. Not just like borderline pseudoscience. Might as well sent in the shape of your skull.
I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.
Maybe there should be some type of regulation that prevents that from happening considering the average person doesn’t think of shit like that because they don’t expect to be fucked over in every conceivable way
If you are dumb enough to send your DNA to a company that keeps it in a database forever, and often shares it with governments to make relationship maps and population control, you deserve everything.
I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.
In a way, it kind of is their fault for trusting companies like this in the first place. I’d never consider using companies like this and both think and hope none of my family members would either.
Obviously, the breach is the company being incompetent like many companies are when it comes to security.
Gentle reminder to plop your email address in here and see if you, much like 14,000 23andMe users, have had an account compromised somewhere. Enable two-factor where you can and don’t reuse passwords.
Just to clarify; It doesn’t necessarily mean that your Google account password is compromised. It lists data breaches of services where you used the provided email to register. The password you chose for that service at the time of the breach has been compromised. If you don’t use the same password everywhere, or changed your password after the breach, your other accounts are not compromised.
Also, as OP said, use two-factor authentication. And please also use a password manager.
It’s saying I’ve been hacked on websites I’ve legitimately never even heard of, websites I have 100% never interacted with. Is this just a normal consequence of companies sharing all my data with other companies?
I can’t speak to how you ended up on the list. The way haveibeenpwned works is that they crawl publicly available credential dumps and grab the associated usernames/emails for each cred pair. However it got there, your email ended up in one of those dumps. Recommend you change your passwords, make sure you don’t repeat the same password across multiple sites and use a password manager so you don’t have to remember dozens of passwords yourself.
The biggest worry is that the data might be right and might be used by an insurance provider to deny a person’s coverage
Ok, but if that’s something insurance companies want to do, they’re not going to be stopped because you didn’t send a DNA sample to 23andMe, nor are they going to have to go scrape up questionable data off the black market. They’ll simply offer people some discount for sending in a DNA sample or even make it a requirement for coverage.
Sell to insurance companies. Genetic predisposition towards certain illnesses? That’s a premium.
If that’s something that those companies were interested in doing, why wouldn’t they just require people applying for coverage to submit a DNA sample? That would be way easier, more reliable, and less shady compared to trying to piece together profiles based on data being sold on the black market.
Explain what someone’s realistically going to do with your DNA data.
You are obviously oblivious to how mass-surveillance works, and how much it can destroy our freedoms. Services like 23AndMe keep a database over all the DNA they have received. This database is often shared with governments, and can be used to create relationship maps - who is what to whom. This information can be and is being weaponized against us on a daily basis.
You are obviously oblivious to how mass-surveillance works, and how much it can destroy our freedoms.
I’m pretty sure they’re currently doing the mass surveillance thing just fine without DNA data. I’m not sure how DNA would even factor into mass surveillance. I’m open to considering realistic scenarios.
Services like 23AndMe keep a database over all the DNA they have received.
Yes, it’s how they provide the service.
This database is often shared with governments, and can be used to create relationship maps - who is what to whom.
What’s your evidence for this claim?
This information can be and is being weaponized against us on a daily basis.
How? By who? What’s your evidence?
I’m betting you have no evidence and will simply appeal to some instance where some company sold some data to the government in a situation that isn’t at all analogous.
The evidence is literally publicly available. It takes mere seconds to find court records and articles online. But it is just easier for you to sit there and scream “what is your evidence?” as some headless chicken, right?
I’m not going to try and guess what you think the evidence is. If it’s as readily available as you claim, it should be trivial for you go find it and show me. The fact that you haven’t yet is telling about how honest you’re actually being.
If I am an insurance company, and I have data that says you are carrying a gene that is correlated with colon cancer, I can either raise the fuck out of your rates because youre a risky client who might cost me a lot of money in colon cancer treatments, or when you do get colon cancer I could refuse to cover it because I have a contract clause you didnt read that says if youre genetically correlated thats functionally a pre-existing condition and thus isnt a part of your coverage.
If I am a med company, and I know what your genes correlate with known treatable genetic diseases that become fatal or more serious to people like you with those genes, I can raise the price of your medication. You have to pay, because you will die if you dont, so I can ask for any price.
If I am a texas politician, who is already threatening hospitals across the nation illegally for your private medical data, I am salivating trying to get your dna. Correlate any gene, or suite of genes, with a population of people you do not like, and you can target them through this. “Prove” a genetic superiority to defend and promote eugenic ideals, while targeting your racial scapegoat at a genetic level. Look like one race? Well your blood says youre not pure, so youre next too.
If I am an insurance company, and I have data that says you are carrying a gene that is correlated with colon cancer…
You think an insurance company would leave money on the table if they thought your DNA could save them a few bucks? They’d either offer discounts to people for submitting DNA samples or require DNA samples as a condition of coverage.
