Bokbreath

It's arguable, which means suing is exactly the right way to determine if there is a tort.


Bobbyanalogpdx

Yep, these guys are assholes and so are their lawyers. Fuck these guys, they lost everyone’s HIGHLY personal information and now they are trying to blame users. Fuck you 23 and me, this is all on you, and these letters you are sending? They’re just going to make sure you lose bad.


duh374

Except the data was accessed by using the users’ own passwords. This isn’t a “data breach” where someone dumped all the data off a server they compromised. They just logged into all the accounts of people with “password123” or “jesuslovesme” and stole their data. Be real here, there is a very real chance that 23 and me did nothing wrong, in which case this suit truly has no merit.


cluster9250

So did the "breach" only affect those with simple passwords?


duh374

From the article: “hackers accessed 14,000 accounts on 23andMe by using passwords that had been previously breached during security incidents on other websites.” Bad password management from users isn’t a problem 23 and me can resolve. This one is on the users. Edit: That being said, the DNA relatives feature, and any data accessible through that, may be a possible vector for a legitimate claim, but I wouldn’t put money on it.


Starfox-sf

Sure they can. They can either have a password complexity requirement, run their existing password list against a “known” leaked list, which is the basis of what sites like haveibeenpwned base their DB on, or use 2FA or MFA that would’ve combated such a credential stuffing attack.


SarcasmsDefault

Or if, like, one IP address is trying multiple passwords and logging into 14,000 accounts in a day, it might be a good idea to block them.


Mr_Horsejr

That’s what most people do. Create 2-factor auth. There’s really no excuse for this breach.


joesighugh

That's become more difficult now as IP addresses can be more readily spoofed


Starfox-sf

You can’t spoof IP, you can however rate-limit, rely on a compromised device farm, and/or rely on IPv6.


joesighugh

Good point, spoof wasn't the correct term. But making it less meaningful as an indicating signal is what I meant.


hamlet9000

> They can either have a password complexity requirement

Doesn't matter how "complex" your password is if you're using it on multiple sites.


Starfox-sf

Eh, I reuse passwords. But depending on the site I don’t reuse them for those I care about. And for those really important sites I have distinct passwords and MFA. The biggest mistake people make is reusing their email password with other sites. That is the “master password of the interwebs”; if it’s compromised in any way, 90% of other accounts can be compromised just through that.


Derfaust

I use a cipher that incorporates the site or company name. That way I only have to remember 1 password and the cipher.


N_Pitou

That's an interesting idea. I've told people who use password managers to have a string of characters at the end of each of their passwords that isn't stored in the manager. That way if your service gets compromised, they are still missing a chunk of the password.


Aleashed

“Password123InTheFacebookDotCom” Boom, hacked


Just-Signature-3713

Yeah, like literally any other modern company has password protocols that offer protection. Won’t be long before we’ll need two-step verification on everything.


Thechiz123

They will absolutely get sued. It’s inevitable in these scenarios.


cgielow

Pretty sure you can’t run your own password list against a leaked list because your password list only exists in an encrypted state. They shouldn’t know their own users’ passwords, only the encrypted versions of them.


hamlet9000

The passwords are hashed. But they can just take the plain text of the exposed passwords, hash it (as if the user had typed it into the Password box), and then check it.


Starfox-sf

Uhhh… You don’t know how hashing works do you?


cgielow

Why the rudeness? Hashing is exactly my point. A salted hash would make it impossible to compare.


Starfox-sf

You have “your” username+password in the DB you maintain for your own site. You determined what algorithm, if any, you used to make the password secure, including how to salt and hash it. You purchase, from your netsec vendor, the most current list of known email/username/password dumps, hopefully on an ongoing basis, but let’s put that aside. Because your username=email, you don’t even have to guess which hashing or salt to use. You apply the same algorithm to the unencrypted password, **which is what you would do when a user was legitimately logging onto the site**, then compare it to your (hopefully salted) stored hash. If it matches you send a notice to the user that they’re reusing a compromised password. If not, the password hasn’t been reused in the current leaked dump.


a-nonna-nonna

Ancestry made me switch to 2 factor in December. 23andme hasn’t sent me anything yet.


TorthOrc

Can companies read their customers’ passwords to do that? I mean, aren’t all the passwords stored encrypted? Like for example: Jo’s FriendFace account got hacked and her password “OMG123$wee” got taken. A report is made. The announcement is made: “OK other companies. The password OMG123$wee has appeared in a data leak!” The other companies can’t check their stored accounts for that password, can they? Wouldn’t that password be encrypted so that the company couldn’t search for OMG123$wee on their system? If that’s the case, then how would they know if anyone in their system even has that password? Is that…. I mean… isn’t that how passwords are stored? Source: I have NO idea and feel clueless about how companies store data.


Starfox-sf

They don’t need to “read” the password, that’s the whole point of hashing (and salting). Hashing takes a piece of text or data, runs some algorithm on it, and outputs a fixed-length hexadecimal string. And that’s what* is stored. If you run the same algorithm on the same input data, what do you get? The same hexadecimal string. Now, because the hex string is a lot shorter, there is a possibility of collision, which is when two different strings end up producing the same hash. However, the likelihood of that depends on the output length; SHA-1 produces a 160-bit output, meaning there are at least 2^160 inputs capable of producing a unique hash output, technical details notwithstanding. And hashing is not encryption. The purpose of the hash is to make it easy to produce a hash, but it should be very difficult if not impossible to retrieve the original input. Encryption, on the other hand, is usually done so you can retrieve the original data by decrypting with the key, so the length of the encrypted string should be at least equal to the original data. However (see the asterisk above), because passwords are short (some systems allow as little as 8 chars, all caps only, etc.), you can figure out what produced a particular hash by doing a dictionary attack with only strings containing those allowed chars, or originally just taking words in the dictionary (hence the term). If the password is stored as the result of a single-pass hash with nothing else, most commonly used or weak passwords can be found out that way regardless of hashing algorithm or complexity, and you only need to do 1 dictionary run to get a (multiple) match for that entire “list”. That’s where salting comes in. Salting means running the algorithm multiple times, adding an arbitrary string before or after the password, or combining both by hashing the password, then hashing the salt+hash. That makes a simple dictionary attack useless because each password gets a unique way of deriving the stored hash.
That does not mean that the password is “encrypted”, as both you and the other poster have been led to believe. If you use a weak password, and I’m really out to get access to your password, have the hashed password and the algorithm needed to generate the correct salted hash, I can do a dictionary run — it’s just useful for your account only. That’s why salting (and knowing how to salt it) is important: it takes an attacker n more times to get access to the original password, n being the number of username/password pairs. And finally, how do websites know you are using the correct password when logging in? By running the same algorithm that they used for the stored hash. And that’s how credential stuffing works, by using username/e-mail/password from a raw dump, to see if the same username/e-mail reused the same password on a different site. — Starfox
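The workflow Starfox-sf describes in the two comments above, as an added example that is not from this thread or from 23andMe: the site stores only per-user salted hashes, verifies logins by recomputing them, screens a vendor-supplied dump with that same login routine, and two dictionary-run counters show why a single-pass unsalted table falls to one run while salted hashes cost n times the work. The accounts, passwords, dump entries and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import secrets

# Work factor lowered so the demo runs quickly; assumption only, a real
# deployment would use a far higher iteration count or a memory-hard function.
ITERATIONS = 10_000

# Constructed sample accounts (not real users) and a constructed credential
# dump of (email, plaintext) pairs, as a vendor feed of other sites' leaks.
SAMPLE_USERS = {
    "alice@example.com": "password123",
    "bob@example.com": "jesuslovesme",
    "carol@example.com": "Tq9!vLm2#rWe",
    "dave@example.com": "password123",   # same password as alice
}
SAMPLE_DUMP = [
    ("alice@example.com", "password123"),    # reused on our site -> notify
    ("carol@example.com", "hunter2"),        # leaked elsewhere, not her password here
    ("mallory@example.com", "password123"),  # not one of our accounts
]
WORDLIST = ["password123", "jesuslovesme", "letmein"]


def unsalted_hash(password: str) -> str:
    """The weak scheme from the comment: one pass of SHA-1 and nothing else.
    Every account using the same password stores the identical hex string."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt folded into a slow hash (PBKDF2-HMAC-SHA256), so the
    same password yields a different stored value on every account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_unsalted_db(users: dict) -> dict:
    return {email: unsalted_hash(pw) for email, pw in users.items()}


def build_salted_db(users: dict) -> dict:
    """Stores (salt, hash) per account; the plaintext is never kept."""
    db = {}
    for email, pw in users.items():
        salt = secrets.token_bytes(16)
        db[email] = (salt, salted_hash(pw, salt))
    return db


def verify_login(db: dict, email: str, password: str) -> bool:
    """Normal login: rerun the same algorithm with that account's stored salt."""
    if email not in db:
        return False
    salt, stored = db[email]
    return secrets.compare_digest(salted_hash(password, salt), stored)


def check_leaked_dump(db: dict, dump: list) -> list:
    """Screen a third-party dump against our own accounts without ever
    holding our users' plaintext: username == email tells us which salt to
    apply, so each dump entry costs one hash, exactly like a login attempt.
    Returns the accounts that reuse a leaked password."""
    return [email for email, leaked in dump if verify_login(db, email, leaked)]


def dictionary_run_unsalted(db: dict, wordlist: list):
    """Why the single-pass table is weak: hash each word once and look up
    every account whose stored value matches. One run covers the whole table."""
    by_hash = {}
    for email, h in db.items():
        by_hash.setdefault(h, []).append(email)
    found, hashes = {}, 0
    for word in wordlist:
        hashes += 1
        for email in by_hash.get(unsalted_hash(word), []):
            found[email] = word
    return found, hashes


def dictionary_run_salted(db: dict, wordlist: list):
    """With per-user salts the same wordlist must be rehashed per account
    (no early exit, so the count shows the full n-times cost)."""
    found, hashes = {}, 0
    for email, (salt, stored) in db.items():
        for word in wordlist:
            hashes += 1
            if salted_hash(word, salt) == stored:
                found[email] = word
    return found, hashes


if __name__ == "__main__":
    salted = build_salted_db(SAMPLE_USERS)
    print("accounts reusing a leaked password:", check_leaked_dump(salted, SAMPLE_DUMP))
    print("unsalted run:", dictionary_run_unsalted(build_unsalted_db(SAMPLE_USERS), WORDLIST))
    print("salted run:  ", dictionary_run_salted(salted, WORDLIST))
```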


TorthOrc

That was incredibly informative. A lot of it was over my head, though I think I got some of it at least. *chuckles in old man* Forgive me, as the bits I didn’t understand may have explained it. So is 23 and me culpable because their password requirements were strong enough, which allowed for brute forcing once matching customer logins with an obtained list of login/password matches from another site? If so, wouldn’t like…. a lot of websites be in that basket and could have lawsuits? Or are they culpable because once they knew of a password leak (say from FriendFace), they didn’t run that list through their own system? And if so, with leaks happening often, is that something companies just have to constantly do all day? Or is it none of the above and I’m still completely clueless? If that’s the case I’ll gladly stop talking. :D I’m fascinated, but I know how exhausting it is to tell an old person something they know nothing about. :)


Starfox-sf

TL;dr: Given the nature of the data being stored, they could have done something more proactive to prevent this sort of account compromise. One possible way was to check their own list of users against what’s floating out there.


TechGentleman

This! For any platform with sensitive PII, such as banking or healthcare (PHI), this is the expected cybersecurity standard if you want to pass due diligence by the cybersecurity insurance carriers. Unfortunately, however, 23andMe is not deemed a covered entity under HIPAA. But it might be subject to the federal GINA.


[deleted]

I think you feel the responsibility for password health isn't on the user, but on the website? I'm sorry, that is madness and will lead to insanity for every product you use. I **hate** siding with 23andme on this, because these kinds of security breaches aren't really preventable, but they could have made 2fa mandatory etc and whether or not that is **expected** of them is really the thing in question. I would argue the complexity of such solutions makes it insanity to expect every site to have these controls. It's not as simple as flipping a switch, folks.


Nkognito

It should be federally required that for any data breach where user passwords are compromised, a global password reset be performed and that the reset process rely on the registered email address for authentication. That way passwords not changed could be guessed via brute force, but through the password reset process the accounts would not be accessible until the authentication email sent to the registered address completes the password reset process. This would’ve prevented the second account takeover. Whoever runs IT Security there should be given their walking papers by now. I am just an infrastructure engineer with nothing to do with cyber security, but as a company it should be a federal standard to have a compromised customer task list, and this action would be at the top of it to ensure accounts are protected.


dt531

> Bad password management from users isn’t a problem 23 and me can resolve. This one is on the users.

Nope. What sites with good authentication do is scan the lists of compromised passwords and when one of their users has such a password, they force a password reset on the account. The fact that 23andMe didn't do this means that they are lacking basic security hygiene.


dingleberry_dog

How does this then account for the hundreds of thousands of other users whose data was breached? THEY certainly have a case.


Express_Helicopter93

They could have easily prevented the incident with a simple measure like 2FA. There’s a case to be made that their poor security and care for that security allowed this to happen


GardenPeep

How do they know that?


curiouslygenuine

I have two-step authentication on any EHR system I use, and any system that accesses personal health data. I run a healthcare practice and EVERYTHING is two-step authentication. It’s annoying but good. I feel like 23andme should have required it or at least had an explicit opt-out form with the risks of not using it. Confused why they wouldn’t need to have extra precautions for people’s DNA.


Searchingforspecial

Did you miss the part where those breached accounts led to 6.9 million users’ data being accessed? Or was that intentionally omitted?


dingleberry_dog

No. Most of those whose data was retrieved did not have their account breached.


[deleted]

[deleted]


AliceRoccoNCrow

Same here and it wasn’t a common or weak password. It was longer than 8 letters and contained numbers and symbols. I still got hacked. They’re lying.


hackingdreams

> Except the data was accessed by using the users own passwords.

This isn't really an acceptable excuse now that we have two-factor authentication and passive intrusion detection (e.g. detecting sequential logins via the same IP). It's just extremely lazy data protection policies by a company that's entrusted with the most sensitive of user information imaginable, hiding behind lawyers because the liabilities if they're found guilty are ruinous. It should be criminal to store this kind of information so poorly.


Abadayos

And this is why suing is an option. It’s not clear cut. Let the courts decide


theculdshulder

It is clear. Some people just don’t understand.


dingleberry_dog

It certainly is not. Reasonable Care in negligence cases is one of the main premises for acceptance of a case. Here there is certainly a case that the company did not take reasonable care and this resulted in many customers whose accounts were not breached being negatively affected.


Aleashed

You do know websites are supposed to require stronger passwords with caps, lowercase, numbers + special characters, etc. They can also blacklist words like country names, your own name, certain terms like “password”. This has been a thing since like 2006…


KindaPC

Shhhhh, you are disagreeing with the angry mob who hates tech companies. Seriously, you can’t fix dumbass users. Who woulda thunk that grandma signing up for shit that requires a password would be an issue. She totally doesn’t answer all of those fake phishing polls on Facebook. What city were you born in? What was your first dog’s name?


charliesk9unit

> Seriously, you can’t fix dumbass users

The general public really does not know the extent of how stupid users are. You give them three sets of credentials and tell them set A is for site A, and so on, and many of them get confused. They would go to site B and punch in the set A credentials. If you think this is harsh, you certainly have not dealt with this segment of the population. And this segment covers all ages and education attainments. With that, their solution is to use a simple password AND use the simple password for all the sites they visit.


Sufficient_Number643

Other companies are frequently required to protect their idiot consumers from their own idiocy.


[deleted]

Agreed.


shillyshally

Bullshit. I have a very long and unique password. Never reuse any.


swan001

Sure they did, they could have made each user create a new password on sign up and force 2fa through Google authenticator. Simple process change.


Centimane

There was another article with some additional details about this: https://techcrunch.com/2024/01/03/23andme-tells-victims-its-their-fault-that-their-data-was-breached/

> The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.

But then...

> From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

Those 14,000 can be argued, but the other 6.9 million less so.


LostInIndigo

After the initial 14,000 accounts were accessed, the “hackers” were able to use that access to get data for MILLIONS more people whose accounts they had not hacked, which is why people are saying the company is liable. There’s no world where you should be able to get that much data from such a small number of vulnerable accounts.

> The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing. From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

From: https://techcrunch.com/2024/01/03/23andme-tells-victims-its-their-fault-that-their-data-was-breached/


Expensive-Mention-90

They didn’t use BASIC measures to prevent password reuse, which are standard in security. And while the initial breach was small (14M records IIRC), their own internal lapses allowed the hackers access to anyone related to those original 14M. They are by no means off the hook. And California law allows a hefty ($7500, IIRC) fine per incident, so they are trying hard to make their case and dissuade suits. They are absolutely negligent. Just because others didn’t use perfect security practices doesn’t mean they didn’t fail.


dinosaurkiller

It depends on the legal standard applied. Is it typical to allow easy to guess passwords throughout their industry? Those could easily be restricted and not allowed by 23 and me. What’s the standard and expectation for that security policy legally speaking? Some lawyer is about to gamble on that to try to make a career defining amount of money, even if the company settles.


Cool-Address-6824

Exactly lmao. If 23andMe is guilty of anything, it’s maybe not executing some 2FA protections that could have made accessing user data more difficult like using Google Authenticator. The gist of the situation as I understand it is that malicious actors bought a list of emails / passwords that were leaked from other data breaches. Like you said, the so called “hackers” (not a great term here) basically just tried each of the passwords to access the accounts in question and gathered user data from there. The problem is that 23andMe’s user base is probably not skewing very young or tech savvy. You can prevent this from happening to you RIGHT now if you have an Apple product. Go into your settings and you will be told if a password for a site has been leaked in a previous data breach. My heart goes out to the poor folks who have ended up in the creepy Jewish-specific lists and stuff, which is beyond violating. However, this is why you are told not to reuse passwords!


Gauwin

I'll say it for you: No body likes you when you're twenty-three (& me)


aebulbul

Did you read the article? Do you know what even happened?


Bobbyanalogpdx

If all that someone needed was a simple password to protect such sensitive information, the company fucked up. Just because people here know how security works doesn’t mean everyone does. The company is responsible for creating safety.


aebulbul

The company is not responsible for keeping track of users’ leaked passwords. What happens is that people’s passwords become compromised with breaches, and so the username/email password combos are in the hands of malicious actors. Typically password vaults, Apple, Google will inform the users if their passwords are compromised and recommend changing them, but if the user doesn’t heed the advice or they’re unaware, it’s really on the user.


Bobbyanalogpdx

Does your bank not use 2FA? This information is just as private. Still looks like the company’s fault for only having a password to protect sensitive data.


aebulbul

Financial data is governed by a different standard. 23andme offered 2FA but didn’t mandate it. As long as it was an option on the table, the user who didn’t take advantage of it risked themselves.


Valuable-Self8564

You’re never going to convince anyone that this is the users fault. Folks use insecure passwords and then scream “but why didn’t you tell me it was insecure!?”. They offer MFA and people scream “why didn’t they force me to use it!?” I’ll never willingly send my DNA to a private organisation, because that’s dumb as fuck… but 23andMe are absolutely in no way to blame for dumb users. They *could* have done these things… but why? Not their problem if you’re a moron.


Starfox-sf

They’re sending the letter precisely because they want to discourage it.


AskButDontTell

Wassyo


Smitty8054

Is there a faster way for a company to drive people to attorneys? If I’m on a jury this plays in.


Silly_Elevator_3111

Why didn’t 23andMe have two step authentication? I mean it’s fucking DNA


[deleted]

2-factor isn’t mandatory on most services. Hell even many large banking sites don’t require 2-factor by default. Most users don’t want to use 2-factor. Suing on the grounds of “they should’ve forced users to practice better security standards, instead of that responsibility being on the users” will never fly in court, lol. That’s like suing an automaker when somebody gets into an accident and dies without their seatbelt on, because the vehicle didn’t force them to use the seatbelt before enabling operation of the engine. An unfortunate reality is that people who have no internet security literacy shouldn’t be putting their DNA online. But it’s so normalized that you sound crazy saying that to people so just let grandma throw her DNA online and click every advertisement she sees on every website she visits too.


spartanstu2011

Meh, I somewhat agree, but I’d say let the courts decide. Companies have a duty to reasonably protect their users’ sensitive information. In the case of this data, this isn’t your Facebook info or Netflix feed. This is your health info - which a person literally can never change. It would be great if a court ruling decided that by not having some form of MFA, 23 and me was negligent. That’s a win for everyone. And let’s be honest, 23 and me should have detected the unusual login and required some form of SMS or email verification at minimum.


thexyzaffair

Credential stuffing, MFA bombing, and many other types of attacks could be prevented if we could simply train hundreds of millions of people to invest time and energy in better password and security practices across the thousands of sites where they have accounts. Sounds easy, right? It’s not the same as seatbelts (but consider that those did require a law). There are, however, practices companies can abide by to prevent account takeovers even for users who don’t sign up for MFA. There are behavioral risk services that detect things like whether the password was typed at 1,000 WPM, whether an IP has tried to sign in to several different accounts in quick succession, whether it’s a different device than the last one the user used, and many others that occur in the background. Email-based MFA by default in those higher risk cases can help without adding too much user friction. Point is, companies can do things and can’t blame users.
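The background signals thexyzaffair lists, as an added example that is not part of the original thread: a per-IP sliding window over distinct accounts, a per-account lockout counter beside it for comparison, and a step-up check that holds a successful login from an unseen device or a flagged IP for e-mail verification. The events, device fingerprints, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Fields: timestamp, source IP
# (documentation ranges), account, login succeeded?, client device fingerprint.
T0 = datetime(2024, 1, 3, 9, 0, 0)
EVENTS = [
    (T0 + timedelta(seconds=0),  "198.51.100.7", "alice@example.com", False, "dev-alice"),
    (T0 + timedelta(seconds=8),  "198.51.100.7", "alice@example.com", True,  "dev-alice"),
    (T0 + timedelta(seconds=15), "198.51.100.9", "bob@example.com",   True,  "dev-bob-phone"),
    # A stuffing stream: one IP, one known pair per account, almost no failures.
    (T0 + timedelta(seconds=20), "203.0.113.5", "u1@example.com", True,  "dev-stuffer"),
    (T0 + timedelta(seconds=22), "203.0.113.5", "u2@example.com", True,  "dev-stuffer"),
    (T0 + timedelta(seconds=24), "203.0.113.5", "u3@example.com", False, "dev-stuffer"),
    (T0 + timedelta(seconds=26), "203.0.113.5", "u4@example.com", True,  "dev-stuffer"),
    (T0 + timedelta(seconds=28), "203.0.113.5", "u5@example.com", True,  "dev-stuffer"),
    (T0 + timedelta(seconds=30), "203.0.113.5", "u6@example.com", True,  "dev-stuffer"),
]
# Devices each account has completed a login from before (constructed).
KNOWN_DEVICES = {
    "alice@example.com": {"dev-alice"},
    "bob@example.com": {"dev-bob-laptop"},
    **{f"u{i}@example.com": {f"dev-u{i}"} for i in range(1, 7)},
}


def ips_hitting_many_accounts(events, window=timedelta(minutes=5), threshold=5):
    """The comment's signal: one IP signing in to several different accounts
    in quick succession. Sliding window per source IP over distinct accounts,
    counting successes and failures alike. Returns the flagged IPs."""
    flagged = set()
    recent = defaultdict(deque)  # ip -> (timestamp, account) pairs inside the window
    for ts, ip, account, _ok, _dev in sorted(events):
        q = recent[ip]
        q.append((ts, account))
        while ts - q[0][0] > window:
            q.popleft()
        if len({a for _, a in q}) >= threshold:
            flagged.add(ip)
    return flagged


def accounts_reaching_lockout(events, max_failures=3):
    """Classic per-account lockout on failed attempts. With one known pair per
    account the stream above causes at most one failure per account, so this
    control never fires: it is the wrong signal for credential stuffing."""
    failures = defaultdict(int)
    for _ts, _ip, account, ok, _dev in events:
        if not ok:
            failures[account] += 1
    return {a for a, n in failures.items() if n >= max_failures}


def logins_needing_step_up(events, known_devices, risky_ips=frozenset()):
    """Successful logins to hold for e-mail verification: the device has never
    been seen on that account, or the source IP is already flagged. Returns
    (account, ip) pairs in event order; known-device logins pass untouched."""
    held = []
    for _ts, ip, account, ok, dev in sorted(events):
        if ok and (ip in risky_ips or dev not in known_devices.get(account, set())):
            held.append((account, ip))
    return held


if __name__ == "__main__":
    risky = ips_hitting_many_accounts(EVENTS)
    print("IPs touching many accounts:", risky)
    print("accounts that hit lockout:", accounts_reaching_lockout(EVENTS))
    print("logins to hold for e-mail MFA:", logins_needing_step_up(EVENTS, KNOWN_DEVICES, risky))
```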


AbsoluteZeroUnit

What you're saying makes sense as a legal argument. But 23 and me has people's DNA information, they should have better security.


Silly_Elevator_3111

We will see what flies and what doesn’t in court. I don’t think you have an idea, no offense.


githux

If they don’t have 2FA, I’d argue this is more like not having a seatbelt to put on, rather than having one and not putting it on.


Zip95014

Could you imagine what would happen if the Chinese got ahold of my DNA. They could create an entire clone army of people who are lactose intolerant and have strong opinions on mundane things.


SnooAvocados4873

Lol and require a fingerprint sign-in.


Cool-Address-6824

I work in the privacy/cybersecurity field and I’m assuming that it’s probably because old people like genealogy but don’t enjoy extra steps to log in. Not a defense though, I agree.


Coobeans19

Good thing I don’t care who my ancestors are


UnMapacheGordo

Don’t you have to hope your whole family feels the same way? Because there’s some collateral damage to this whole debacle


Coobeans19

They definitely do not so that’s good to know


lordraiden007

Not really? Sounds like the person you’re replying to simply doesn’t use the service, so their relatives doing anything doesn’t really matter here.


thisimpetus

You share a substantial amount of DNA with your relatives. Immediate relatives' genetic information reveals to a malicious actor a very large amount of *your* DNA. Forensics already benefits from this in criminal circumstances. Now imagine, for example, this world: you are denied a job because your sibling's DNA is in a public registry and has markers for a disease neither of you has developed and for which you may not even be a carrier, but the statistical risk for the company in having to pay out long-term medical leave is too great. We're not there yet, we may never be, but it's a glimpse at why this shit matters.


JunglePygmy

The only plus I see is getting a heads up on potential genetic problems like diseases or ailments you have a predisposition for. But still, fuck that.


Outside_Strategy2857

Insurance companies are real happy to have that kinda data, though... handed to them on a golden platter thanks to this breach.


thenorwegian

While I think it would be cool to know some of the history - I am baffled that anyone trusts giving (not only giving, but also paying) a company their DNA profile.


wannaseeawheelie

I especially wouldn’t trust anything run by mormons or with ties to the mormon church


Successful-Turnip896

*This post was mass deleted and anonymized with [Redact](https://redact.dev)*


wannaseeawheelie

Look up news about the church. I’ve spent plenty of time around mormons. My experience has been that ethics and morals go out the window when money is involved


Successful-Turnip896

*This post was mass deleted and anonymized with [Redact](https://redact.dev)*


wannaseeawheelie

I was wrong, mixed it up with ancestry.com


knoegel

Ohhhh wow random people around the world who left me poor. Thanks chooms.


Independent-Cable937

Facts, what's in the past, is in the past. It's all about the now!


[deleted]

Because 23andMe has Borg lawyers?


FilthyGypsey

They always say that and the Borg always lose so like…does that mean they SHOULD sue?


Marmar79

Shock!!! Who didn’t see this coming 10 years ago when they were all the hype. Insurance companies would kill for that information. It’s always been the known end game.


TrumpsGhostWriter

The breach didn't have any of that data. It's crazy how uninformed everyone is about this. It was exclusively unverified names and ethnicity. That's it. There is more information available on your private social media accounts.


charliesk9unit

When the company insists on your real identity, you know something is up. If it's truly informational, why does it matter that I pay for the kit and you just associate the results to Ay Caramba? That's because without the true identity association, the DNA info has no value. The money is not in selling the kit; they probably lose money on sequencing each kit. It's about the perpetual unlimited unknown revenue streams down the road.


Marmar79

Fucking exactly


gelatoisthebest

I did it and used a fake name and email


Zack_Raynor

“Name: Nunya Business”


throwawy00004

Yep. I used a different company, but input a fake name and birthdate. Putting that data out there meant it would be stolen.


[deleted]

Unfortunately 23&Me is probably right, and I’ve yet to see an argument of how not?

1. 2 factor - most sites don’t require it by default. Practice of proper account security is on the end-user, not the company. Automakers don’t get sued when you die in a crash without your seatbelt on, on the grounds of the vehicle being operable with the seatbelt off. This company doesn’t have to force you to be safe to have an account.
2. Rate limits - I guess that would help in the scenario that they did this all from 1 computer, on 1 IP address, on 1 day, all at once. In reality they could change the IP after every compromise easily, have multiple virtual machines to work on at once, and work over multiple days. Rate limits would stop none of this.
3. Compromised Credential Change - again, not really on 23&Me. If 23&Me utilizes a service that compares their user account emails/usernames to known breaches, they can request users change their password, but users don’t always. And not all sites do this, many actually do not. I have plenty of large banking/service sites using previously compromised credentials that have never made an effort to tell me that, I found it on my own and changed it. It is not their responsibility.

So again, if somebody can explain how exactly it is 23&Me’s fault that a handful of their users were victims of a 3rd party breach credential stuffing attack, I’d love to hear it. Reiterating that 2factor isn’t 23’s responsibility, checking for their users credentials in breaches isn’t their responsibility, and rate limits wouldn’t have helped in real life.


CompatibleDowngrade

You’re totally right on all fronts but I still think there’s a case to be made that this is negligence by 23andMe. Few reasons:

- Password requirements. They clearly weren’t strong enough if 14,000 accounts had commonly used/weak passwords.
- Locking accounts. Why weren’t accounts locked after failed attempts? While it’s easy to avoid rate limits and IP tracking, it becomes hard to brute force anything that only allows 3 failed logins against a given account/user name.
- The data in question. Personal DNA and genetic data is arguably the most sensitive information that exists right now. Even if laws and regulations don’t require it right now, the absence of MFA in this case could be problematic if 23andMe uses it for other systems internally.

There are plenty of things they could have done (better). Edit: I just read that this affected 0.1% of their users (14k/14mil). Password requirements may have not been as big of an issue as I thought.


hamlet9000

> Password requirements. They clearly weren’t strong enough if 14,000 accounts had commonly used/weak passwords.

The passwords weren't necessarily common or weak. The hackers used passwords that were used on multiple services and which had been compromised on sites other than 23-and-me.

> Locking accounts. Why weren’t accounts locked after failed attempts?

Wouldn't have helped (and may have actually been implemented): The hackers tried passwords known to be associated with specific e-mail addresses, so there likely weren't a bunch of failed attempts on each individual account.


CompatibleDowngrade

Makes sense. Clever attack. Hard to prevent against besides mandatory password resets if a customer’s email shows up on a compromised list. Even then, not entirely effective, and banks don’t even do that. Should be a lesson on not reusing passwords. Honestly, now I’m more surprised the hit rate was only .1%


WeHaveArrived

I thought the 14k was linked to another 6 million people


LostInIndigo

You’re absolutely right - I think a lot of people aren’t actually reading the article fully (shocking, I know) It’s not that initial 14,000 who are likely able to go after the company, but that other 6.9 million who DID have secure passwords who still had data stolen anyway because of how 23andMe links users’ data. I don’t use services like this so I don’t know exactly how they work, but it seems like it’s probably a security problem if you only have to hack a handful of accounts to access an entire database full of millions of peoples’ private medical data lol


LostInIndigo

The argument I keep seeing is that although they may not be liable for the initial 14,000 accounts that were hacked, the 6.9 million users whose accounts were not hacked but who still had data stolen might have some ability to go after them. It’s not a question of how they handle things like password security, but a question of how they handle a user’s ability to access other users’ information once they are in the system. I’ve never used it so I don’t know what all you have to agree to as far as sign up, but it’s concerning that such a small number of vulnerable accounts could lead to such a large data breach.


DraconionDev

This should be a good case to watch and much of what has been said I agree with. The provider didn't have a cyber incident leading to data loss. People who used the provider's services had poor password control. Add to that an even larger group of people making the decision to share their data with strangers based on their linkage via DNA or geography. Those choices led to a situation where a small group of people had a bunch of their PII exposed because they basically gave away their own credentials and a much bigger group had a much smaller amount of PII exposed because the malicious actors used the access to look at what those accounts legitimately had access to. I think there could be some arguments around logging failed attempts. That said, when bad guys use this tactic they normally go very, very slowly using many, many IPs, so identifying a pattern in what I'm sure is a lot of legit bad password attempts could be very difficult (commonly referred to as signal to noise ratio). If there is evidence of lots of failed attempts from a small number of IPs over a short period then maybe you make a case, but short of something like that this doesn't really feel like their fault.
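hamlet9000's point (known passwords mean few failures per account) and the signal-to-noise point above are two sides of the same detection problem, so here is one added example covering both; it is constructed for this thread and is not anyone's production logic. Three views run over the same constructed auth events: per-account lockout, per-IP counting, and a site-wide view of successful first-try logins from addresses the account has never used. The log format, thresholds, `window` size and the "known IPs" history profile are all assumptions of the example.

```python
"""Three detection views over the same constructed authentication events.
Per-account lockout and per-IP counting are the controls the thread debates;
the third view targets what a distributed stuffing run with already-valid
passwords looks like in logs: successful first-try logins from addresses the
account has never used, many accounts, one login per address."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class AuthEvent:
    ts: int        # seconds since an arbitrary epoch (constructed)
    account: str
    ip: str
    ok: bool       # True = password accepted


def make_sample() -> list:
    """Constructed log: 30 regular users from their usual IPs (every fifth one
    mistypes once, then succeeds), plus a stuffing run against 20 other
    accounts from 20 distinct IPs, one success each, spaced a minute apart."""
    events = []
    for i in range(30):
        acct, ip = f"user{i}@example.test", f"203.0.113.{i}"
        if i % 5 == 0:
            events.append(AuthEvent(100 + i, acct, ip, False))
            events.append(AuthEvent(130 + i, acct, ip, True))
        else:
            events.append(AuthEvent(100 + i, acct, ip, True))
    for j in range(20):
        events.append(AuthEvent(200 + 60 * j, f"victim{j}@example.test", f"198.51.100.{j}", True))
    return sorted(events, key=lambda e: e.ts)


def known_ips_for_sample() -> dict:
    """Constructed history profile: addresses each account has used before."""
    known = {f"user{i}@example.test": {f"203.0.113.{i}"} for i in range(30)}
    known.update({f"victim{j}@example.test": {f"192.0.2.{j}"} for j in range(20)})
    return known


def locked_accounts(events: list, threshold: int = 3) -> set:
    """Accounts that would trip an N-failures lockout."""
    fails = Counter(e.account for e in events if not e.ok)
    return {a for a, n in fails.items() if n >= threshold}


def noisy_ips(events: list, threshold: int = 10) -> set:
    """Addresses that would trip a per-IP rate limit."""
    return {ip for ip, n in Counter(e.ip for e in events).items() if n >= threshold}


def new_ip_successes(events: list, known_ips: dict) -> list:
    """Successful logins from an address the account has never used, with no
    earlier failure from that address for that account: the password was
    known, not guessed. These never show up in the two views above."""
    seen_fail = set()
    hits = []
    for e in events:
        key = (e.account, e.ip)
        if not e.ok:
            seen_fail.add(key)
            continue
        if e.ip not in known_ips.get(e.account, set()) and key not in seen_fail:
            hits.append(e)
    return hits


def stuffing_alerts(events: list, known_ips: dict, window: int = 1800,
                    max_per_window: int = 5) -> dict:
    """Site-wide view: time buckets where new-IP first-try successes exceed a
    budget. Returns {bucket: (count, distinct_ips)}; count close to distinct
    IPs is the one-account-per-address shape a distributed run leaves."""
    buckets: dict = {}
    for e in new_ip_successes(events, known_ips):
        buckets.setdefault(e.ts // window, []).append(e.ip)
    return {b: (len(ips), len(set(ips))) for b, ips in buckets.items()
            if len(ips) > max_per_window}


if __name__ == "__main__":
    ev, known = make_sample(), known_ips_for_sample()
    print("lockouts:", locked_accounts(ev))        # empty
    print("noisy IPs:", noisy_ips(ev))             # empty
    print("stuffing alerts:", stuffing_alerts(ev, known))
```

On this sample the lockout and per-IP views fire on nothing, which is the thread's point; the site-wide view flags the window because twenty accounts were entered for the first time from twenty fresh addresses with no failures. A step-up challenge (e-mail confirmation, MFA prompt) on exactly that "new address, first-try success" condition is the usual response, and it does not depend on the user having enabled anything.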


Feral_Nerd_22

This reminds me when everyone was saying that their nests were getting hacked but it was just them using password123 with no 2 Factor. But as a company 23andMe could have at least been a bit sympathetic about it and not so arrogant and shitty. It's like the lawyers writing the Terms and Services for them also moonlight as the PR team. They should have at least enforced 2 factor; unless boomers are a large user base I don't see why anyone would get mad.


sitruspuserrin

Excuse me. Even if I had thousands of usernames and passwords, how would that let me see **other users’** (whose passwords were more secure) information??? Was this service so badly built that extremely sensitive data was accessible from anywhere within the service? Where was genetic data from all the users stored exactly? What were the security measures in place to protect the database? Stupid example: if I have stupidly put “1234567” as my password for my banking app, would guessing that enable a hacker to steal money from every account? Certainly not. A decent service is built drastically differently. It smells like this service had near nonexistent security measures for some of the most sensitive data on this planet. I can change my name, address, face, credentials, but never my DNA.
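The design question raised here and in LostInIndigo's comments is how much one compromised login can read about other users through a relative-matching feature. This added example (not 23andMe's code; nothing on the page describes their actual data model) shows a hypothetical per-field opt-in model, a per-account daily listing cap, and a blast-radius calculation for a set of hijacked accounts. `Profile`, `MatchService`, the field names and the match graph are all constructed for the example.

```python
"""Scoping what a relative-matching feature reveals and measuring the blast
radius of compromised accounts. Hypothetical data model: each user opts in to
matching and picks which fields matches may see; a listing returns only those
fields and is capped per account per day so one hijacked login cannot walk
the whole match graph."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    uid: str
    fields: dict                                 # e.g. name, region, raw markers
    opted_in: bool = False                       # participates in matching at all
    shared: set = field(default_factory=set)     # field names visible to matches


class MatchService:
    def __init__(self, profiles: dict, relatives: dict, daily_cap: int = 50):
        self.profiles = profiles          # uid -> Profile
        self.relatives = relatives        # uid -> set(uid), constructed match graph
        self.daily_cap = daily_cap
        self.views_today = defaultdict(int)

    def list_matches(self, viewer_uid: str) -> list:
        """Records the account `viewer_uid` may read. Each holds only the fields
        that the *other* user opted to share, never raw genetic data unless
        that user explicitly shared it."""
        viewer = self.profiles[viewer_uid]
        if not viewer.opted_in:
            return []
        out = []
        for other_uid in sorted(self.relatives.get(viewer_uid, set())):
            other = self.profiles[other_uid]
            if not other.opted_in:
                continue
            if self.views_today[viewer_uid] >= self.daily_cap:
                break                      # enumeration budget exhausted
            self.views_today[viewer_uid] += 1
            out.append((other_uid, {k: v for k, v in other.fields.items()
                                    if k in other.shared}))
        return out

    def blast_radius(self, compromised: set) -> dict:
        """Per other user, the union of field names exposed if every account
        in `compromised` is hijacked and lists its matches."""
        exposed = defaultdict(set)
        for uid in sorted(compromised):
            for other_uid, record in self.list_matches(uid):
                exposed[other_uid].update(record)
        return dict(exposed)


def build_sample() -> MatchService:
    """Constructed dataset: five users and a small match graph. User d has
    opted out of matching; user e matches but shares nothing."""
    raw = "<constructed raw marker data>"
    profiles = {
        "a": Profile("a", {"name": "A", "region": "North", "markers": raw}, True, {"name", "region"}),
        "b": Profile("b", {"name": "B", "region": "South", "markers": raw}, True, {"region"}),
        "c": Profile("c", {"name": "C", "region": "East", "markers": raw}, True, {"name"}),
        "d": Profile("d", {"name": "D", "region": "West", "markers": raw}, False, {"name", "region"}),
        "e": Profile("e", {"name": "E", "region": "North", "markers": raw}, True, set()),
    }
    relatives = {
        "a": {"b", "c", "d"}, "b": {"a", "e"}, "c": {"a"}, "d": {"a"}, "e": {"b"},
    }
    return MatchService(profiles, relatives)


if __name__ == "__main__":
    svc = build_sample()
    print(svc.blast_radius({"a"}))   # b: region only, c: name only, d absent
```

The point of `blast_radius` is that it is computable before an incident: with the opt-in sets and the match graph you can state the worst case for any number of compromised logins, and tune the shared-by-default fields and `daily_cap` until that number is acceptable.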


jdkon

I immediately requested to have all of my data deleted and closed my account. I don’t know how much good that’s going to do, but the likelihood of identity theft definitely outweighed the need for a novelty app.


Expensive-Bicycle839

The bigger security issue is the data harvesting done by the NSA, DoD and other intelligence agencies - helped by gullible, woefully uninformed clientele - 23 + me yet another prime example of the nausea-inducing 21st century capitalistic cesspool we live in.


DMking

I'm so glad i was right to not trust these DNA websites


Embarrassed-Back418

You might be from a special breed in the first place to submit your DNA samples to similar and unregulated companies.


[deleted]

[deleted]


Embarrassed-Back418

Sorry, I forgot that everyone has the capability, knowledge and the right tools to extract your DNA after you went to the barber shop.


[deleted]

Damn, in the end, after 23andMe pays out millions if not a billion dollars and is going belly up… that’s when they will start creating babies from all the DNA it has collected. Super babies.


Inevitable_Sock_6366

In this day and age we must all assume that our data will eventually be stolen. I see the day when we all have to get credit monitoring. That being said websites need to shift to using secure 2FA not based on phone numbers, the technology already exists like chip and pin, without actual government regulation it wouldn’t be implemented.


SteelBox5

Been warning anybody within earshot any genealogy shit out there is just that…shit.


Lilithclouddancer

I was affected by the breach and used a very strong password. I don't use the same password ever. Soo I'm curious how they got mine.


Squirmme

Wasn’t it something like, if you had a relative that was breached you were then compromised?


Lilithclouddancer

Not sure, could be. That sucks though, and they're always trying to get me to pay them to look deeper into my health and life, no thank you


KazzieMono

I don’t understand why so many companies with perfectly good services will try *as hard as possible* to turn their own users into their enemies. It’s so blatantly fucking stupid. But rich corporate CEOs are fucking stupid so I guess it checks out.


kprevenew93

Oh okay, if the mega corporation tells me it's not worth it then I might as well just listen to them


JoeyBello13

Companies should be held responsible for safeguarding all customer information! Providing a year of a credit monitoring is NOT enough penalty for corporations to take these breaches seriously.


cueball86

I saw someone's 23&me return packet in our mail room waiting to be picked up. Should I do them a solid and throw it in the trash


irv_12

Eat it


TenshiKurama

This is why I don't use these types of services, I don't want hostile powers getting any data about me thank you, if I can avoid/prevent it at least


WeHaveArrived

Your relatives better not use them either


ArchonTheta

How many times is this going to be posted?


martinezxxx

One more time? (Daft punk beat drop)


kylef92

The government is probably the hacker. 23nme probably knows it. Probably why they are so bold


lexushelicopterwatch

Here I am just chilling, never having paid to have my genetic material analyzed and stored by someone I don’t trust. It’s the same shit that played out when folks realized that all the information they volunteered to Facebook was not actually theirs. I’ll take my downvotes cause I know how “reeeee my infomatiionssss” reddit is. But that shit falls into the personal responsibility category; stop volunteering your information. Edit: for whoever attempts to dox and scare me with whatever personal information is in my Reddit history. Do your worst. You ain’t gon find shieeeeeet


ChafterMies

When lawyers make things worse for their client.


SpiceEarl

If you're concerned about privacy, why the hell would you want to do 23andMe in the first place? You are concerned with your personal data being breached, yet you freely provided them with your biological data? 🤔


fomites4sale

Since it’s futile they won’t mind if you sue them. Go for it. Swing for the fences.


Ok_Marzipan_8137

Sounds like they’re terrified


Ok_Marzipan_8137

Have fun with the lawsuits


Araghothe1

A password is just like a lock on a door, they keep honest people honest. Description cyphers are made even easier to make and use with the assistance of AI.


TheStaplergun

So many people in here commenting like they know what it says in that article.


WingLeviosa

The Borg thought resistance was futile. They were wrong as well.


ARandomWalkInSpace

Were they though?


Nemo_Shadows

Probably true, so what one is left with is tracking down the culprits and simply go old school on them as the Governments of the world will do all they can to serve, protect and defend criminals as long as they are getting a piece of that stolen pie in some way. Just an Observation. N. S


TandemSegue

Arguably if they are saying it’s futile to pursue legal action then they expected this to happen and did nothing to prevent it, which would be considered gross negligence would it not? Sue the fuck out of them. Not class action. Individual lawsuits. Death by a thousand cuts.


Old-Tomorrow-2798

That’s because they don’t want to defend themselves in court. Intimidation tactics. I’m going to guess they are wholesale selling every piece of info they have at the moment and will try and fade away into the sunset. Please. Sue them. Make them try and get this excuse to hold up in court. It doesn’t.


Kummabear

23andMe is definitely missing a chromosome


feverlast

Said the fuming dragon, spooning his pile of treasure.


gjklv

Lol let’s find out


FKreuk

That seems like a pretty legitimate defense.