I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:
23andMe was not hacked or breached.
Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
The attacker took the database dump to the dark web and attempted to sell the leaked info.
Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
All compromised accounts did not have MFA enabled.
Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
No data that wasn't opted into was shared.
23andMe now requires MFA on all accounts (started once they were notified of a potential issue).
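The login pattern described above (many different usernames tried from one source, with the surviving logins being accounts without MFA) is what a detection rule on the receiving site would look for. The following is an added defender-side illustration, not code from the original post or from 23andMe; the log lines, the TEST-NET addresses and the thresholds are all constructed. Because the post notes the botnet used exit nodes near each account's last known location, the check keys on username spread per source rather than on geolocation or impossible-travel logic.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): ts ip user result mfa
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL no
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL no
2023-10-01T10:00:03Z 203.0.113.7 carol FAIL no
2023-10-01T10:00:04Z 203.0.113.7 dave OK no
2023-10-01T10:00:05Z 203.0.113.7 erin FAIL no
2023-10-01T10:00:06Z 203.0.113.7 frank OK yes
2023-10-01T10:00:07Z 203.0.113.7 grace FAIL no
2023-10-01T10:00:08Z 203.0.113.7 heidi FAIL no
2023-10-01T10:05:00Z 198.51.100.4 carol FAIL no
2023-10-01T10:05:20Z 198.51.100.4 carol OK yes
"""

def parse(log):
    """Turn the space-separated log into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result, mfa = line.split()
        events.append({"ts": ts, "ip": ip, "user": user,
                       "ok": result == "OK", "mfa": mfa == "yes"})
    return events

def stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Source IPs that tried many distinct usernames with mostly failures.
    A single user mistyping a password touches one username, so it is not flagged.
    Caveat: a botnet spreads attempts over many IPs, so a real rule should also
    aggregate per ASN or per time window, not only per address (assumption)."""
    by_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if not e["ok"]:
            s["fails"] += 1
    return {ip for ip, s in by_ip.items()
            if len(s["users"]) >= min_users
            and s["fails"] / s["total"] >= min_fail_ratio}

def accounts_at_risk(events):
    """Accounts whose password was accepted from a stuffing source with no MFA step.
    frank's password was also guessed, but MFA stopped the login, so he is excluded."""
    bad = stuffing_sources(events)
    return sorted({e["user"] for e in events
                   if e["ip"] in bad and e["ok"] and not e["mfa"]})
```

Accounts returned by accounts_at_risk are the ones to force a password reset and MFA enrolment on; the ones like frank still warrant a notice that their password is known elsewhere.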
I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers.
Turns out, it is.
What should a website do when you present it with correct credentials?
23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users
I'm honestly asking what the impact to the users is from this breach. Wasn't 23andMe already free to sell or distribute this data to anybody they wanted to, without notifying the users?
Reusing credentials is their fault. Sure, 23&me should've done better, but someone was likely to get fucked, and if you're using the same password everywhere it is objectively your fault. Get a password manager, don't make the key the same compromised password, and stop being stupid.
“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”
This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account's data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.
Gentle reminder to plop your email address in here and see if you, much like 14,000 23andMe users, have had an account compromised somewhere. Enable two-factor where you can and don't reuse passwords.
Well, it's also their fault for falling for 23andMe because it's basically a scam. The data is originally self-selected data sets; then correlating a few markers tested once, to match you to their arbitrary groups, isn't exactly how genetics work is done.
It's actually cheap as, maybe cheaper, to get 50x full genome sequencing from a company that actually doesn't sell your data; whereas 23andMe's business model was running a few marker tests to appease their audience, whom they kept in the dark about how modern genetics works, then keeping the same samples for full genome sequencing later, because that shit only gets more valuable over time.
It's what makes genetics weird. A sample taken 10 years ago will reveal so much more about you 5 years from now, like massively more.
I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.
I wonder if they can identify a genetic predisposition that these patients had that made them more prone to compromising their passwords? And then if so, was it REALLY their fault?
I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.
“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.
In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.
The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords.
23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.
Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving,” and “a desperate attempt” to protect itself and deter customers from going after the company.
The original article contains 721 words, the summary contains 184 words. Saved 74%. I'm a bot and I'm open source!
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.
From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.
I knew better than to give these companies my DNA, but of course I've had family give it to them. I suppose if I was wanted for an unsolved murder I'd be a bit concerned, but I'm still not happy that anyone's DNA is compromised that I'm associated with.
The question to me is what's the play with that data. I'd assume they would have a use for it if they went to the trouble of stealing it. I suspect in the future this will be lucrative data, but what's the play right now??
In a way, it kind of is their fault for trusting companies like this in the first place. I'd never consider using companies like this and both think and hope none of my family members would either.
Obviously, the breach is the company being incompetent like many companies are when it comes to security.
"It's your fault that our poor security practices allowed hackers to get your data, maybe you shouldn't have given us your DNA in the first place!" - 23andMe
If you are dumb enough to send your DNA to a company that keeps it in a database forever, and often shares it with governments to make relationship maps and population control, you deserve everything.