If I am a med company, and I know what your genes correlate with known treatable genetic diseases …
Med companies don’t need your DNA to know that they can charge more life-saving medication. They just need you to know that you have a particular condition and then make sure you know about their medication. If the disease in question is fatal, like your example, it actually seems like a win for the person in question that there’s a cure for their condition.
If I am a texas politician, who is already threatening hospitals across the nation illegally for your private medical data, I am salivating trying to get your dna…
Ah yes, the Texas politician who is going to let the lack of DNA data stand in the way of his eugenic designs. Okay. Totally realistic.
The insurance company doesnt want or need to give you discounts. They are buying this data from companies like 23andme, after the professionals have indexed and prorated it. Telling the customer risks scandal, and buying from youmeans they need to process it in house. This back door pre analyzed data sharing keeps you in the dark, and your money in their pocket.
Med companies do not use this to develop the medication, they use it to change the price of existing meds based on your need. Diseases and disorders are not equally lethal. They are buying this data to get the information on how badly you need the drug, and alter the price accordingly.
They arent going to let anything stand in the way of their plans, they are already illegally collecting this information. More data makes this easier for them.
This is always the most short-sighted kind of comment on the internet, I don’t assume you’re ignorant, I assume you’re selfish - Do you not see a responsibility to future generations in any of your actions or are you just here to “get yours” and check out?
While there are real and immediate dangers today, our responsibility in this moment is to be a firm NO so that these things don’t find their extremes in our lifetime or beyond. You’re the frog in the pot of cold water, but the burner is turned on beneath you.
“What the fuck are you guys talking about man? being all hysterical and shit? The water is comfortable right now, even a bit cold”
Do you not see a responsibility to future generations in any of your actions or are you just here to “get yours” and check out?
Not on this matter. Simply asserting that danger exists is not the same as demonstrating it, and you’re doing a lot of asserting and zero demonstrating.
While there are real and immediate dangers today
Such as? You’re pretty light on details in a situation where it would really help your argument to provide examples. It makes me assume that you don’t actually know.
our responsibility in this moment is to be a firm NO so that these things don’t find their extremes in our lifetime or beyond
Why does that require a “firm NO”? Plenty of actually dangerous things have been handled via regulation rather than a “firm NO”.
You’re the frog in the pot of cold water, but the burner is turned on beneath you.
Bad news for your point: the frogs actually jump out in real life. You’ve also completely failed to demonstrate that we are frogs and there is a pot of water in this situation.
You’re very confidently ignorant. I’m glad this is only an internet conversation and it can just full stop here - I do feel bad for the people that have to suffer you daily in real life though.
Funny you calling me ignorant in response to a post where I asked you twice to explain more. That you resorted to insults instead of explaining your thinking says a lot more about you than it does me.
And there would likely be legal ramifications if they actually used that information in a way that harmed me. That’s not so clear when given up willingly.
And anyone can hate a group of people, the difference between that hate staying small, isolated and relatively contained is organization and systemization - so for example, IBM catalogues and analyzes data for the nazis and you then get an amplification of strength of that hatred that effectively results in the holocaust (instead of something that would have maybe been more like Putin’s limp, flailing invasion of Ukraine).
Yes I can pull a single hair from your head, but if I create a machine where you and 50 million of your friends send me that hair, pay me for the privilege and I then sell the data or it gets breached, that’s where we start to get into the danger zone.
Those of you here being contrarians for the sake of it are on the wrong side of history. Learn a book, shitheads.
I see this trend of websites requesting your identification and all i think is: i don’t even trust my own government with a copy why the hell should i trust a business?
“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe…Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”
This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account’s data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.
you clearly have no familiarity with the principles of information security. 23andMe failed to follow a basic principle: defense in depth. The system should be designed such that compromises are limited in scope and cannot be leveraged into a greater scope. Password breaches are going to happen. They happen every day, on every system on the internet. They happen to weak passwords, reused passwords and strong passwords. They’re so common that if you don’t design your system assuming the occasional user account will be compromised then you’re completely ignoring a threat vector, which is on you as a designer. 23andMe didn’t force 2 factor auth (techcrunch.com/…/23andme-ancestry-myheritage-two-…) and they made it so every account had access to information beyond what that account could control. These are two design decisions that enabled this attack to succeed, and then escalate.
I don’t think so. Those users had opted in to share information within a certain group. They’ve already accepted the risk of sharing info with someone who might be untrustworthy.
Plenty of other systems do the same thing. I can share the list of games on my Steam account with my friends - the fact that a hacker might break into one of their accounts and access my data doesn’t mean that this sharing of information is broken by design.
If you choose to share your secrets with someone, you accept the risk that they may not protect them as well as you do.
There may be other reasons to criticise 23andMe’s security, but this isn’t a broken design.
Add comment