科技回声
A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

23andMe is reportedly turning the blame back on its customers

120 points, by nomemory, over 1 year ago

20 comments

merricksb, over 1 year ago

Source article on TechCrunch discussed here 3 weeks ago:

https://news.ycombinator.com/item?id=38856412

(261 points / 20 days ago / 371 comments)
masto, over 1 year ago

I do not reuse passwords, and from what I understand, my account was not accessed directly. The message they sent me was:

"After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor."

So there's nothing I could have done with password security that would have prevented this; my only mistake was using a feature of their site.
NikolaNovak, over 1 year ago

I have a genuine question:

If somebody accesses a Facebook account and uses it to view intentionally shared information on 500 people connected to that person, is that Facebook's fault for having that feature?

It appears Hacker News consensus is "Yes", but... that feature IS Facebook; and to many many people, that feature IS "23andme".

Don't get me wrong - I don't have a 23andme account; we are at an early age of DNA analysis and I'm supremely uncomfortable randomly giving my DNA and wide permissions to strangers in perpetuity. I've tried to give the same perspective to friends and family, with limited success.

I also don't particularly care about genealogy either, yet goodness gracious a lot of people really really do, and they get giddy and excited when they find some 'match' on DNA sites :).

But it does rather seem that external actors used credentials obtained elsewhere to access a core "social-network-like" feature of 23andme that users eagerly opted in to (again, I wouldn't have, but I'm a weirdo:).

I don't understand what 23andme's real fault is, other than existing, and allowing users to willingly, consensually, in an informed manner do what they specifically chose to do. We all told our friends & family "hey don't share your DNA results and intimate details of your life with strangers and random new startups", but they repeatedly choose to do so anyway :(.
_heimdall, over 1 year ago

"The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts, the company previously told Business Insider."

Okay, so first off, no software team would be surprised to know that you have millions or tens of millions of customers and as many as 14k reused logins from elsewhere. Second, if someone steals credentials from a subset of users and can use that to gain access to nearly half your customer base, you've made a terrible, terrible decision when adding features that allowed that.

Reused username/password pairs are a known challenge, and we should all be aware that our software will be used with compromised logins. Plan for that and don't assume that anyone with a login is both allowed in the door and not there for malicious reasons.
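The comment above argues that a service has to plan for logins made with stolen credentials rather than trusting every authenticated session. As an added example (not from this thread and not 23andMe's code), the Python below shows one defensive control for the pattern the article describes, a "relatives" feature that lets one login read many other users' profiles: it runs over constructed access-log lines and flags accounts whose count of distinct profiles viewed inside a sliding window exceeds a threshold, and separately lists addresses that drove the feature for several different accounts, which is what credential stuffing from one operator tends to look like. The log format, account names, addresses, the 50-profiles-per-hour threshold and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per profile view, in the assumed shape
# "ISO-time account profile_viewed client_ip". Alice browses a few matches by
# hand; bob and carol are two stuffed accounts driven by one script from the
# same address. All values are made up for this example.
def _build_sample_log():
    lines = []
    t0 = datetime(2023, 10, 1, 12, 0, 0)
    for i in range(3):
        lines.append(f"{(t0 + timedelta(minutes=5 * i)).isoformat()} u-alice p-{100 + i} 198.51.100.4")
    for i in range(120):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} u-bob p-{2000 + i} 203.0.113.7")
    for i in range(60):
        lines.append(f"{(t0 + timedelta(seconds=7 * i)).isoformat()} u-carol p-{3000 + i} 203.0.113.7")
    return lines

SAMPLE_LOG = _build_sample_log()

def parse_line(line):
    ts, account, profile, ip = line.split()
    return datetime.fromisoformat(ts), account, profile, ip

def max_distinct_in_window(events, window):
    """Largest number of distinct profiles one account viewed within any
    span of length `window`. `events` is a time-sorted list of (ts, profile)."""
    best = 0
    start = 0
    seen = defaultdict(int)  # profile -> number of views currently inside the window
    for ts, profile in events:
        seen[profile] += 1
        # Slide the window start forward until it is within `window` of `ts`.
        while ts - events[start][0] > window:
            old = events[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best

def flag_enumerators(lines, window_seconds=3600, threshold=50):
    """Accounts that read at least `threshold` distinct profiles within any
    window of `window_seconds`. Returns {account: peak distinct count}."""
    window = timedelta(seconds=window_seconds)
    per_account = defaultdict(list)
    for line in lines:
        ts, account, profile, _ = parse_line(line)
        per_account[account].append((ts, profile))
    flagged = {}
    for account, events in per_account.items():
        events.sort()
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            flagged[account] = peak
    return flagged

def shared_ip_accounts(lines, min_accounts=2):
    """Client addresses that used the feature under several different accounts;
    one signal worth alerting on when many logins arrive with reused passwords."""
    accounts_by_ip = defaultdict(set)
    for line in lines:
        _, account, _, ip = parse_line(line)
        accounts_by_ip[ip].add(account)
    return {ip: sorted(accs) for ip, accs in accounts_by_ip.items() if len(accs) >= min_accounts}

if __name__ == "__main__":
    print("bulk readers:", flag_enumerators(SAMPLE_LOG))
    print("addresses behind several accounts:", shared_ip_accounts(SAMPLE_LOG))
```

The same two checks can run in the request path as well as over logs: an account that crosses the threshold can be throttled or forced through re-authentication before it reads another profile, which caps how much a single stuffed login can export.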
tcgv, over 1 year ago

Two factor authentication should be mandatory for services like 23andMe that hold such sensitive information (i.e. DNA tests). It would at least have reduced the wideness of the attack by protecting most of those 14k initial accounts that were used to leverage the 'relatives feature' vulnerability.
avsteele, over 1 year ago

The article is terrible. What are commenters even discussing without having additional context?

> The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts, the company previously told Business Insider.

This is the only actual 'information' in the article. The rest is just finger pointing. But what does this mean?

What feature? Does 'gain access' here mean all the data you would have as if you logged in as that user? How does 14K become 7M? Is it the case that an average user has access to the data of 500 other users on the website? (7M/14K)
bookofjoe, over 1 year ago

This is a canary in a coal mine.

At some point in the future — in our lifetimes — every newborn will have DNA taken and tested — and banked permanently.

You say "No way, over my dead body?"

> Kuwait: New Counterterror Law Sets Mandatory DNA Testing (2015)

https://www.hrw.org/news/2015/07/21/kuwait-new-counterterror-law-sets-mandatory-dna-testing

> Kuwait: Court Strikes Down Draconian DNA Law (2017)

https://www.hrw.org/news/2017/10/17/kuwait-court-strikes-down-draconian-dna-law#:~:text=Kuwait%20was%20the%20only%20country,to%20personal%20liberty%20and%20privacy

In the US, a blood sample is taken from all newborns to test for a panel of diseases that are treatable and cause serious problems if not treated within a few days after birth.

The sample is not taken by federal authorities, but by medical staff, usually before the infant goes home from the hospital. The individual states, rather than the Federal government, mandate the testing. The sample consists of a piece of paper with a few or several spots saturated with drops of blood. After testing, the samples are stored for a period of time determined by each individual state. In states where the samples are kept on file for an extended period, those blood spots could be considered a DNA sample.
ManBeardPc, over 1 year ago
You could kind of argue that users that reuse passwords are responsible for leaking their own information. But how do they explain the remaining 7 million? Also they are suddenly able to enforce changing passwords and 2FA, so how do they want to claim they reasonably protected sensitive data before? If the 7 million users made their data public to other users that may explain a little bit, but I would assume the company would say so.
huseyinkeles, over 1 year ago

From what I read, people got their credentials breached on some other websites. Hackers then somehow used those same credentials to log in to 23andMe.

I see that 23andMe could’ve forced MFA, or had better brute force protection for sure, but it seems like 23andMe themselves didn’t breach any passwords at least.
ta8645, over 1 year ago

This doesn't just affect 23andMe's customers. It affects every person who shares DNA with their customers.

For instance, police have been able to match DNA samples of an unknown perpetrator against these DNA services. Matches against their extended family (who have used the service) are enough to identify them, even though they've never been a customer. And while that's a good thing, the more general case is true for every one of us. We're all represented in this DNA data to one degree or another, even if we've never used the service.
sersi, over 1 year ago

> The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company's user base, or about 7 million accounts

I mean, for the 14,000 accounts accessed with compromised login credentials, yes, it's logical that it's their fault.

But what kind of feature would allow attackers to then get access to 7 million accounts from 14,000 compromised accounts? The article doesn't say and I can't imagine any feature that would allow that without being an egregious breach of security.
sschueller, over 1 year ago

Let's not pretend that 23andMe didn't voluntarily give access to the data to law enforcement and wanted to sell it as well to insurance companies.
insickness, over 1 year ago
While 23andMe may not be culpable, they certainly look culpable, particularly to the layman. Their messaging in response to this is terrible.
that_guy_iain, over 1 year ago

I think with how 23andMe is reacting they know they're about to get spanked in a class action.
kseifried, over 1 year ago

We covered this on the open source podcast last week.

https://opensourcesecurity.io/2024/01/21/episode-412-blame-the-users-for-bad-passwords/

TLDR there is a LOT 23andme could’ve done to prevent this. Around the same time BrickLink had a similar incident, but handled it perfectly.

There is a lot that these vendors can do to protect people, even if their password and username are exposed. Things like requiring email confirmation if you’re logging in from a new IP address. Things like using the haveibeenpwned database to ensure people use good passwords. When I reset my password at 23andMe, it allowed me to use passwords like Password1234567.

23andme continues to disappoint.
shadowgovt, over 1 year ago

> One 23andMe customer impacted by the breach told TechCrunch that it's "appalling that 23andMe is attempting to hide from consequences instead of helping its customers."

I mean... Of course they are trying to dodge extra punishment from California while trying to help customers. They can be doing both at the same time.

And as a legal argument, they may have a point. How precisely are they supposed to secure their architecture against recycled login credentials? Does California's law imply that you have to implement two-factor authentication? Seems like it would be a novel application of the law if that's the case.
dzolob, over 1 year ago

This “it’s their fault for sharing information” is a terrible externality/unaccountability argument. As a company, you are responsible for the safety and privacy of all your direct and indirect users. I don’t have a facebook, but I’m in there for sure, and it’s the company’s responsibility to protect my privacy.

I know this is not 23&me’s case, and sure, the front door keys weren’t stolen from them, but they allowed the whole museum to be robbed without triggering one alarm. If a bad actor gained access to my account, he/she would still need my device to deobfuscate card info or make transactions.

I mean, it’s a solved problem!
erikson, over 1 year ago

Same PR agency as you-know-who.
Aachen, over 1 year ago

If someone registers on my website with the same password as in LinkedIn, then LinkedIn gets hacked overmorrow, and the attacker then logs in with the correct password on my website, what should I have done to prevent that successful login to this user's account?

We can get angry and make jokes about 23&Me, but I don't know what people would expect of me here; what solution I ought to implement as someone who runs several websites as hobby projects.

This problem is also one of the reasons why I'd not recommend doing such a DNA test with a web service...

Edit: could I know why a moderator pinned this comment to the bottom? It got votes and was at the top for a few minutes, but now sorts below literally every other comment, also greyed-out ones, and downvotes are starting to appear (maybe by association because it's at the bottom?). What should I have written differently to not get moderated away?
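kseifried's comment above lists controls that still work when the username and password are already exposed (checking new passwords against the haveibeenpwned database, requiring email confirmation for a login from a new IP address), and Aachen's comment asks what a small site operator should actually implement against a password reused from a breached site. As an added example, not code from either commenter, from 23andMe or from Have I Been Pwned, the Python below implements both controls: a k-anonymity range lookup of the kind the Pwned Passwords API uses (only the first five hex characters of the password's SHA-1 are sent, and the returned "SUFFIX:COUNT" lines are matched locally, so the full hash never leaves the server doing the check), answered here from a constructed range table so the code runs offline, and a login policy that returns "confirm_email" instead of "allow" when a correct password arrives from an address the user has not previously confirmed. The fake fetch function, the small breached-password list, the counts attached to it and the 12-character minimum are assumptions for this example.

```python
import hashlib
from collections import defaultdict

# --- Part 1: breached-password check via a k-anonymity range lookup ---------
# Constructed list standing in for a breach corpus; counts are made up.
CONSTRUCTED_BREACHED = ["Password1234567", "password", "123456", "qwerty"]

def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def _build_fake_ranges(passwords):
    """Build {5-char prefix: "SUFFIX:COUNT\\r\\n..."} in the same shape a
    range endpoint returns, from the constructed breached list."""
    ranges = defaultdict(list)
    for count, pw in enumerate(passwords, start=1):
        h = _sha1_hex(pw)
        ranges[h[:5]].append(f"{h[5:]}:{count * 1000}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}

FAKE_RANGES = _build_fake_ranges(CONSTRUCTED_BREACHED)

def fake_fetch_range(prefix):
    """Stand-in (assumption) for an HTTP GET of /range/<prefix>; returns the body."""
    return FAKE_RANGES.get(prefix, "")

def breach_count(password, fetch_range=fake_fetch_range):
    """Number of times `password` was seen in the breach data, 0 if never.
    Only the 5-char prefix is sent; the suffix comparison happens locally."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip())
    return 0

def password_acceptable(password, min_len=12):
    """Policy used at registration and reset: long enough and never breached."""
    return len(password) >= min_len and breach_count(password) == 0

# --- Part 2: step-up when a correct password arrives from a new address -----
# A stuffed credential is a valid password typed from an unfamiliar machine,
# so "password matched" alone must not unlock the account.
class LoginPolicy:
    def __init__(self):
        # user -> addresses that completed an email confirmation before
        self.known_ips = defaultdict(set)

    def evaluate(self, user, password_ok, ip):
        """Return the decision for one login attempt:
        'deny' (bad password), 'allow' (known address), or 'confirm_email'
        (correct password from a new address: mail a one-time link and keep
        the session unauthenticated until it is used)."""
        if not password_ok:
            return "deny"
        if ip in self.known_ips[user]:
            return "allow"
        return "confirm_email"

    def confirm(self, user, ip):
        """Called when the emailed one-time link for this attempt is used."""
        self.known_ips[user].add(ip)

if __name__ == "__main__":
    for pw in ("Password1234567", "a long unbreached passphrase"):
        print(pw, "->", "rejected" if not password_acceptable(pw) else "ok",
              f"(seen {breach_count(pw)} times)")
    policy = LoginPolicy()
    print(policy.evaluate("alice", True, "203.0.113.7"))   # new address: confirm_email
    policy.confirm("alice", "203.0.113.7")
    print(policy.evaluate("alice", True, "203.0.113.7"))   # now: allow
```

To use the real range endpoint, replace `fake_fetch_range` with a function that performs the GET and returns the response body; the parsing and the local suffix comparison stay the same. The login step-up keys on the address only because that is what the comment describes; a device cookie set after confirmation works the same way and copes better with users whose addresses change.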
badgersnake, over 1 year ago
They’re not customers, they’re the product.