Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • @TheEighthDoctor
    link
    English
    1911 months ago

    And I agree with them, I mean 23andMe should have a brute-force resistant login implementation and 2FA, but you know that when you create an account.

    If you are reusing creds you should expect to be compromised pretty easily.

    • Max-P
      link
      fedilink
      English
      31
      edit-2
      11 months ago

      A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem.

      Edit: so people stop asking, here’s their docs on DNA relatives: https://customercare.23andme.com/hc/en-us/articles/212170838

      Showing your genetic ancestry results makes select information available to your matches in DNA Relatives

      It clearly says select information, which one could reasonably assume is protecting of your privacy. All the reports seem to imply the hackers got access to much more than just the couple fun numbers the UI shows you.

      At minimum I hold them responsible for not thinking this feature through enough that it could be used for racial profiling. That’s the equivalent of being searchable on Facebook but they didn’t think to not make your email, location and phone number available to everyone who searches for you. I want to be discoverable by my friends and family but I’m not intending to make more than my name and picture available.

      • @givesomefucks
        link
        English
        17
        edit-2
        11 months ago

        A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem

        I mean…

        You volunteered to share your info with that person.

        And that person reused a email/password that was compromised.

        How can 23andme prevent that?

        It sucks, but it’s the fault of your relative that you entrusted with access to your information.

        No different than if you handed them a hardcopy and they left it on the table of McDonald’s .

        Quick edit:

        It sounds like you think your account would be compromised, that’s not what happened. Only info you shared with the compromised relative becomes compromised. They don’t magically get your password.

        But you still choose to make it accessible to that relatives account by accepting their request to share

          • Zoolander
            link
            English
            611 months ago

            No.

            See… it’s that easy.

            • @[email protected]
              link
              fedilink
              English
              111 months ago

              Ok, who else would be able to give me your personal information. I’ll go get it from them instead.

              • Zoolander
                link
                English
                611 months ago

                Your mom has my contact information. You can ask her.

                /pwn3d.

                • @[email protected]
                  link
                  fedilink
                  English
                  -611 months ago

                  Oh, so you’re actually not consenting to have some personal information you’ve given to family given to me as well? Odd, you sure seemed ok when it was people having their information snagged from 23andMe.

                  • Zoolander
                    link
                    English
                    311 months ago

                    No, but I didn’t consent to give that info to family either. If I was worried about my data getting in the hands of strangers, I wouldn’t have shared it with strangers which is what happened here. Unless you count a 4th cousin that you’ve never met “family”, why would you give them access to your data?

              • capital
                link
                English
                211 months ago

                And that’s exactly how the attackers got in in the first place lol.

                The ding dongs used the same creds elsewhere which were leaked.

      • Zoolander
        link
        English
        1311 months ago

        I doesn’t. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member’s account and their account getting accessed because their banking password was “Password1” or their PIN was “1234”.

      • @[email protected]
        link
        fedilink
        English
        1311 months ago

        Yep it was 14,000 that were hacked, the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe’s response is what to expect since companies will never put their customers safety ahead of their profits.

      • @douglasg14b
        link
        English
        1011 months ago

        So if you enabled a setting that is opt-in only that allows sharing data between accounts and you are surprised that data was shared between accounts how is that not your fault?

      • Eager Eagle
        link
        English
        911 months ago

        afaik there was no breach of private data, only the kind of data shared to find relatives, which is opt-in and obviously not private to anyone who has seen how this service works. In other words, the only data “leaked” was the kind of data that was already shared with other 23andMe users.

        • Hegar
          link
          fedilink
          -211 months ago

          Name, sex and ancestry were sold on the dark web, that’s a breach of private data.

          The feature that lets a hacker see 500 other people’s personal information when they hack an account is obviously a massive security risk. Especially if you run a single use service - no one updates their password on a site they don’t use anymore.

          Launching the feature in the first place made this inevitable.

          • Eager Eagle
            link
            English
            3
            edit-2
            11 months ago

            Name, sex and ancestry were sold on the dark web, that’s a breach of private data.

