[dupe] 23andMe is reportedly turning the blame back on its customers (businessinsider.com)
120 points by nomemory on Jan 24, 2024 | 140 comments



Source article on Techcrunch discussed here 3 weeks ago:

https://news.ycombinator.com/item?id=38856412

(261 points/20 days ago/371 comments)


I do not reuse passwords, and from what I understand, my account was not accessed directly. The message they sent me was:

"After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor."

So there's nothing I could have done with password security that would have prevented this; my only mistake was using a feature of their site.


I understand you couldn't have done anything, but on the other hand, could they have?

My understanding is that the people that were breached were breached outside 23andMe, and their credentials were simply used to log into 23andMe. Not attacking you or anything, but haven't you opted in to sharing potentially sensitive information with people you don't know, basically making this information as secure as these people's accounts are? Or, for that matter, as secure as these people are?

Perhaps they could highlight that a bit more (I wouldn't think of that probably if I used this feature). But that's just as much "just" a mistake as "just using a feature".


Using a service like Have I Been Pwned, could companies like 23andMe proactively invalidate credentials that are known to be leaked? The next time those customers try to log in, they're forced to update their credentials through something like an email-based password reset?


Yes, this is exactly what could have been (and in my opinion, should have been) done to prevent this kind of "credential stuffing" attack. By taking known corpus of exposed passwords and comparing the hashed values against existing user password hashes, the company could have proactively locked accounts and forced password resets for users who had previously chosen weak passwords, and prevented new weak passwords from being chosen as well. This is quickly becoming an industry standard practice, and 23andMe likely knows that and is trying to make the argument that it's not their problem and has nothing to do with them (wrong).


They could have mandated stronger security. Wouldn't even 2FA have avoided this issue? Or even some even stronger measures like enforcing use of hardware security keys.


By default, we should offer a choice for levels of security. At least a password, with SMS or 2FA. And if the company makes a few bucks, even more options.


You are correct, I did opt in. I'm not particularly concerned about the security of this data or this breach. But in the context of all this finger-pointing, I thought it was important to point out that 23andme saying "it's your fault for misusing passwords" is a little disingenuous. I was taking some poetic license with "mistake": I don't consider it a mistake, I willingly chose to share that information. My point was that the only way they can blame me for having my information leaked is to blame me for using their product as advertised.


What exactly does the feature do? Share (some of?) your data with people you seem to be related to? If that data is sensitive, it seems a pretty risky thing to share even with relatives who you know quite well.


It shares some information that you optionally choose to share (genealogical data like where your ancestors are from, family names, etc., and which segments of DNA match).

One thing reading Hacker News has made clear is that people have wildly differing opinions of what "sensitive" and "risky" mean.


Yeah, that's the thing about defining PII in law. You may simply legally curtail some useful applications.


It shares your name and how much DNA you have in common. These are opt-in features.


I had a similar situation back when Adobe lost their database.

I have a personal domain with a catch all configured. So back then I would just give a name like adobe.com@<personal-domain>.

When they leaked my password I contacted their support and they flatly told me that's not them who lost the password, even though evidently the mail itself was tailored specifically for Adobe.

It is likely the support was told to follow a script when a concerned client contacts them and there is no way they are going to tell you anything else regardless of the specifics of your case or how absurd their arguments are.


Turns out that people who were saying that these kinds of services are going to give access to Government actors, sell their databases or just have them hacked/stolen by malicious actors because of garbage security were, in fact, correct. Color me not surprised.


If you think that governments are not already building gene pools of their populations, I can color you a hip shade of naive, too, if you consent of course.


Ok, I'll bite. Which governments are you referring to? And how are they doing this? And how do you know of this?


Many nations have public gene banks. These banks contain many indigenous organisms' gene sequences as well as anonymized gene sequences from people from their respective countries, which is used for national and international medical research. These gene banks exchange information regularly. One of the most public ones is US' own NIH GenBank [0].

A small search surfaces a lot of gene banks which store human and non-human DNA. Use your favorite search engine for this.

Generally submissions are done with patients' consent, but I'm not very sure that some of the blood samples are directed to national private databases for countries' own use and research.

The reasons don't have to be nefarious. Knowing your population's genetic weaknesses is a good way to defend it, and having access to a wide pool allows a deeper understanding of genetic conditions and how genetic therapies are working.

Also, earlier comments than mine already cited how law enforcement in US is already using this as evidence.

I'm an ordinary person. I don't have access to more information than you do.

[0]: https://www.ncbi.nlm.nih.gov/genbank/


That's crazy that US law enforcement is storing genetic data about people they arrest. I understand that governments would store the data with consent from people, but without consent is not great...


That's how they caught the golden state serial killer

https://www.cbc.ca/news/world/dna-from-genealogy-site-used-t....

Also, the government keeps all DNA from people arrested (not convicted) for anything

https://www.nbcnews.com/news/world/your-dna-police-database-...


I’m not the person you’re responding to but their claim doesn’t seem so contentious.

> Which governments are you referring to?

Any that has an intelligence service. (And probably most others too.)

> And how are they doing this?

They get the data from breaches like this or otherwise purchased from services like this.

> And how do you know of this?

I’d suspect less that they know and more that they have a reasonable suspicion. I personally have that suspicion because 1) it’s feasible and 2) governments would be interested in the data.


"How to get a free genealogy test, courtesy of the Hampden DA’s office"

https://www.masslive.com/news/2024/01/how-to-get-a-free-gene...


Isn’t it true that it’s already widely known that some US states (or the US itself; can’t remember details) stores DNA of anyone ever booked by the police even if not charged or charged and acquitted?


> give access to Government actors, sell their databases or just have them hacked/stolen by malicious actors

one of these is not like the other


It’s a big club, and we ain’t in it!


I will color you cynical instead.


Sometimes cynicism is well warranted. Security is just very hard to get right, in general, regardless of who you are.


Is it still cynicism if it's accurate?


We only highlight the cases where the cynicism paid off...and in this case praising someone who is saying something pithy _after the fact_.

It's easy to throw out cynical opinions. It's also easy to come along later and say "I _knew_ this would happen"


Accuracy does not factor into whether a statement is cynicism.


It is if the future is stupid.


I have bad news for you...


This isn't cynicism. It's intelligence - making an accurate prediction of future events.


Just because something ended up being right doesn't mean it was intelligent. Things don't work in absolute, most things are a bet.

If one outcome is 99% likely and the other 1%, the intelligent thing is choosing the 99% likelihood, but that still means that sometimes the person making the bad choice was right.

That doesn't make them intelligent, it makes them lucky.


Even a broken clock is right twice a day. Intelligence is being able to _consistently_ make accurate predictions of the future.


Cynicism is a general distrust in other people’s motives. How does one conclude that distrust expressed in a single event constitutes general distrust? Don’t we need many more examples of distrust from this person before branding them as cynical?


Cynicism is often a coping mechanism for people that have seen too many such events happen. It's actually only a problem when it guides choices from decision makers ahead of time, there's nothing wrong with some cynicism as long as it doesn't guide your actions.


How is one not cynical today?


Still your mistake, so in a sense they were right. I don't use DNA services like these, especially for cases like these. /s


I wouldn't say it so starkly. Not overseeing all consequences isn't necessarily a mistake someone can be blamed for

At least part of the issue is not informing people of the risk they're taking by using the feature. That doesn't make for good business, though


Sadly, I have to agree. The amount of convincing I had to do to try (and fail) to stop friends from using this specific website before the leak… The sad thing is that it’s not necessarily malice that you should be wary of. Stuff like this is a risk too. But yeah, I was a bit harsh, it’s true.


You're welcome to your own opinion about what you think is a bad idea, but I don't share it. I won't call you paranoid if you don't call me stupid.


I have a genuine question:

If somebody accesses a Facebook account; and uses it to view intentionally-shared information on 500 people connected to that person; is that Facebook's fault for having that feature?

It appears Hacker News consensus is "Yes", but... that feature IS Facebook; and to many many people, that feature IS "23andme".

Don't get me wrong - I don't have 23andme account; we are at an early age of DNA analysis and I'm supremely uncomfortable randomly giving my DNA and wide permissions to strangers for perpetuity. I've tried to give same perspective to friends and family, with limited success.

I also don't particularly care about genealogy either, yet goodness gracious a lot of people really really do and they get giddy and excited when they find some 'match' on DNA sites :).

But it does rather seem that external actors used credentials obtained elsewhere, to access a core "social-network-like" feature of 23andme, that users eagerly opted in (again, I wouldn't have, but I'm a weirdo:).

I don't understand what 23andme's real fault is, other than existing, and allowing users to willingly, consensually, in an informed manner do what they specifically chose to do. We all told our friends & family "hey don't share your DNA results and intimate details of your life with strangers and random new startups", but they repeatedly choose to do so anyway :(.


My reading suggests that this is the correct interpretation. And I think it actually crystallizes in the question of whether such services should be allowed to exist. To me it’s hard to argue that we should prevent people from creating and consensually engaging in these large-scale social platforms from an individual liberty perspective. However in aggregate they have so much power to disrupt people’s lives. How do you balance these issues?

If 23andMe is in the wrong here it seems to be because this entire approach of large scale social networks is wrong, and we must solve it at a regulatory level.


If you can be massively scraped while holding very sensitive data, you have a problem.


> If somebody accesses a Facebook account; and uses it to view intentionally-shared information on 500 people connected to that person; is that Facebook's fault for having that feature?

I am amazed at the depth of confusion data causes. And the amount of blame deflection that goes on.

Here is a medicine for clarity - imagine data is money, because it is. It’s your money, and someone is holding it for you, someone like a bank.

So the scenario is - a hacker fakes identity of 14,000 people and empties out the bank accounts. Bank does nothing to stop suspicious activity of a single customer pretending to be 14,000 and has poor authentication. whose fault is that?


>>imagine data is money, because it is. It’s your money, and someone is holding it for you, someone like a bank.

But it is not.

I'm not saying it SHOULD NOT be. But it is not, and such sentences perpetuate confusion rather than reduce it. Data is not "money" in general, and definitely not in this case in particular.

Banks have extreme regulatory framework within which they conduct their operations. There are checks (hah!) and balances and accountability and industry standard processes. This regulatory framework, and the formal backing and assurance by the government, is what gives me confidence to put my money there. Note some people's risk threshold is different and they go for cash or bitcoin instead - fair enough.

(Even so, there are situations even in banking where explicitly you are responsible for your data/money. E.g. a lot of wire services, if you grant somebody permission or you wire the wrong entity your money, that's on you.)

23andme does not fall under the same regulatory framework that banks do. It just, doesn't.

I might want and like it to be. Let's campaign for that change together! But it is not. People have given their data to a random new startup with limited regulatory and privacy framework, they have explicitly given that startup permissions to that data, and they have explicitly chosen to share that data with strangers on the quasi-social-network. Bluntly - I love my dad, but I definitely blame him for sending his data to this company despite my urging not to. This was the most predictable outcome in the world along a long time scale.

If we are saying that it's 23andme's fault for existing and providing that service, and such services should be regulated, sure, I'll agree :).

But I also believe most news on this are also in the "depth of confusion" when it comes to the 7 million number and the chain of dependency/fault.


You are correct. Human nature seems to be to find a scapegoat. Holding 14,000 anonymous people culpable history doesn't feel as good as complaining about a single, visible entity - even an innocent one.


I finally got through to the women in my family by bringing up what the consequences of their choices to use this service could mean for their children (either currently existing or in the future). Maybe could try that route, seems to trigger concern more than when you're talking about themselves for some reason


Could you please explain what the consequences might be for the children?


Not the OP, and my advice is not specifically for a gender, but FWIW, I give similar advice: We don't know today how DNA data will be used in the future. 10 years from now, 20 years from now, this may be supremely normal, or we could be in massive dystopia of it used nefariously.

Sharing DNA with random startup private entities is not just a potential consequence for you, but also for anybody related to you, in the future, such as in particular your children.

And this is not theoretical for me - I explicitly do not want to be in this, I asked my immediate family to please consider the potential impact, and yet my dad enrolled and put my name in there. I now get to live with that decision.

(don't get me wrong, my dad and I are super close - but on this one thing, he, as most people, saw this as a lightweight decision with no consequence and some fun trivia, and did not share my perspective of it as a heavyweight, impactful decision with potentially long-lasting consequences)


Exactly what I meant, thanks


"The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts, the company previously told Business Insider."

Okay, so first off no software team would be surprised to know that you have millions or tens of millions of customers and as many as 14k reused logins from elsewhere. Second, if someone steals credentials from a subset of users and can use that to gain access to nearly half your customer base you've made a terrible, terrible decision when adding features that allowed that.

Reused username/password pairs is a known challenge, and we should all be aware that our software will be used with compromised logins. Plan for that and don't assume that anyone with a login is both allowed in the door and not there for malicious reasons.


> if someone steals credentials from a subset of users and can use that to gain access to nearly half your customer base

The article implies that (probably for sensation), but I don't think this is what it means. I assume they got enough matches between these 14k customers to view some level of information on their relatives such as their name. Genetics being what they are (pretty stable between generations), that resulted in a ton of data being shown cumulatively

But that's just my reading, per my understanding of 23&M's business model. Maybe they did find a vulnerability that allowed actual account access, but that would be bigger news by itself and the article would be exceedingly likely to mention that explicitly

Edit: this other top-level comment seems to confirm that https://news.ycombinator.com/item?id=39116561


> if someone steals credentials from a subset of users and can use that to gain access to nearly half your customer base

If someone gets access to my facebook account they can read anything my "friends" have marked as "friends-only". Lots of users want that kind of restricted sharing (both with Facebook and with 23andMe).


Two factor authentication should be mandatory for services like 23andMe that hold such sensitive information (i.e. DNA tests). It would at least have reduced the wideness of the attack by protecting most of those 14k initial accounts that were used to leverage the 'relatives feature' vulnerability.


I was thinking this as well, but I'm still not sure 23andMe is to blame. Everyone who signed up to the site knowingly shared their information with accounts that were not 2FA protected. The service was unsafe, but the question is whether or not the users should have known that. You can't sue the knife company if you cut yourself, after all.


The article is terrible. What are commenters even discussing without having additional context?

> The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts, the company previously told Business Insider.

This is the only actual 'information' in the article. The rest is just finger pointing. But what does this mean?

What feature? Does 'gain access' here mean all the data you would have as if you logged in as that user? How does 14K become 7M? Is it the case that an average user has access to the data of 500 other users on the website? (7M/14K)


> What feature?

If you opt in to finding DNA relatives then you essentially get a list of all your DNA relatives on 23andMe that have also opted in. DNA relative seems to be people who are 4th cousins or closer to you. For each you get a name and an approximate location.

> Does 'gain access' here mean all the data you would have as if you logged in as that user?

Yes.

> How does 14K become 7M? Is it that case that an average user has access to the data of 500 other users on website? (7M/14K)

Data point: I have opted in. My DNA relatives list has just over 1500 other people on it.


Thank you!


Sounds like the hackers used recycled logins to gain access to 14000 accounts and then for each account gained info about other related accounts.

I can see how you can get 14000 compromised accounts even though it sounds too much to me. Can't see how you can get info on so many related accounts. A 1 to 500 ratio.

But if it is true then there is a little blame for the customers too.


Business insider is a trash publication. I wouldn’t waste my time reading it. Their content is always some combination of over stated, inaccurate or flat out made up.


True, and that 500 number is way too low because that calculation imagines there is zero overlap/duplication.
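The overlap point made above, worked through as an added example (this is not 23andMe's code or data). Each user in the constructed graph below maps to the set of opted-in relatives whose shared profile they can see; the compromised accounts, the family sizes and the helper names are all assumptions. It shows why 7M / 14k = 500 is a ratio of distinct victims to compromised accounts, not the size of any one relatives list: within a family, those lists overlap almost completely, so each compromised account must see more than the ratio suggests.

```python
"""Blast radius of an opt-in relatives list, computed as a set union over a graph.

Added example; not 23andMe's code and not its data. The graph is constructed:
each user maps to the set of opted-in relatives whose shared profile they can
see. Dividing distinct victims by compromised accounts understates how many
relatives each compromised account actually sees, because relatives lists
overlap heavily within a family.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Relatives = Dict[str, Set[str]]

def symmetric_graph(edges: Iterable[Tuple[str, str]]) -> Relatives:
    """DNA matching is mutual: if a sees b, b sees a."""
    g: Relatives = defaultdict(set)
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return g

def reachable(compromised: Iterable[str], relatives: Relatives) -> Set[str]:
    """Everyone whose shared profile is visible from at least one compromised account."""
    seen: Set[str] = set()
    for account in compromised:
        seen |= relatives.get(account, set())
    return seen

def exposure_stats(compromised: Iterable[str], relatives: Relatives) -> Dict[str, float]:
    comp = list(compromised)
    naive_sum = sum(len(relatives.get(a, set())) for a in comp)   # counts overlaps twice
    distinct = len(reachable(comp, relatives))                     # what actually leaks
    return {
        "naive_sum": naive_sum,
        "distinct": distinct,
        "per_account_ratio": distinct / len(comp),   # the thread's 7M/14k figure
        "mean_list_size": naive_sum / len(comp),     # what each victim actually sees
    }

def _clique(members: List[str]) -> List[Tuple[str, str]]:
    """Every member of a family matches every other member."""
    return [(a, b) for i, a in enumerate(members) for b in members[i + 1:]]

# Constructed graph: two families with no DNA matches between them.
FAMILY_A = ["a1", "a2", "a3", "a4", "a5", "a6"]
FAMILY_B = ["b1", "b2", "b3", "b4"]
CONSTRUCTED_GRAPH = symmetric_graph(_clique(FAMILY_A) + _clique(FAMILY_B))
CONSTRUCTED_COMPROMISED = ["a1", "a2", "b1"]   # two stuffed logins in family A, one in B

if __name__ == "__main__":
    print(exposure_stats(CONSTRUCTED_COMPROMISED, CONSTRUCTED_GRAPH))
```

With three compromised accounts the naive sum of list sizes is 13, but only 9 distinct profiles are reachable, so the distinct-per-account ratio (3) sits below the mean list size (about 4.3). Scale the same shape up and a 1500-entry relatives list per account is entirely consistent with a 500-to-1 ratio of victims to compromised logins.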


This is a canary in a coal mine.

At some point in the future — in our lifetimes — every newborn will have DNA taken and tested — and banked permanently.

You say "No way, over my dead body?"

>Kuwait: New Counterterror Law Sets Mandatory DNA Testing (2015)

https://www.hrw.org/news/2015/07/21/kuwait-new-counterterror...

>Kuwait: Court Strikes Down Draconian DNA Law (2017)

https://www.hrw.org/news/2017/10/17/kuwait-court-strikes-dow....

In the US, a blood sample is taken from all newborns to test for a panel of diseases that are treatable and cause serious problems if not treated within a few days after birth.

The sample is not taken by federal authorities, but by medical staff, usually before the infant goes home from the hospital. The individual states, rather than the Federal government, mandate the testing. The sample consists of a piece of paper with a few or several spots saturated with drops of blood. After testing, the samples are stored for a period of time determined by each individual state. In states where the samples are kept on file for an extended period, those blood spots could be considered a DNA sample.


You could kind of argue that users that reuse passwords are responsible for leaking their own information. But how do they explain the remaining 7 million? Also they are suddenly able to enforce changing passwords and 2FA, so how do they want to claim they reasonably protected sensitive data before? If the 7 million users made their data public to other users that may explain a little bit, but I would assume the company would say so.


The 7 million made their data available to DNA relatives and were DNA relatives of the accounts with compromised passwords.

This is similar to saying your Facebook account was hacked when one of your friends had their account compromised and the hacker had access to the information you share with friends.


> how do they explain the remaining 7 million?

It's not a bug, it's a feature! This person used it and shared the message they got from 23&M: https://news.ycombinator.com/item?id=39116561

Basically the find relatives "feature" let them expand the information base from 14k actually-compromised accounts to viewing some level of data on all their distant relatives


From what I read, people got their credentials breached on some other websites. Hackers then somehow used those same credentials to log in to 23andMe.

I see that 23andMe could’ve forced MFA, or have a better brute force protection for sure but seems like 23andMe themselves didn’t breach any passwords at least.


This doesn't just affect 23andMe's customers. It affects every person who shares DNA with their customers.

For instance, police have been able to match DNA samples of an unknown perpetrator against these DNA services. Matches against their extended family (who have used the service) are enough to identify them, even though they've never been a customer. And while that's a good thing, the more general case is true for every one of us. We're all represented in this DNA data to one degree or another, even if we've never used the service.


It sounds like you're under the impression that the data that was leaked for half the customer base was people's full genotype? Because the kind of matching that you're talking about here isn't possible on the coarse data that the attackers were able to leverage compromised accounts to access.


> The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts

I mean for the 14,000 accounts accessed with compromised login credentials, yes that's logical that it's their fault.

But what kind of feature would allow attackers to then get access to 7 million accounts from 14,000 compromised accounts? The article doesn't say and I can't imagine any feature that would allow that without being an egregious breach of security.


When you are able to log in, you then see who are related to you as well. I believe the news sites use those inflated numbers to make it more dramatic.


> use those inflated numbers to make it [clear how serious it actually was].


They already release the 7 million people's data - to the same extent the hackers got it - to anyone who manages to upload a sufficiently similar genome. There's no additional data privacy concern in releasing it to hackers or Equifax or the FBI or 4chan or the Washington Post. 23andMe limit access to it for commercial reasons, not privacy ones.


But you only have one genome, so you will only ever see a very small subset of that 7 million (I’m assuming that’s how it works, I’ve never used the service). Now you have access to 7 million records at the same time, which is much more powerful in terms of what you can do with that data.


More powerful, but mostly you can do good things, like genealogical research, not bad things, like identity fraud or credit card theft (which you could do if you compromised the 7 million accounts individually).

It's better for the world that that kind of aggregate data is public where anyone can use it, rather than exploited by 23andMe or sold only through data brokers.


Ah, but then it's not like you get all of the data, just the names that are often fake anyway no? I mean I don't know anyone who used 23 and me under their real name.


>Ah, but then it's not like you get all of the data, just the names that are often fake anyway no?

I would bet that an overwhelming majority of 23 and me users do so under their real names.

I would bet that an overwhelming majority of HN users who use 23 and me do not do so under their real names.


You might be right, but even my non-technical 50-year-old friend who decided to use 23 and me with her sister to see if they shared the same father did it with a fake name.


> But what kind of feature would allow attackers to then get access to 7 million accounts from 14,000 compromised accounts?

I've never used 23andme myself, but as I understand it they have a 'relative finder' which finds people with similar DNA https://customercare.23andme.com/hc/en-us/articles/221689668... - it even offers some features that purport to show which segments of your genes overlap.

They also provide a predicted-and-editable-and-shareable family tree feature https://customercare.23andme.com/hc/en-us/articles/360036068...

At one point, I believe users were opted into this by default (a review from 2008 says this was the case) although at present I believe they require an explicit opt-in. But of course you can't find your relatives without opting in.

And users might well have thought they were sharing their data only with a handful of relatives, whose identities had been confirmed by DNA testing.


>I mean for the 14,000 accounts accessed with compromised login credentials, yes that's logical that it's their fault.

The provider has a responsibility here as well - after all, a breach like this followed by the negative public fallout (and potential lawsuits) represents a risk to the business itself. There are things they could have done to mitigate this risk ... Like enforcing 2FA.

And they did mess up, and they know they messed up. Do you know how I know? Because they just started enforcing 2FA (and not in 2019) [1]

[1]https://blog.23andme.com/articles/enhanced-customer-security...


That is a huge amount of data you can get at. You do not even have to be a 'nefarious hacker'. Just open a legit account, sub your DNA and you have access to a lot of data. The way this company has framed the narrative around this is interesting, as 'those terrible hackers did this to you users'. Isn't the math something like go back 7 generations and everyone is related to everyone?


Let's not pretend that 23andMe didn't voluntarily give access to the data to law enforcement and wanted to sell it as well to insurance companies.


While 23andMe may not be culpable, they certainly look culpable, particularly to the layman. Their messaging in response to this is terrible.


I think with how 23andMe is reacting they know they're about to get spanked in a class action.


Thanks for letting us know that you’re that guy who doesn’t read the article.


Wait does the article tell us they're not going to get spanked in a class action? No, it doesn't. Thanks for letting us know you're the guy who tries to be a smart-arse but fails.


We covered this on the open source podcast last week.

https://opensourcesecurity.io/2024/01/21/episode-412-blame-t...

TLDR there is a LOT 23andme could’ve done to prevent this. Around the same time BrickLink had a similar incident, but handled it perfectly.

There is a lot that these vendors can do to protect people, even if their password and username are exposed. Things like requiring email confirmation if you’re logging in from a new IP address. Things like using the haveibeenpwned database to ensure people use good passwords. When I reset my password at 23andMe, it allowed me to use passwords like Password1234567.

23andme continues to disappoint.
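The two login-side controls the comment above names (confirmation for a login from an address the account has never used, and noticing one source walking through many accounts), as an added example run over constructed log lines. This is not 23andMe's code; the log format, field names, thresholds, sample addresses and helper names are assumptions made for illustration.

```python
"""Two credential-stuffing signals over authentication logs.

Added example; not 23andMe's code. The log format, field names, thresholds and
the constructed sample lines are assumptions made for illustration. The two
signals: one source address cycling through many distinct accounts in a short
window, and a successful login from an address the account has never used,
which should trigger an e-mail confirmation before the session is useful.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool

def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line: '<ISO8601> ip=<addr> user=<name> result=ok|fail'."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return AuthEvent(ts, fields["ip"], fields["user"], fields["result"] == "ok")

def stuffing_sources(events: Iterable[AuthEvent],
                     window: timedelta = timedelta(minutes=10),
                     min_users: int = 5) -> Dict[str, int]:
    """Source addresses that attempted >= min_users distinct accounts within `window`.

    Returns ip -> peak distinct-account count seen in any window. A per-IP rule
    is cheap, but an attacker spreading attempts across many addresses stays
    under it, so treat it as a floor rather than the whole defence.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.ip]
        q.append((ev.ts, ev.user))
        while q and ev.ts - q[0][0] > window:   # drop attempts that fell out of the window
            q.popleft()
        distinct = len({user for _, user in q})
        if distinct >= min_users:
            flagged[ev.ip] = max(distinct, flagged.get(ev.ip, 0))
    return flagged

def needs_email_confirmation(ev: AuthEvent, known_ips: Dict[str, Set[str]]) -> bool:
    """Step-up rule: the password was right, but this account has never logged in
    from this address. A stuffed credential stops here unless the attacker also
    controls the victim's mailbox."""
    return ev.ok and ev.ip not in known_ips.get(ev.user, set())

def analyze(lines: Iterable[str], known_ips: Dict[str, Set[str]]) -> Dict[str, object]:
    events = [parse_line(line) for line in lines]
    step_up: List[Tuple[str, str]] = [
        (ev.user, ev.ip) for ev in sorted(events, key=lambda e: e.ts)
        if needs_email_confirmation(ev, known_ips)
    ]
    return {"stuffing_sources": stuffing_sources(events), "step_up": step_up}

# Constructed sample: one address walks six accounts in seven seconds and gets
# one hit; a legitimate user logs in twice from an address they always use.
CONSTRUCTED_LOG = [
    "2024-01-10T03:00:01Z ip=198.51.100.4 user=alice result=ok",
    "2024-01-10T03:00:05Z ip=203.0.113.7 user=alice result=fail",
    "2024-01-10T03:00:06Z ip=203.0.113.7 user=bob result=fail",
    "2024-01-10T03:00:08Z ip=203.0.113.7 user=carol result=fail",
    "2024-01-10T03:00:09Z ip=203.0.113.7 user=dave result=ok",
    "2024-01-10T03:00:11Z ip=203.0.113.7 user=erin result=fail",
    "2024-01-10T03:00:12Z ip=203.0.113.7 user=frank result=fail",
    "2024-01-10T03:15:00Z ip=198.51.100.4 user=alice result=ok",
]
CONSTRUCTED_KNOWN_IPS: Dict[str, Set[str]] = {
    "alice": {"198.51.100.4"},
    "dave": {"192.0.2.9"},
}

if __name__ == "__main__":
    print(analyze(CONSTRUCTED_LOG, CONSTRUCTED_KNOWN_IPS))
```

On the sample, 203.0.113.7 is flagged with six distinct accounts in one window and dave's successful login from it is routed to e-mail confirmation, while alice's two logins from her usual address pass untouched. The per-account new-address rule is the one that limits damage against a slow, distributed stuffing run that never trips a per-source threshold.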


> One 23andMe customer impacted by the breach told TechCrunch that it's "appalling that 23andMe is attempting to hide from consequences instead of helping its customers."

I mean... Of course they are trying to dodge extra punishment from California while trying to help customers. They can be doing both at the same time.

And as a legal argument, they may have a point. How precisely are they supposed to secure their architecture against recycled login credentials? Does California's law imply that you have to implement two-factor authentication? Seems like it would be a novel application of the law if that's the case.


This “it’s their fault for sharing information” is a terrible externality/unaccountability argument. As a company, you are responsible for the safety and privacy of all your direct and indirect users. I don’t have a facebook, but I’m in there for sure, and it’s the company’s responsibility to protect my privacy.

I know this is not 23&me’s case, and sure, the front door keys weren’t stolen from them, but they allowed the whole museum to be robbed without triggering one alarm. If a bad actor gained access to my account, he/she would still need my device to deobfuscate card info or make transactions.

I mean, it’s a solved problem!


Same pr agency as you know who


If someone registers on my website with the same password as in LinkedIn, then LinkedIn gets hacked overmorrow, and the attacker then logs in with the correct password on my website, what should I have done to prevent that successful login to this user's account?

We can get angry and make jokes about 23&Me but I don't know what people would expect of me here; what solution I ought to implement as someone who runs several websites as hobby projects

This problem is also one of the reasons why I'd not recommend doing such a DNA test with a web service...

Edit: could I know why a moderator pinned this comment to the bottom? It got votes and was at the top for a few minutes, but now sorts below literally every other comment, also greyed-out ones and downvotes are starting to appear (maybe by association because it's at the bottom?). What should I have written differently to not get moderated away?


23-and-me could implement something like Troy Hunt's K-Anonymity API. The password is hashed, then the first n characters are sent to the API. The API then returns the count of times that password has appeared in data breaches. If the result is >0, the user's account is blocked until they've gone through a forgot password journey.

23-and-me could probably check if large numbers of people have all tried to sign in from common IP addresses within the space of a few hours. Even checking their login APIs for enormous spikes in unexpected traffic too.

The requirements for your hobby projects are different to that of 23-and-me, but you could potentially implement a similar feature too.
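The k-anonymity lookup described above, as an added example that is not part of the original comment: the password is SHA-1 hashed, only the first 5 hex characters of the digest go to the range API, and the suffix is compared locally against the returned "SUFFIX:COUNT" lines. The range response here is constructed for offline testing and `fake_fetch_range` stands in for the HTTPS call.

```python
import hashlib
from typing import Callable, Tuple


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 digest.
    Only the prefix is sent to the API; the suffix never leaves the server."""
    digest = _sha1_upper(password)
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_response: str) -> int:
    """Scan the API's 'SUFFIX:COUNT' lines for our suffix; 0 if absent.
    Padding lines with a count of 0 are treated as 'not seen'."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def login_decision(password: str, fetch_range: Callable[[str], str]) -> str:
    """Check the submitted password at login time (not only at registration).
    Returns 'allow' or 'force_reset'; the latter should route the user through
    the account recovery flow before the session is granted."""
    prefix, suffix = split_for_k_anonymity(password)
    if breach_count_from_range(suffix, fetch_range(prefix)) > 0:
        return "force_reset"
    return "allow"


# Constructed fixture: the weak password from the thread is marked as seen
# 2372 times (a made-up count); the other suffixes are filler, not real data.
WEAK_PASSWORD = "Password1234567"
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0000000000000000000000000000000000A:3",
    f"{_sha1_upper(WEAK_PASSWORD)[5:]}:2372",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
])


def fake_fetch_range(prefix: str) -> str:
    # Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    print(login_decision(WEAK_PASSWORD, fake_fetch_range))
```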


The password may not be known to HIBP at the time it is registered. This will very likely be a large enough fraction (>0.2%) that you can still get into sufficient accounts to access plenty of relatives' data.

> could probably check if large numbers of people have all tried to sign in from common IP addresses within the space of a few hours

That doesn't work, see my sibling comment where I did the math on what authentication rate you'd need to trigger at https://news.ycombinator.com/item?id=39116531


>The password may not be known to HIBP at the time it is registered. This will very likely be a large enough fraction (>0.2%) that you can still get into sufficient accounts to access plenty of relatives' data.

To be clear, the password can be checked at login-time, rather than registration-time, at which point the service should send the user through an account recovery process. There's still scope for passwords not appearing in the HIBP dataset, but it's massively reduced.

Do you mean this link: https://news.ycombinator.com/item?id=39116531 ? I'm not sure I agree with your conclusion. You should be able to successfully highlight a unique IP address making ~4,400 discrete login attempts across a month as suspicious - and further highlight that there are 1,000 other IP addresses behaving in the same way. Most users login from a handful of predictable IP addresses, and most IP addresses login with only a couple of predictable accounts.

These types of login analytics aren't beyond the ken of man, and a service like 23-and-me should definitely not be able to allow 4.4m attempts and 14k successes from a small set of IP addresses without it raising some internal alerts.


With CGNAT as in Italy or daily forced IP changes as in Germany, I'm not sure that it's true that most people log in from a predictable set of IP addresses. Perhaps one could indeed establish such a pattern in some countries like the Netherlands, and establish a set of ISPs per account for customers in other countries.

I must agree, though, about your point that 4k different logins from the same address in one month would be rather high for their customer base, so the limit could be lower if you allow enough bursting. What do you do after that, though, block them outright if you suspect a bot? That's going to block real users also. Give it captchas? Besides people also hating those, one can have someone in Bangladesh solve them if modern neural nets don't get the desired solve rate.

I guess the overall solution will have to be 2FA and, indeed, some long-term rate limit beyond which they'll have to give users captchas (to at least increase the cost of an attack), and some upper bound beyond which it gets outright blocked.


"You're logging in from a new device. Please check your email for a verification code."

"You're logging in from an unusual location. Please answer your security questions to continue."

"We've sent you a text message with a code which is valid for the next 10 minutes."

"Press OK on the 23andme app to continue."

"Please enter the code shown on your 2-factor device."

As a user, you can be blamed for poor password practices, but if you're running a service, it's basically a given that some percentage of your users are going to re-use passwords and it's your responsibility to mitigate the fallout from that. If you don't enforce 2FA then you can check for unusual things about the login, such as change of IP address, browser, or device. Yes, it's not foolproof like 2FA, but it doesn't need to be foolproof to be useful.


I'm sure people would complain about most of those on privacy and/or antitrust grounds.

> "You're logging in from a new device. Please check your email for a verification code."

This site is keeping track of all the devices I use, which is not necessary to provide their service.

> "You're logging in from an unusual location. Please answer your security questions to continue."

They are also tracking my location, which is not necessary to provide their service.

> "We've sent you a text message with a code which is valid for the next 10 minutes."

They make me provide a phone number, which is not necessary to provide their service.

> "Press OK on the 23andme app to continue."

They have a perfectly good web site, yet they require me to use their proprietary app (which requires me to have an Apple or Android phone or tablet). This is not necessary to provide their service. They are probably getting paid by Apple and Google to try to force people to have their devices.


All of these quotes are saying to use 2FA (besides security questions, which are a horrible security measure: https://security.stackexchange.com/a/224271/10863). That sounds like a good suggestion, though it costs business because it adds friction. Maybe now that they need to save their reputation, and they're an established business with plenty of customers already, it makes sense for them to add, but a new entrant to the market would simply not do it and I'm not sure whether they can be fully blamed in a competitive market.


Forced 2 factor authentication for critical biometric data.


Why should someone who is able to choose a strong, distinct password for each service (and keep it safe) be forced into an additional inconvenience.

I think this is a more broad issue, how do you give the same service for all users, regardless of their level of experience.


Because I have no way to verify that you never reused or leaked your own password anywhere. And because your genetic data isn’t just your own. It is shared by your kids, your parents, your extended family.

I’ve never used 23andMe and yet I’m involved in this breach. How is that a fair shake?


If you have any blood relatives who signed up with 23andMe then you are automatically involved, even if you've never heard of 23andMe.


“I’ve never used 23andMe and yet I’m involved in this breach.”

How were you notified? I’ve never used the service but wondered what shadow profiles they may hold.


How would you do this for historical accounts? 2FA needs to be set up by users. It has gone through multiple iterations over the past 2 decades and was not always standard practice. 23andme was founded in 2006.


Send out increasingly loud notices ahead of time, and try to come up with a secure recovery procedure for the many customers who will fail to react to them. It's not going to be cheap. But losing some kinds of data should be even more expensive.


Force them to change their password, prevent use of the account? If it’s a dormant account, force a password reset using email?

Doesn’t feel like an unsolvable problem, certainly not one without edge cases but surely we can hit 80/20 without too big a hassle.


The thing is, attackers don't need 20%. The article says they used 14k accounts with previously cracked passwords to uncover data of 7 million customers: that's 0.2%

Doing low-hanging fruit isn't enough here. Honestly I just don't feel like the time is right to build such big DNA databases yet. Maybe one day with quantum encryption (can't observe the state without modifying it) or whatever else we may figure out, but today it just seems like you're taking a risk for yourself and half a dozen layers of relatives


1. Disable the account from further access.

2. Send a postcard to the billing address where you signed up (verified against credit reports) with a one time verification code, upon which some second factor is set up. Maybe put 20 "rescue codes" on the postcard too, if you like.

3. Force user to enable some sort of second factor authentication on their next login.


Imagine a service you paid for locking your account and sent a postcard to an address you haven't lived at in a decade. What a great user experience!


If you paid for a service, the onus is on you to keep your information updated with that service.


Do you actually update all your address in every service the moment you move?


Ones I care about, yes.


I’ve had sites that do forced password resets and other annoying things when I come back after years.

23andme bears more responsibility than users, like banks bear more responsibility for customers choosing stupid PINs. DNA info is valuable; they need to design good safeguards.


Yahoo for one: I didn't mind.


You show a popup "are you a hacker?". If somebody lies, it's not your problem, right?


We don't have satisfactory 2fa solutions for consumers yet.


Sure we do. Mail a postcard with codes. Problem solved.


We have different bars for satisfactory.


How critical is this data, really? What could an attacker really do with my genetic profile?


1. Find relatives you didn't know you had and inform them of the fact, perhaps destroying families by revealing long-concealed/previously unknown secrets

2. Identify DNA sequences and genes associated with various diseases, then contact you AND your relatives to advise seeing a doctor and consider using drugs made by the new owners of your genetic data

3. Sell your data to insurance companies who would pay plenty for early evidence of breast cancer likelihood or Huntington's Disease so they can avoid insuring you


Thinking that large companies are going to buy black market genetic data and deny your insurance is completely unhinged. Not only would they never do it because they would instantly get caught and sued into oblivion, the health insurance industry is actually incentivized against cutting medical costs because of the statutory maximum of 20% gross profit on premiums in the ACA.



This is an acquisition of a company and has nothing in common with a data breach or purchasing stolen data on the black market.


>Theoretically your insurance companies or employers won’t be buying this information off the black market.

"Theoretically" is the operative word here.

https://www.yourdnaguide.com/ydgblog/dna-data


Assume everyone breached now has their dna linked forever with their marketing data graph.

It will be sold and resold so eventually your TikTok feed will be influenced by your genes.


TikTok knows what videos you have watched and liked, which is all the targeting data they ever need. They don't need or want your genetics. And even if they did, better TikTok targeting isn't something that would make me worry enough to not make my password "abcdef".


Advertisers need your dna to sell products that are applicable only to certain dna. Or for higher probability (ie, Alzheimer’s genes).


The genetic data could be sold to a third-party that exists outside of any regulations. 23andme allows download of raw data. So it's not just a genetic profile.


I hate this. I hate that 2fa is becoming mandatory for more and more services because people can't be arsed to keep their passwords secure. I hate having to look at my mail to copy a stupid code every time I log into a website. Please don't do this.


Use passkeys then. Works great for me.


1) Is it free?

2) Is it supported by all websites and apps I use?

3) Is it supported by all devices I use?

Until the answer to all of those is "yes", passwords will remain superior.


To try to answer my own question, I suppose they could try detecting elevated login rates. Let's do the math:

Getting a few thousand IP addresses for a month is cost-effective for any serious business (criminal or otherwise, but especially criminals that can buy botnet access). Spreading it out over a month, you could do 0.1 logins per minute to stay under the radar and get:

0.1 × 60 minutes × 24 hours × 30.4 days/month × 1000 IP addresses = 4.4 million login attempts

> The [attackers logged in] to around 14,000 accounts using previously compromised login credentials

14k is well below 4.4M. To get that number lower than 14k (assuming they only ever use 1000 IPs), you need to ensure each IP address stays below 0.07 logins per day. Even allowing some bursting (3 attempts on some of the days), that's going to block paying customers from logging in.


- They could have used HIBP to prevent people using exposed passwords

- They could have detected elevated authorizations

- They could have forced 2FA

- They could have implemented password stuffing protection

Any security assessment would have pointed that out. In fact, when I had my own site pentested the very first time, this was exactly what was pointed out and I promptly fixed it.

But it's all moot, since the attacker used a feature of 23andme to access data on other people whose account info they did not have. And that is squarely on 23andme.


- The password may not be exposed at the time it is registered

- That doesn't work, see my sibling comment where I did the math on what authentication rate you'd need to trigger at https://news.ycombinator.com/item?id=39116531

- 2FA sounds like a good suggestion, but is bad for business so they'll never do it voluntarily (maybe now that they need to save their reputation)

- Isn't that the three above points combined? Or what does "credential stuffing protection" amount to?

---

> Any security assessment would have pointed that out.

I don't think you're familiar with security assessments

That's what I do for a living and we'd have recommended only the first one because it's a simple thing you can implement on the server. About 1 in 10 customers actually follows through on that hardening advice to some extent (e.g. by downloading a top 10k passwords list or adding zxcvbn), even fewer use a huge database like HIBP even though we recommend that.

We don't recommend 2FA for all users (only for administrative accounts) because clients never implement it. Adding suggestions that are seen as unrealistically paranoid makes the rest not being taken seriously anymore

We also don't buy a botnet and simulate credential stuffing attacks. Maybe we should, but then we'd need the customer to deploy not one staging system with two test accounts per permission level but thousands of accounts, and some way to simulate having thousands of residential IP addresses.

These things are not standard procedure and I haven't heard of any other pentest company requesting such a test setup (based on working together with other companies on one scope, chats at conferences, or looking at public pentest reports to see their setup or if they ever reported this finding)


> - Isn't that the three above points combined? Or what does "credential stuffing protection" amount to?

In our case, we track authentication attempts by IP, even successful authentications. If too many authentications come from the same IP in a short time, even over multiple accounts, we start throttling them first, then denying them. I'm in the B2B SaaS space. We know our customers, our typical load, and we have carved out exceptions for certain large clients with known IPs.
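The per-IP tracking described in this comment (count every attempt including successes, throttle first, then deny, with an allowlist for known large clients) together with the earlier point about one address touching thousands of distinct accounts, as an added example that is not the commenter's own code. The thresholds, the window size and the event stream are constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds per source IP within one sliding window.
WINDOW_SECONDS = 3600
THROTTLE_AFTER = 20           # add delay/captcha above this many attempts
DENY_AFTER = 50               # refuse outright above this many attempts
DISTINCT_ACCOUNTS_ALERT = 10  # one IP touching this many accounts is suspicious


class AuthRateTracker:
    """Sliding-window counter of authentication attempts per IP. Successful
    logins are counted too: credential stuffing mostly produces successes."""

    def __init__(self, window=WINDOW_SECONDS, allowlist=()):
        self.window = window
        self.allowlist = set(allowlist)          # e.g. a known B2B client's egress IP
        self.attempts = defaultdict(deque)       # ip -> deque of (ts, account)

    def _prune(self, ip, now):
        q = self.attempts[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record(self, ip, account, ts):
        """Record one attempt and return the action: allow, throttle or deny."""
        self._prune(ip, ts)
        q = self.attempts[ip]
        q.append((ts, account))
        if ip in self.allowlist:
            return "allow"
        if len(q) > DENY_AFTER:
            return "deny"
        if len(q) > THROTTLE_AFTER:
            return "throttle"
        return "allow"

    def distinct_accounts(self, ip, now):
        self._prune(ip, now)
        return len({acct for _, acct in self.attempts[ip]})

    def suspicious_ips(self, now):
        """IPs that spread their attempts across many different accounts."""
        return sorted(ip for ip in self.attempts
                      if self.distinct_accounts(ip, now) >= DISTINCT_ACCOUNTS_ALERT)


# Constructed event stream (timestamp, ip, account): one ordinary user and one
# address walking through 60 different accounts at one attempt per minute.
EVENTS = [(0, "198.51.100.7", "alice"), (600, "198.51.100.7", "alice")]
EVENTS += [(i * 60, "203.0.113.9", f"user{i}") for i in range(60)]
EVENTS.sort()


def run(events, allowlist=()):
    tracker = AuthRateTracker(allowlist=allowlist)
    actions = defaultdict(list)
    for ts, ip, acct in events:
        actions[ip].append(tracker.record(ip, acct, ts))
    return dict(actions), tracker.suspicious_ips(events[-1][0])


if __name__ == "__main__":
    print(run(EVENTS))
```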


Thanks, that's actually valuable to hear from someone who actually implements this!


They have to know what normal access patterns look like, and if it looks unusual send confirmation magic links as well as look into what’s causing the unusual pattern, if anything.

The data they guard is up there with banking information except it’s impossible to restore privacy, unlike funds in a bank.


What features would you include in "look like"? Saying to just look at "normal behavior" is a bit like Intel saying they solved a problem with "algorithms and code" as an explanation


They’re not customers, they’re the product.


There is a list of reasons why 23 and me sucks.

This is not one of them.



