User data stolen from genetic testing giant 23andMe is now for sale on the dark web

User data from 23andMe accounts has been leaked and put up for sale on a dark web forum after what appeared to be a "credential stuffing" cyberattack.

  • huginn@feddit.it · 65 up / 3 down · 1 year ago

    Note: this was from password stuffing and is only profile data, not genetic.

    Your genomics can only be downloaded from a link sent to your email account.

    Don't reuse your passwords.

    The only thing 23andme could have done to prevent this is 2fa.

    • Saik0@lemmy.saik0.com · 22 up / 6 down · 1 year ago

      The only thing 23andme could have done to prevent this is 2fa.

      Not true. It's easy to detect hundreds of thousands of logins from VPN locations. Or parse that someone is logging in from thousands of miles away from their profile location and send an email. There's many simple things to implement that they could have done to protect your account with them. They took the easy route.

      While the user does bear most of the blame, claiming that 23andme couldn't do anything else is strictly wrong.

      • huginn@feddit.it · 17 up / 1 down · 1 year ago

        Preventing these kinds of attacks is a nontrivial problem space and is the exact reason why scraping services are a lucrative business.

        It is not trivial to prevent dark web actors from using botnets to make requests and it is comparatively inexpensive to access botnets as a service.

        Sending emails for suspicious login is 2fa, by the way.

        • Saik0@lemmy.saik0.com · 3 up / 6 down · 1 year ago

          It is not trivial

          And yet I just explained to you two ways to do it real easily that I've implemented into several platforms. It has been trivial.

          Sending emails for suspicious login is 2fa, by the way.

          Only if you actually block login until the link is clicked in the email. Just sending an email is not 2fa. You don't need to specifically block the user; a notification would be sufficient for many users to understand "Wait… I didn't log in, I should change my password immediately."
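The two signals Saik0 describes in this sub-thread (one source address cycling through many accounts, and a login geographically too far from the previous one for the time elapsed) together with the graduated responses from this comment (notify the owner rather than hard-block), written out as an added Python example. It is not code from the thread or from 23andMe; the login events, IP addresses and coordinates are constructed, and a real deployment would feed the same functions from an authentication log and a GeoIP lookup.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data). lat/lon stand in for what a
# GeoIP lookup of the source address would return.
LOGIN_EVENTS = [
    {"account": "alice", "ts": "2023-10-01T08:00:00", "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},  # New York
    {"account": "alice", "ts": "2023-10-01T08:30:00", "ip": "198.51.100.7", "lat": 51.51, "lon": -0.13},   # London, 30 min later
    {"account": "bob",   "ts": "2023-10-01T09:00:00", "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},  # New York
    {"account": "bob",   "ts": "2023-10-01T18:00:00", "ip": "203.0.113.11", "lat": 42.36, "lon": -71.06},  # Boston, 9 h later
]
# One constructed source address trying six different accounts within five minutes.
LOGIN_EVENTS += [
    {"account": acct, "ts": f"2023-10-01T09:0{i}:00", "ip": "198.51.100.99", "lat": 52.37, "lon": 4.90}
    for i, acct in enumerate(["carol", "dave", "erin", "frank", "gina", "hank"])
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag accounts whose consecutive logins imply travel faster than max_kmh
    (roughly airliner speed). Returns (account, implied_kmh) per offending pair."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    hits = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_parse(cur["ts"]) - _parse(prev["ts"])).total_seconds() / 3600
            # Two simultaneous logins from different places are still impossible travel.
            if hours > 0:
                kmh = km / hours
            else:
                kmh = float("inf") if km > 0 else 0.0
            if kmh > max_kmh:
                hits.append((account, round(kmh)))
    return hits


def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Find source IPs that touched at least min_accounts distinct accounts inside
    any one `window`. Returns {ip: max distinct accounts seen in a window}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((_parse(e["ts"]), e["account"]))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            seen = {acct for ts, acct in evs[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


def triage(events):
    """Map detections to graduated responses: tell the account owner about
    impossible travel, throttle a source that is guessing across many accounts."""
    actions = []
    for account, kmh in impossible_travel(events):
        actions.append(("notify_owner", account, f"implied {kmh} km/h between logins"))
    for ip, n in stuffing_sources(events).items():
        actions.append(("rate_limit_source", ip, f"{n} accounts in one window"))
    return actions


if __name__ == "__main__":
    for action in triage(LOGIN_EVENTS):
        print(*action)
```

The thresholds are deliberately loose: 900 km/h tolerates a same-day flight, and the per-IP window is wide enough that a shared office NAT with a handful of users stays below it. VPN exit nodes will produce false impossible-travel hits for some users, which is why the response is a notification rather than a lockout.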

          • huginn@feddit.it · 7 up / 2 down · 1 year ago

            If you think that IP blocking stops credential stuffing you really are out of your depth.

            Would it stop this guy if he was some skid just running Kali? Absolutely.

            But it ain't going to stop anyone more determined. Especially since you're going to let those blocks expire to avoid blocking legitimate customers. A patient opposition with minimal resources will get by that kind of naive approach.

            Not only that but you have 0 evidence they didn't IP block. They absolutely could have standard protocols in place but anything short of 2fa is inherently vulnerable.

            • Saik0@lemmy.saik0.com · 2 up / 6 down · 1 year ago

              If you want to move goalposts… Then fine. But I won't engage in that bullshit.

              It IS trivial to implement. It is literally a non-zero thing they could have implemented but chose not to. That's all I've claimed.

              Go strawman someone else.

              If you think that IP blocking stops credential stuffing you really are out of your depth.

              You can slow it way the fuck down though if you do it right. But nah, I'm out of my depth supposedly. You sound like a fucking tool.

              • akrot@lemmy.world · 4 up / 1 down · 1 year ago

                I think what he was trying to say is that implementing those strategies would deter 90% of rookies (using the kali toolkit as a service), but not the 10% who have the right technical knowledge and enough motivation to clamp down on what they want.

        • hansl@lemmy.world · 2 up / 1 down · edited · 1 year ago

          It’s a cultural thing. My dad always taught me not to share secrets, including different passwords to different people and websites.

          I don’t know if kids have internet lessons these days but it feels like that would be very useful; how to use social media, how to approach strange websites and how to recognize misinformation and look for sources online. Basically online-ed. Part of home economics I guess.

  • Hovenko@iusearchlinux.fyi · 50 up / 4 down · 1 year ago

    Well… that data was not in safe hands in the beginning, considering the fact that the whole company has very close ties to Alphabet and Google.

    • ominouslemon@lemm.ee · 39 up / 6 down · 1 year ago

      You can say whatever you like about Google invading privacy and generally spying on us, but they are probably the best tech company when it comes to security. They practically never get hacked.

      • FrostyTrichs@lemmy.world · 8 up / 2 down · 1 year ago

        Companies have to know about an attack and announce it to the public for it to exist? For all anyone knows Google is littered with backdoors and zero days and the people responsible are smart enough to siphon off the data quietly. Nothing is safe online and we need to stop pretending Google wouldn't downplay or sweep a breach under the rug to save face.

        Google shouldn't be trusted with the data we give them in the first place.

        • ominouslemon@lemm.ee · 4 up · 1 year ago

          Google shouldn't be trusted with the data we give them in the first place.

          While I agree with this, I also must say that yes, EU law literally says that you have to disclose data breaches within 72 hours or something (can't remember exactly how many). If something happened, we would probably know about it.

      • Hovenko@iusearchlinux.fyi · 7 up / 3 down · 1 year ago

        Yeah… like it matters if your data gets thrown around anyway. They sell and share it with third parties without you knowing which ones and what security practices they use. I'd rather pay for a product that includes my privacy being protected.

        • ominouslemon@lemm.ee · 3 up · 1 year ago

          Stop saying that Google and Meta etc "sell/share your data". It's just plain wrong and muddies the water and makes fighting them way more difficult. They sell access to the people from whom those data were taken, which is veeeery different.

          Data brokers sell data. Google, Meta etc do not sell data. It's their biggest asset, why would they just give it away?

            • ominouslemon@lemm.ee · 2 up · edited · 1 year ago

              You have a point there, but I meant that Google does not do that as a business. Every company must provide data to the NSA, the problem is not Google per se

              • Hovenko@iusearchlinux.fyi · 1 up · edited · 1 year ago

                Yes, you are correct, it is not only Google but all of big tech. You are missing a very important phrase here: based in the US. My point is that those big companies were very reluctant to handle that data even if it was later proven unconstitutional.
                For example, a service like Lavabit chose to close their operation rather than hand over your data. There were companies actually fighting this garbage instead of providing direct infrastructure for the NSA to come and go whenever they need something.

                But back to the original point, that with Google your data is very safe. That is not true at all. Your data is a lot safer if you choose a company which is an actual mail (or other service) provider. With this you have an actual contract that says they cannot handle your data for commercial purposes; you are the customer, not a product and part of their side hustle. That puts Google at the bottom of the list. On top of that you can pick one based in the EU and now you are protected even by GDPR, and the NSA cannot do whatever they want. Of course, if you are a shady character your data will be handed over, but in a correct manner. Nowadays secure mail providers are moving to a model where all your data is e2e encrypted and even they have no access to it, so if they get breached, the attacker has nothing. If a 3 letter agency asks for something, they will get maybe timestamps in epoch. Those are the most secure services, not Google.

    • El Barto@lemmy.world · 10 up / 4 down · 1 year ago

      Your comment implies that they get hacked all the time - which they don't.

      But I see what you're saying, since they themselves sell your data.

      • Hovenko@iusearchlinux.fyi · 3 up / 2 down · 1 year ago

        Yes, that is what I meant. Google/Alphabet are companies living off selling personal data. That is a big no no no no nooo.

  • zoe@lemm.ee · 15 up / 4 down · edited · 1 year ago

    probably because they didn't invest much in cybersec… like most companies… and they deserve it, for not hiring such essential engineers

    • Muddybulldog@mylemmy.win · 9 up / 1 down · 1 year ago

      Credential stuffing is, first and foremost, a user issue. There’s only so much you can do when people use the same password for all their different websites.

      That being said, there are some “above and beyond” steps a platform can take and most companies definitely don’t.

    • WHYAREWEALLCAPS@lemmy.world · 6 up / 1 down · 1 year ago

      Yeah, this is a decades old ongoing issue with companies. They see pretty much anything IT related as a money sink that needs to be trimmed to the bare bones while giving salespeople absurd bonuses. Then they get all surprised pikachu faced when they get hacked or hit with ransomware and their last backup was 6 months ago when they let the IT department go without warning and hired some guys from overseas to handle it remotely.

  • AutoTL;DR@lemmings.world (bot) · 9 up · 1 year ago

    This is the best summary I could come up with:

    Hackers claiming to have access to the names, photos, birth details, and ethnicities of potentially millions of 23andMe customers are peddling the information on the dark web for thousands of dollars.

    "The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials," a spokesperson for the company told Insider.

    In other words, the hackers plugged in leaked username-password combinations into 23andMe accounts in a technique known as "credential stuffing."

    One anonymous seller advertised the data on BreachForums earlier this week as containing "DNA profiles of millions, ranging from the world's top business magnates to dynasties often whispered about in conspiracy theories," and noted that each set of data also came with "corresponding email addresses," based on a repost of the ad on X.

    Based on the results of its preliminary investigation, the company believes the hackers gained access to a much smaller number of user accounts, but managed to scrape the data of several other 23andMe users through a feature called DNA Relatives.

    There may also be "hundreds of thousands of users of Chinese descent" impacted by the leak, Wired reported.

    The original article contains 570 words, the summary contains 209 words. Saved 63%. I'm a bot and I'm open source!

  • moitoi@feddit.de · 5 up / 1 down · 1 year ago

    WCGW giving your DNA to a company? Seriously, the data breach is an issue and this company has to be sued for this. But, giving your DNA to them is another one.

    • Anders@lemdro.id · 3 up · 1 year ago

      Not only your DNA, but your whole family tree's DNA. It's just wrong on so many levels.