12mo ago

23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits

www.wired.com 23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits

Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits::Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

27 comments

They're not wrong, this is because of users re-using passwords and an unrelated hacked database being used to brute-force access to 23andMe by checking to see if users re-used passwords. Shocker, they did.
I'll ask a question: What is a security system supposed to do when provided with the correct login credentials?
Hopefully it will inspire more companies to force 2FA, like 23andMe is doing now. That's honestly the biggest part that is their own fault, not forcing MFA from the get-go on their customer base.
- The real issue was the DNA Relatives feature, which allowed information to be shared with other users in the platform. From this TechCrunch article
  by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked
  There are 6.9 million people who could have been using 2FA and unique passwords, and their personal information was scrapped just because of 14k accounts which were reusing passwords.
  
  This data of 6.9M users was not private anyways after these users opted into the program. It's really not a leak.
  
  If I give my credit card to my sister, and she drops it, that's not MasterCard's fault. If they were very concerned, they should've made sure their relatives were trustworthy.
  
  DNA Relatives was an opt-in program, so you had to choose to share your data. To their knowledge, they were data-sharing with their relatives.
  Once again, what is a system supposed to do when given the correct login credentials?
  Because this is normal behavior when logged in with correct credentials.
- There are some pretty basic things you can do to stop brute force attacks like putting a limit on failed login attempts which 23andme did not have. The issue is that those accounts almost certainly had multiple failed login attempts from places that should have flagged the login.
  You ask what a security system is supposed to do when provided with the correct login. That is just the beginning of basic security. If someone consistently logs in from an IP address in one region and then all of a sudden has a couple failed logins from Russia and also one successful one from there, would you say a good security system shouldn't flag that? If a bank allowed your debit card to be used in a country you have never been to before when you seem to have just used it where you normally do, would you be fine with them not freezing your card?
  As for MFA, last I checked, they still did not require it. It was recommended but not required.
  And let's not forget that they changed the terms of service so you could not sue over shit like this in the future. You had 60 days to reject the new terms of service which you did by sending an email. The email address in the emailed instructions was different than the one in the legal document that was attached.
  
  My understanding is that the failed logins where properly locked out like you describe. Passwords were leaked from other sites, so it was people reusing passwords that allowed the beach into 23 and me. Sounds like the users' fault to me.
  
  The guy said brute force but meant credential stuffing.
  Basically using an army of remote compromised devices to use known user name password combinations. If they used the same email and password that was found on another compromise, then their account would successfully be logged in first try from a unique ip each time.
- I'm downvoting you even though I believe the users are negligent and partially to blame here. However, does the site not lock log in attempts after the first 10 login attempts or something? At this point, something so sensitive like ancestry and health information should be mfa required at the bare minimum a phone number 2fa would help a bit.
  
  Not sure of this specific case, but typical brute force attacks are done locally on the database that was acquired from the breach, not on the site itself. This way lockouts aren’t an issue.
  
  However, does the site not lock log in attempts after the first 10 login attempts or something?
  They had accurate credentials. They didn't hit a login wall because people were re-using their passwords. They hit a login-wall for people who didn't re-use their passwords. They got accurate credentials from an unrelated hack, from people re-using passwords. How many times does a system "block" you when you have the right username and password the first time?? Zero, I'm pretty fucksure.
  (Also, it's usually more like three attempts.)
  I am very confused at what people think computers are supposed to do when given the correct login information? The point of login information is to prove who you are. If you have the correct information, the computer cannot know who is behind the keyboard.
  At this point, something so sensitive like ancestry and health information should be mfa required at the bare minimum a phone number 2fa would help a bit.
  On this point, I agree. 23andMe seems to now as well, considering they just rolled out required MFA for all their users. However, we live in a world basically zero data privacy laws in the US. The US can't even fucking pass a budget, so good luck waiting on privacy laws. You want that kind of consideration, you gotta move to Europe.
  Like 23andMe, companies don't really care until something has already happened, since there isn't legislation forcing them to care.
  Finally, phone 2FA is garbage that can be intercepted. It shouldn't be used. The fact that it's still the default means this won't be the end of data breaches. People need to embrace security keys like YubiKey.
- Right, and what about the people who didn't reuse passwords whose information was stolen?
  Just fuck them?
  Did you think about this at all before you typed out that ridiculous comment?
- You can also monitor your system for known compromised credentials and expire them. Not foolproof but it catches the low hanging fruit.
- What is a security system supposed to do when provided with the correct login credentials?
  I'm gonna go with not give that user access to millions of other users' personal information...
  I get your point and agree, but having a valid login shouldn't provide that kind of access.
  
  What? Unless I missed something, it gave access to individual accounts not master access?
- I mostly agree. One thing they could have done to mitigate some of it is bar the user from creating a password that is one of the most commonly used 1 million passwords, or 10,000, etc to mitigate users using commonly used passwords that they might have used elsewhere.
  Most commonly used password lists: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials

Does 23andMe even have 2FA?

27 comments