At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it’s working to verify the data.
On one hand, it was inevitable. 23andMe is one sweet pot. We’ve always known genetic data would one day be used for nefarious purposes and consumer were warned back then to be cautious with what they were signing up for. On the other, how in the world did they not better safeguard and isolate user data? I’d expect encryption and safeguards on par with a password manager like 1Password.
The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives
I know I have the DNA relative feature enabled but I would’ve never imagined that was scrapeable and a vulnerability.
All data is scrapable. It’s just a matter of how difficult it is to scrape and whether it’s worth the effort.
Assume anything you see or input is being captured, because it almost always is, even if it’s just because WiFi can trace your physical outline, or a street camera saw you unlock your phone, or your fingerprint is can be copied from a door handle.
The only place that data is mostly still secure is literally your brain, but even then, that can be compromised with a bottle of booze.
how in the world did they not better safeguard and isolate user data?
It’s realistically impossible to 100% do this, unfortunately. 20+ year old security flaws are discovered alarmingly frequently, and once the wrong person knows about the right exploit, they can automate entire global attacks. Automated attacks make up a lot of global internet traffic.
Imagine there are physical medieval castles with moats with crocodiles and turrets and an entire defending army with ballistas… but doors randomly appear in the external walls, and bridges instantly construct over the moat, and entire sections of walls can disappear unexpectedly. When there is an infinitely replenishable enemy army attacking that castle, they’re going to get in eventually. That is what the internet is, but digitally.
Humans write code, and humans aren’t perfect, so neither is their code. And anything Humans make or do, a different human will try to destroy or exploit it, that is guaranteed. It’s a problem we’ve had for as long as we’ve been organisms.
I know I have the DNA relative feature enabled but I would’ve never imagined that was scrapeable and a vulnerability.
if it’s viewable in a browser, it can be scraped.
You can make it more annoying for scrapers, but in the end, you need to show stuff to your users, and that’s what scrapers basically emulate in the end.
And as for being a vulnerability: Finding the murderer of a cold case
From this moment forward I will be grateful that I’ve never been responsible for securely storing this kind of PII.
Please don’t let this lead to a mini genocide.
MFA all the things people…
The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.
From the article, the title is obviously overstated for effect
Yeah, that title triggered an immediate and involuntary eye roll.
Ugh. What the fuck