            It would be a breach if the data was private, but the feature itself exposes this data. That would be like presenting a concert to hundreds of people then complaining your facial attributes were leaked in social media.

      • @TORFdot0
        link
        English
        811 months ago

        You shouldn’t have shared your information with someone who is untrustworthy then. Data sharing is opt-in.

        • Hegar
          link
          fedilink
          -111 months ago

          Credential stuffing attacks will always yield results on a single use website because no one changes passwords on a site they don’t use anymore.

          Launching a feature that enables an inevitable attack to access 500 other people’s info is very clearly the fault of the company who launched the feature.

      • capital
        link
        English
        611 months ago

        How do you and the surprising number of people who upvoted you want options on websites to work?

        These people opted into information sharing.

        When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

        Wtf?

      • @AbouBenAdhem
        link
        English
        5
        edit-2
        11 months ago

        Even if you didn’t reuse a compromised password yourself, the fact that your relatives did indicates that you’re genetically predisposed to bad security practices. /s

      • @jimbo
        link
        English
        2
        edit-2
        10 months ago

        deleted by creator

    • @rockSlayer
      link
      English
      -2
      edit-2
      11 months ago

      Is it also the User’s fault for the 6,898,600 people that didn’t reuse a password and were still breached?

      • @[email protected]
        link
        fedilink
        English
        811 months ago

        Yes, because you have to choose to share that data with other people. 23andMe isn’t responsible if grandma uses the same password for every site.

        • @rockSlayer
          link
          English
          -311 months ago

          23andMe is responsible for sandboxing that data, however. Which they obviously didn’t do.

            • @rockSlayer
              link
              English
              011 months ago

              You opt in to share your data with Facebook. Would you still consider it an issue if your data was breached because someone else’s account was hacked?

              • @[email protected]
                link
                fedilink
                English
                411 months ago

                I would consider normal that my photos that I only share with some people were leaked if one of those people’s accounts got hacked.

              • @jimbo
                link
                English
                2
                edit-2
                10 months ago

                deleted by creator

              • JohnEdwa
                link
                fedilink
                English
                1
                edit-2
                11 months ago

                If you share your nudes with the “friends only” privacy settings on facebook, and someone else accesses one of your friends accounts because they reused their password and proceeds to leak those photos, is it the fault of Facebook, your friend, the person leaking them, or you?

                Because that is exactly what happened here. Credit stuffing reused passwords and scraping opt-in “friends only” shared data between accounts.

                • @rockSlayer
                  link
                  English
                  011 months ago

                  Private health data was compromised as well, on a smaller scale. It doesn’t make sense to blame users for a security breach of a corporation, literally ever. That’s my point. The friend was dumb, and you shared something maybe you shouldn’t have. But that doesn’t also absolve the company of poor security practices. I very strongly doubt that 14,000 people knew or consciously chose to directly share with a collective 7 million people.

                  • JohnEdwa
                    link
                    fedilink
                    English
                    3
                    edit-2
                    11 months ago

                    But they did. All 7 million of them - that’s why their data was visible for those 14000.

                    As it says in the article:

                    From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

                    Here’s what each and every one of those 7 million people opted in and agreed to:

                    https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics

          • @[email protected]
            link
            fedilink
            English
            411 months ago

            Did you not read my comment? Users opt in to sharing data with other accounts, which means if one account is compromised, then every account that allowed them access would have their data compromised too. That’s not on the company, because they feature can’t work without allowing access.

      • Zoolander
        link
        English
        611 months ago

        They weren’t breached. The data they willingly shared with the compromised accounts was available to the people that compromised them.

        • @SpaceNoodle
          link
          English
          -611 months ago

          Pretty sure nobody clicked a button that said “share my data with compromised accounts.”

          • Zoolander
            link
            English
            411 months ago

            There was a button that said “share my data with this account”. If that person went and shared that info publicly, how is that any different? The accounts accessed with accessed with valid credentials through the normal login process. They weren’t “breached” or “hacked”.