23andMe says it’s not a breach—just credential stuffing. I’m not so sure.
Hackers claim to have the DNA of 20 million people, stolen from the genetic testing company 23andMe (NASDAQ:ME). The firm’s PR spin implies it’s the users’ fault for not using unique passwords—but is that fair?
No, of course it isn’t. In today’s SB Blogwatch, we blame the company for not preventing this huge leak.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jellohead.
DNA: Do Not Agree
What’s the craic? Bill Toulas broke the story—“23andMe says user data stolen”:
“Recycled login credentials”
23andMe has confirmed … user data from its platform [is] circulating on hacker forums. … 23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.
…
A 23andMe spokesperson confirmed … the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data: … “We do not have any indication … there has been a data security incident within our systems. … Rather, the preliminary results … suggest that the login credentials used in these access attempts may have been gathered … during incidents involving other online platforms, where users have recycled login credentials.”
Really though? It seems like a pretty huge leak for a mere credential stuffing attack. Hey, Lily Hay Newman? “23andMe User Data Stolen”:
“DNA Relatives”
Attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives.
…
A spokesperson for the company [said] the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed … the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.
But not a “breach”—in the sense that 23andMe wasn’t hacked? somsak2 rejects the company PR spin:
23andMe should have done better here. Why are you letting people log into an account from a brand-new IP with no additional verification? You have their email, you could have at least done 2FA with that.
…
CAPTCHA would have also made this slower / more expensive. At my employer, we use both. … For such a mature business (that is publicly-traded, no less) it is shameful to allow credential stuffing on the scale of millions of accounts.
Federal GDPR now? u/Aurongel wishes it were so:
As someone who works in cybersecurity, it’s appalling how little energy there is in the United States for a GDPR equivalent here. Our solution to this is an extremely fragmented approach that will always leave gaps and holes.
…
The power and moral implications of harnessing private user data is a nebulous topic that is impossible to sell to American voters who are already preoccupied with divisive culture war nonsense. … In 50 years I think we’ll retrospectively view this period as an immoral corporate rush on private information that enriched a few powerful entities at the expense of private citizens.
If only someone had warned us! Ahem, Caroline Orr Bueno clears her throat ostentatiously:
This follows several years of warnings about the potential vulnerabilities and risks associated with direct to consumer genetic testing companies like 23andMe. In 2019, for example, the Pentagon sounded the alarm over home DNA kits, citing concerns that “outside parties are exploiting the use of genetic materials for questionable purposes,” including mass surveillance & unauthorized tracking.
Let the victim blaming begin. A slightly sarcastic Rosco P. Coltrane pictures the scene:
“Hey! I’m gonna ask this US company to analyze my DNA! It’s totally safe because companies today are not at all known for violating people’s privacy and monetizing people’s data. And it’s not like DNA is your most intimate dataset. And US companies specifically are not at all known for collaborating with overreaching law enforcement and barely constitutional state agencies.”
…
Why would anybody send 23andMe their DNA? … Why anybody with any sense of self-preservation would send their DNA to be analyzed by a private US for-profit is totally beyond me.
Happy you didn’t use 23andMe? TedDoesntTalk is glad of their tinfoil hat:
Glad I used 23andMe with a fake name and UPS PO Box [and] prepaid Visa that I bought with cash at the supermarket. It’s a lot of work but it worked.
Perhaps you’re a victim even if you didn’t use it? Here’s an insightful u/tektite:
I would never use the service, but both my parents have so it’s a moot point.
Meanwhile, zeiche spots something missing from the PR spin:
Just one question: All I want to know is if 23andMe takes their customers’ privacy seriously.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: thavis.com (via Unsplash; leveled and cropped)
Recent Articles By Author
Richi Jennings 23andMe, Compromised Credential, compromised credentials, compromised credentials monitoring, Credential Compromise, Credential Management and Enforcement for ICS/SCADA environments, credential replay attacks, credential reuse, credential stuffing, credential stuffing attack, Credential Stuffing Attacks, DEVOPS, DevSecOps, DNA, GDPR, iam, password reuse, pii, PII Leakage, SB Blogwatch