merricksb | 2 years ago
https://news.ycombinator.com/item?id=38856412
(261 points/20 days ago/371 comments)
masto | 2 years ago
I do not reuse passwords, and from what I understand, my account was not accessed directly. The message they sent me was:
"After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor."
So there's nothing I could have done with password security that would have prevented this; my only mistake was using a feature of their site.
posix86 | 2 years ago
I understand you couldn't have done anything, but on the other hand, could they have?
My understanding is that the people that were breached were breached outside 23andMe, and their credentials were simply used to log into 23andMe. Not attacking you or anything, but haven't you opted in to sharing potentially sensitive information with people you don't know, basically making this information as secure as these people's accounts are? Or, for that matter, as secure as these people are?
Perhaps they could highlight that a bit more (I wouldn't think of that probably if I used this feature). But that's just as much "just" a mistake as "just using a feature".
rjmunro | 2 years ago
What exactly does the feature do? Share (some of?) your data with people you seem to be related to? If that data is sensitive, it seems a pretty risky thing to share even with relatives who you know quite well.
onetimeuse92304 | 2 years ago
I had a similar situation back when Adobe lost their database.
I have a personal domain with a catch all configured. So back then I would just give a name like adobe.com@<personal-domain>.
When they leaked my password I contacted their support and they flatly told me that's not them who lost the password, even though evidently the mail itself was tailored specifically for Adobe.
It is likely the support was told to follow a script when a concerned client contacts them and there is no way they are going to tell you anything else regardless of the specifics of your case or how absurd their arguments are.
Culonavirus | 2 years ago
Turns out that people who were saying that these kinds of services are going to give access to Government actors, sell their databases or just have them hacked/stolen by malicious actors because of garbage security were, in fact, correct. Color me not surprised.
MailleQuiMaille | 2 years ago
NikolaNovak | 2 years ago
If somebody accesses a Facebook account; and uses it to view intentionally-shared information on 500 people connected to that person; is that Facebook's fault for having that feature?
It appears Hacker News consensus is "Yes", but... that feature IS Facebook; and to many many people, that feature IS "23andme".
Don't get me wrong - I don't have a 23andme account; we are at an early age of DNA analysis and I'm supremely uncomfortable randomly giving my DNA and wide permissions to strangers in perpetuity. I've tried to give the same perspective to friends and family, with limited success.
I also don't particularly care about genealogy either, yet goodness gracious a lot of people really really do, and they get giddy and excited when they find some 'match' on DNA sites :).
But it does rather seem that external actors used credentials obtained elsewhere to access a core "social-network-like" feature of 23andme that users eagerly opted into (again, I wouldn't have, but I'm a weirdo :).
I don't understand what 23andme's real fault is, other than existing, and allowing users to willingly, consensually, in an informed manner do what they specifically chose to do. We all told our friends & family "hey don't share your DNA results and intimate details of your life with strangers and random new startups", but they repeatedly choose to do so anyway :(.
itsnotafight | 2 years ago
My reading suggests that this is the correct interpretation. And I think it actually crystallizes in the question of whether such services should be allowed to exist. To me it’s hard to argue that we should prevent people from creating and consensually engaging in these large-scale social platforms from an individual liberty perspective. However in aggregate they have so much power to disrupt people’s lives. How do you balance these issues?
If 23andMe is in the wrong here it seems to be because this entire approach of large scale social networks is wrong, and we must solve it at a regulatory level.
dzolob | 2 years ago
ClumsyPilot | 2 years ago
> If somebody accesses a Facebook account; and uses it to view intentionally-shared information on 500 people connected to that person; is that Facebook's fault for having that feature?
I am amazed at the depth of confusion data causes. And the amount of blame deflection that goes on.
Here is a medicine for clarity - imagine data is money, because it is. It’s your money, and someone is holding it for you, someone like a bank.
So the scenario is - a hacker fakes the identity of 14,000 people and empties out the bank accounts. The bank does nothing to stop suspicious activity of a single customer pretending to be 14,000 and has poor authentication. Whose fault is that?
arcbyte | 2 years ago
You are correct. Human nature seems to be to find a scapegoat. Holding 14,000 anonymous people culpable history doesn't feel as good as complaining about a single, visible entity - even an innocent one.
snapcaster | 2 years ago
I finally got through to the women in my family by bringing up what the consequences of their choices to use this service could mean for their children (either currently existing or in the future). Maybe you could try that route; it seems to trigger concern more than when you're talking about themselves, for some reason.
_heimdall | 2 years ago
"The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts, the company previously told Business Insider."
Okay, so first off no software team would be surprised to know that you have millions or tens of millions of customers and as many as 14k reused logins from elsewhere. Second, if someone steals credentials from a subset of users and can use that to gain access to nearly half your customer base you've made a terrible, terrible decision when adding features that allowed that.
Reused username/password pairs are a known challenge, and we should all be aware that our software will be used with compromised logins. Plan for that and don't assume that anyone with a login is both allowed in the door and not there for malicious reasons.
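An added example (not 23andMe's code and not from any commenter) of the planning _heimdall describes and of the "single customer pretending to be 14,000" pattern in ClumsyPilot's bank analogy: a detector that flags one source logging into many accounts and pulling each account's DNA Relatives list. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Detect one source that "pretends to be many customers": credential stuffing
followed by DNA Relatives list scraping, over constructed auth/activity logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real 23andMe data). Fields: timestamp, event type,
# account, source IP, and for relatives_view the number of rows the list returned.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z login_ok acct=a001 ip=203.0.113.7
2023-10-01T10:00:03Z relatives_view acct=a001 ip=203.0.113.7 rows=1500
2023-10-01T10:00:09Z login_ok acct=a002 ip=203.0.113.7
2023-10-01T10:00:11Z relatives_view acct=a002 ip=203.0.113.7 rows=820
2023-10-01T10:00:17Z login_ok acct=a003 ip=203.0.113.7
2023-10-01T10:00:19Z relatives_view acct=a003 ip=203.0.113.7 rows=1310
2023-10-01T10:00:25Z login_fail acct=a004 ip=203.0.113.7
2023-10-01T10:00:31Z login_ok acct=a005 ip=203.0.113.7
2023-10-01T10:00:33Z relatives_view acct=a005 ip=203.0.113.7 rows=640
2023-10-01T10:00:40Z login_ok acct=a006 ip=203.0.113.7
2023-10-01T10:00:42Z relatives_view acct=a006 ip=203.0.113.7 rows=990
2023-10-01T10:05:00Z login_ok acct=b100 ip=198.51.100.20
2023-10-01T10:05:30Z relatives_view acct=b100 ip=198.51.100.20 rows=1500
2023-10-01T11:30:00Z login_ok acct=b101 ip=198.51.100.20
2023-10-02T09:00:00Z login_ok acct=c200 ip=192.0.2.55
"""

# Assumed thresholds. Shared egress IPs (campus or carrier NAT) will exceed
# MAX_ACCOUNTS_PER_SOURCE legitimately, so in production pair these with the
# failed-login ratio and device signals, and treat a hit as a step-up trigger.
WINDOW = timedelta(hours=1)
MAX_ACCOUNTS_PER_SOURCE = 5   # distinct accounts one source may log into per window
MAX_LISTS_PER_SOURCE = 3      # DNA Relatives lists one source may pull per window


def parse_log(text):
    """Parse the space-separated log format above into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "acct": fields["acct"],
            "ip": fields["ip"],
            "rows": int(fields.get("rows", 0)),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=WINDOW):
    """Flag source IPs whose activity inside any one window exceeds the thresholds.

    Returns {ip: {"accounts": set, "lists": int, "rows_exposed": int, "rules": set}}.
    rows_exposed is an upper bound: relatives of related accounts overlap heavily.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        # Sliding window anchored at each event (quadratic, fine for a sample;
        # a streaming detector would keep per-IP counters keyed by window).
        for i, start in enumerate(evs):
            accts, lists, rows = set(), 0, 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["event"] == "login_ok":
                    accts.add(e["acct"])
                elif e["event"] == "relatives_view":
                    lists += 1
                    rows += e["rows"]
            stuffing = len(accts) >= MAX_ACCOUNTS_PER_SOURCE
            scraping = lists >= MAX_LISTS_PER_SOURCE
            if not (stuffing or scraping):
                continue
            f = findings.setdefault(ip, {"accounts": set(), "lists": 0,
                                         "rows_exposed": 0, "rules": set()})
            f["accounts"] |= accts
            f["lists"] = max(f["lists"], lists)
            f["rows_exposed"] = max(f["rows_exposed"], rows)
            if stuffing:
                f["rules"].add("credential_stuffing")
            if scraping:
                f["rules"].add("relatives_scraping")
    return findings


if __name__ == "__main__":
    for ip, f in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, sorted(f["rules"]), len(f["accounts"]), "accounts,",
              f["rows_exposed"], "relative rows pulled")
```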
Aachen | 2 years ago
> if someone steals credentials from a subset of users and can use that to gain access to nearly half your customer base
The article implies that (probably for sensation), but I don't think this is what it means. I assume they got enough matches between these 14k customers to view some level of information on their relatives such as their name. Genetics being what they are (pretty stable between generations), that resulted in a ton of data being shown cumulatively.
But that's just my reading, per my understanding of 23&M's business model. Maybe they did find a vulnerability that allowed actual account access, but that would be bigger news by itself and the article would be exceedingly likely to mention that explicitly.
Edit: this other top-level comment seems to confirm that https://news.ycombinator.com/item?id=39116561
jefftk | 2 years ago
> if someone steals credentials from a subset of users and can use that to gain access to nearly half your customer base
If someone gets access to my facebook account they can read anything my "friends" have marked as "friends-only". Lots of users want that kind of restricted sharing (both with Facebook and with 23andMe).
tcgv | 2 years ago
Two-factor authentication should be mandatory for services like 23andMe that hold such sensitive information (i.e. DNA tests). It would at least have reduced the wideness of the attack by protecting most of those 14k initial accounts that were used to leverage the 'relatives feature' vulnerability.
James_K | 2 years ago
I was thinking this as well, but I'm still not sure 23andMe is to blame. Everyone who signed up to the site knowingly shared their information with accounts that were not 2FA protected. The service was unsafe but the question is whether or not the users should have known that. You can't sue the knife company if you cut yourself, after all.
avsteele | 2 years ago
The article is terrible. What are commenters even discussing without having additional context?
> The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts, the company previously told Business Insider.
This is the only actual 'information' in the article. The rest is just finger pointing. But what does this mean?
What feature? Does 'gain access' here mean all the data you would have as if you logged in as that user? How does 14K become 7M? Is it the case that an average user has access to the data of 500 other users on the website? (7M/14K)
tzs | 2 years ago
If you opt in to finding DNA relatives then you essentially get a list of all your DNA relatives on 23andMe that have also opted in. DNA relative seems to be people who are 4th cousins or closer to you. For each you get a name and an approximate location.
> Does 'gain access' here mean all the data you would have as if you logged in as that user?
Yes.
> How does 14K become 7M? Is it the case that an average user has access to the data of 500 other users on the website? (7M/14K)
Data point: I have opted in. My DNA relatives list has just over 1500 other people on it.
lefixx | 2 years ago
Sounds like the hackers used recycled logins to gain access to 14000 accounts and then for each account gained info about other related accounts.
I can see how you can get 14000 compromised accounts, even though it sounds like too much to me. Can't see how you can get info on so many related accounts. A 1 to 500 ratio.
But if it is true then there is a little blame for the customers too.
padjo | 2 years ago
Business Insider is a trash publication. I wouldn’t waste my time reading it. Their content is always some combination of overstated, inaccurate or flat out made up.
whiddershins | 2 years ago
bookofjoe | 2 years ago
At some point in the future — in our lifetimes — every newborn will have DNA taken and tested — and banked permanently.
You say "No way, over my dead body?"
> Kuwait: New Counterterror Law Sets Mandatory DNA Testing (2015)
https://www.hrw.org/news/2015/07/21/kuwait-new-counterterror...
> Kuwait: Court Strikes Down Draconian DNA Law (2017)
https://www.hrw.org/news/2017/10/17/kuwait-court-strikes-dow....
In the US, a blood sample is taken from all newborns to test for a panel of diseases that are treatable and cause serious problems if not treated within a few days after birth.
The sample is not taken by federal authorities, but by medical staff, usually before the infant goes home from the hospital. The individual states, rather than the Federal government, mandate the testing. The sample consists of a piece of paper with a few or several spots saturated with drops of blood. After testing, the samples are stored for a period of time determined by each individual state. In states where the samples are kept on file for an extended period, those blood spots could be considered a DNA sample.
ManBeardPc | 2 years ago
You could kind of argue that users that reuse passwords are responsible for leaking their own information. But how do they explain the remaining 7 million? Also they are suddenly able to enforce changing passwords and 2FA, so how do they want to claim they reasonably protected sensitive data before? If the 7 million users made their data public to other users that may explain a little bit, but I would assume the company would say so.
cowsandmilk | 2 years ago
The 7 million made their data available to DNA relatives and were DNA relatives of the accounts with compromised passwords.
This is similar to saying your Facebook account was hacked when one of your friends had their account compromised and the hacker had access to the information you share with friends.
Aachen | 2 years ago
It's not a bug, it's a feature! This person used it and shared the message they got from 23&M: https://news.ycombinator.com/item?id=39116561
Basically the find relatives "feature" let them expand the information base from 14k actually-compromised accounts to viewing some level of data on all their distant relatives.
huseyinkeles | 2 years ago
From what I read, people got their credentials breached on some other websites. Hackers then somehow used those same credentials to log in to 23andMe.
I see that 23andMe could’ve forced MFA, or have a better brute force protection for sure but seems like 23andMe themselves didn’t breach any passwords at least.
ta8645 | 2 years ago
This doesn't just affect 23andMe's customers. It affects every person who shares DNA with their customers.
For instance, police have been able to match DNA samples of an unknown perpetrator against these DNA services. Matches against their extended family (who have used the service) are enough to identify them, even though they've never been a customer. And while that's a good thing, the more general case is true for every one of us. We're all represented in this DNA data to one degree or another, even if we've never used the service.
jefftk | 2 years ago
It sounds like you're under the impression that the data that was leaked for half the customer base was people's full genotype? Because the kind of matching that you're talking about here isn't possible on the coarse data that the attackers were able to leverage compromised accounts to access.
sersi | 2 years ago
> The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts
I mean for the 14,000 accounts accessed with compromised login credentials, yes that's logical that it's their fault.
But what kind of feature would allow attackers to then get access to 7 million accounts from 14,000 compromised accounts? The article doesn't say and I can't imagine any feature that would allow that without being an egregious breach of security.
huseyinkeles | 2 years ago
When you are able to log in, you then see who is related to you as well. I believe the news sites use those inflated numbers to make it more dramatic.
michaelt | 2 years ago
> But what kind of feature would allow attackers to then get access to 7 million accounts from 14,000 compromised accounts?
I've never used 23andme myself, but as I understand it they have a 'relative finder' which finds people with similar DNA https://customercare.23andme.com/hc/en-us/articles/221689668... - it even offers some features that purport to show which segments of your genes overlap.
They also provide a predicted-and-editable-and-shareable family tree feature https://customercare.23andme.com/hc/en-us/articles/360036068...
At one point, I believe users were opted into this by default (a review from 2008 says this was the case) although at present I believe they require an explicit opt-in. But of course you can't find your relatives without opting in.
And users might well have thought they were sharing their data only with a handful of relatives, whose identities had been confirmed by DNA testing.
macspoofing | 2 years ago
> I mean for the 14,000 accounts accessed with compromised login credentials, yes that's logical that it's their fault.
The provider has a responsibility here as well - after all, a breach like this followed by the negative public fallout (and potential lawsuits) represents a risk to the business itself. There are things they could have done to mitigate this risk ... Like enforcing 2FA.
And they did mess up, and they know they messed up. Do you know how I know? Because they just started enforcing 2FA (and not in 2019) [1]
[1] https://blog.23andme.com/articles/enhanced-customer-security...
sumtechguy | 2 years ago
That is a huge amount of data you can get at. You do not even have to be a 'nefarious hacker'. Just open a legit account, sub your DNA, and you have access to a lot of data. The way this company has framed the narrative around this is interesting, as 'those terrible hackers did this to you users'. Isn't the math something like go back 7 generations and everyone is related to everyone?
sschueller | 2 years ago
insickness | 2 years ago
that_guy_iain | 2 years ago
tiahura | 2 years ago
kseifried | 2 years ago
https://opensourcesecurity.io/2024/01/21/episode-412-blame-t...
TLDR there is a LOT 23andme could’ve done to prevent this. Around the same time BrickLink had a similar incident, but handled it perfectly.
There is a lot that these vendors can do to protect people, even if their password and username are exposed. Things like requiring email confirmation if you’re logging in from a new IP address. Things like using the haveibeenpwned database to ensure people use good passwords. When I reset my password at 23andMe, it allowed me to use passwords like Password1234567.
23andme continues to disappoint.
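An added example, not kseifried's or 23andMe's code, of the haveibeenpwned check suggested above: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every breached suffix sharing that prefix, so the full hash never leaves the service doing the check. The range data here is a constructed table with made-up counts; `fetch_range_live` shows the real request shape but is not called by the sample run.

```python
"""k-anonymity breached-password check in the Pwned Passwords range API shape,
applied to the "Password1234567" case from the comment above."""
import hashlib
import urllib.request


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the API's backing data: prefix -> ["SUFFIX:COUNT", ...].
# Counts are made up; the real corpus lists common passwords in the millions.
_FAKE_RANGES: dict[str, list[str]] = {}


def _seed(password: str, count: int) -> None:
    digest = sha1_hex_upper(password)
    _FAKE_RANGES.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")


_seed("Password1234567", 42)   # the weak password the comment says was accepted
_seed("password", 1000000)
_seed("23andme2023", 7)


def fetch_range_fake(prefix: str) -> str:
    """Serve the constructed table in the API's format: one SUFFIX:COUNT per line."""
    return "\r\n".join(_FAKE_RANGES.get(prefix, []))


def fetch_range_live(prefix: str) -> str:
    """Real request shape (not called here): only the 5-hex-char prefix is sent,
    and Add-Padding asks the service to hide the true result size from a
    network observer by adding dummy suffixes with a count of 0."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range_fake) -> int:
    """Return how often the password appears in the breach corpus (0 = not found)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        suf, _, count = line.strip().partition(":")
        if suf == suffix:
            return int(count)   # padded entries carry count 0, so they never trip this
    return 0


def password_acceptable(password: str, min_len: int = 12, fetch=fetch_range_fake):
    """Policy: a length floor plus rejection of anything in the breach corpus.
    Returns (ok, reason) so the caller can show the user why it was refused."""
    if len(password) < min_len:
        return False, "too short"
    n = pwned_count(password, fetch)
    if n:
        return False, f"seen {n} times in breach corpora"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Password1234567", "password", "M4 dog ate my 7th sandwich"):
        print(repr(pw), password_acceptable(pw))
```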
shadowgovt | 2 years ago
> One 23andMe customer impacted by the breach told TechCrunch that it's "appalling that 23andMe is attempting to hide from consequences instead of helping its customers."
I mean... Of course they are trying to dodge extra punishment from California while trying to help customers. They can be doing both at the same time.
And as a legal argument, they may have a point. How precisely are they supposed to secure their architecture against recycled login credentials? Does California's law imply that you have to implement two-factor authentication? Seems like it would be a novel application of the law if that's the case.
dzolob | 2 years ago
This “it’s their fault for sharing information” is a terrible externality/unaccountability argument. As a company, you are responsible for the safety and privacy of all your direct and indirect users. I don’t have a facebook, but I’m in there for sure, and it’s the company’s responsibility to protect my privacy.
I know this is not 23&me’s case, and sure, the front door keys weren’t stolen from them, but they allowed the whole museum to be robbed without triggering one alarm. If a bad actor gained access to my account, he/she would still need my device to deobfuscate card info or make transactions.
I mean, it’s a solved problem!
erikson | 2 years ago