We’ve got an update on 23andMe and it’s still not great over there

In this blog post I talked about what we had discussed via Throwback on that week’s show, as well as bringing up two articles about the company possibly getting owned.

In a more recent post this month, we found the article “23andMe admits hackers accessed 6.9 million users’ DNA Relatives data” (The Verge), which means that this will get quite interesting.

5.8 million of them belonged to the service that allowed users to see who was related to whom, while the rest were just credential stuffed.

It can’t be overstated why it is a bad idea to use the same password on different sites.

23andMe continues to state that it was not itself breached, and affected users are now being notified.

I would read the latest article to see what you need to know.

Please stay safe. Let’s break down several paragraphs of the article. We left other parts out, so read the full article at its link.

23andMe confirmed that a recent breach leaked data belonging to 6.9 million users. In an emailed statement to The Verge, company spokesperson Andy Kill says the breach affected around 5.5 million users who had DNA Relatives enabled, a feature that matches users with similar genetic makeups, while an additional 1.4 million people had their family tree profiles accessed.

Skipping some parts of the article, one paragraph states:

“We still do not have any indication that there has been a data security incident within our systems”

This might be good news, but you’re two months into this investigation, yet we really still don’t know much.

The first public signs of trouble appeared in October when 23andMe confirmed user information was up for sale on the dark web. The genetic testing site later said it was investigating a hacker’s claims that they leaked 4 million genetic profiles from people in Great Britain and “the wealthiest people living in the U.S. and Western Europe.”

And? How do you actually know they’re wealthy or not? That’s very interesting I must say.

To add insult to injury:

The 5.5 million DNA Relatives profiles leaked included users who weren’t a part of the initial credential stuffing attack. The data revealed includes things like display names, predicted relationships with others, the amount of DNA users share with matches, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, and more.

So … what the hell does this mean? That data could only be accessed if the systems were accessed, especially to get something like a display name. This is not making sense.

The article continues:

The remaining 1.4 million users who also participated in the DNA Relatives feature had their family tree profiles accessed. This feature similarly includes display names, relationship labels, birth year, and self-reported locations. It doesn’t include the percentage of DNA shared with potential relatives on the site or matching DNA segments. 23andMe says it’s still in the process of notifying users affected by the breach. It has also started warning users to reset their passwords and now requires two-step verification for new and existing users, which previously was optional.

Question. With that last paragraph, how the hell could you not have anything but two-factor authentication turned on as part of your service? This is a very sensitive service in my opinion. You send this company DNA samples so they could find relatives and other people similar to you that might be related in some way. I just don’t understand why this was “optional” (in quotes) before and now you’re requiring it.

This is just a boggling story, and I’m sure we’re going to learn more. Stay tuned, folks!
