Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • Alien Nathan Edward@lemm.ee · ↑37 ↓4 · 1 year ago

    “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe…Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

    This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account’s data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

    • assassin_aragorn@lemmy.world · ↑7 ↓2 · 1 year ago

      It’s terrible design. If they know their users are going to do this, they’re supposed to work around that. Not leave it as a vulnerability.

    • FiveMacs@lemmy.ca · ↑10 ↓6 · 1 year ago

      And it’s your fault you have access to them. Stop doing bad things and keep your information secure.

      • Alien Nathan Edward@lemm.ee · ↑5 ↓5 · 1 year ago

        You clearly have no familiarity with the principles of information security. 23andMe failed to follow a basic principle: defense in depth. The system should be designed such that compromises are limited in scope and cannot be leveraged into a greater scope. Password breaches are going to happen. They happen every day, on every system on the internet. They happen to weak passwords, reused passwords and strong passwords. They’re so common that if you don’t design your system assuming the occasional user account will be compromised then you’re completely ignoring a threat vector, which is on you as a designer. 23andMe didn’t force 2-factor auth (https://techcrunch.com/2023/11/07/23andme-ancestry-myheritage-two-factor-by-default/) and they made it so every account had access to information beyond what that account could control. These are two design decisions that enabled this attack to succeed, and then escalate.

    • asret@lemmy.zip · ↑6 ↓2 · 1 year ago

      I don’t think so. Those users had opted in to share information within a certain group. They’ve already accepted the risk of sharing info with someone who might be untrustworthy.

      Plenty of other systems do the same thing. I can share the list of games on my Steam account with my friends - the fact that a hacker might break into one of their accounts and access my data doesn’t mean that this sharing of information is broken by design.

      If you choose to share your secrets with someone, you accept the risk that they may not protect them as well as you do.

      There may be other reasons to criticise 23andMe’s security, but this isn’t a broken design.

    • Eezyville@sh.itjust.works (OP) · ↑5 ↓1 · 1 year ago

      Welp, my two gmail addresses have been pwned. Good thing I don’t use them and I have limited use of Google services.

      • drivepiler@lemmy.world · ↑7 · edited · 1 year ago

        Just to clarify: it doesn’t necessarily mean that your Google account password is compromised. It lists data breaches of services where you used the provided email to register. The password you chose for that service at the time of the breach has been compromised. If you don’t use the same password everywhere, or changed your password after the breach, your other accounts are not compromised.

        Also, as OP said, use two-factor authentication. And please also use a password manager.

        • Eezyville@sh.itjust.works (OP) · ↑2 · 1 year ago

          I understand that. I use KeePassXC and love it. I just noticed that those gmail accounts get all the spam so I abandoned them.

    • Tier 1 Build-A-Bear 🧸@lemmy.world · ↑2 · 1 year ago

      It’s saying I’ve been hacked on websites I’ve legitimately never even heard of, websites I have 100% never interacted with. Is this just a normal consequence of companies sharing all my data with other companies?

      • Alien Nathan Edward@lemm.ee · ↑1 · 1 year ago

        I can’t speak to how you ended up on the list. The way haveibeenpwned works is that they crawl publicly available credential dumps and grab the associated usernames/emails for each cred pair. However it got there, your email ended up in one of those dumps. Recommend you change your passwords, make sure you don’t repeat the same password across multiple sites and use a password manager so you don’t have to remember dozens of passwords yourself.

    • CrowAirbrush@lemmy.world · ↑12 ↓1 · 1 year ago

      I see this trend of websites requesting your identification and all I think is: I don’t even trust my own government with a copy, why the hell should I trust a business?

      Instant skip.

  • banneryear1868@lemmy.world · ↑17 ↓3 · 1 year ago

    I mean if you use the same weak password on all websites, even a strong password, it is your fault in a legitimate way. Not your fault for the fact it was leaked or found out or the company having shit security practices, but your fault for not having due diligence given the current state of online security best practices.

    • dukk@programming.dev · ↑16 ↓1 · 1 year ago

      Not your fault if you did have a strong password but your data was leaked through the sharing anyways…

  • ekis@lemmy.world · ↑14 · 1 year ago

    Well, it’s also their fault for falling for 23andMe because it’s basically a scam. The data is originally self-selected data sets, then correlating a few markers tested once, to match you to their arbitrary groups, isn’t exactly how genetics work is done.

    It’s actually cheap as, maybe cheaper, to get 50x full genome sequencing from a company that actually doesn’t sell your data; where 23andMe’s business model was running a few marker tests to appease their audience they kept in the dark about how modern genetics works; then keep the same for full genome sequencing later because that shit only gets more valuable over time.

    It’s what makes genetics weird. A sample taken 10 years ago will reveal so much more about you 5 years from now, like massively more.

  • stealth_cookies@lemmy.ca · ↑21 ↓10 · 1 year ago

    I mean, it is kinda their fault in the first place for using an optional corporate service that stores very private data of yours which could be used in malicious ways.

    • ThatWeirdGuy1001@lemmy.world · ↑17 ↓2 · 1 year ago

      Maybe there should be some type of regulation that prevents that from happening considering the average person doesn’t think of shit like that because they don’t expect to be fucked over in every conceivable way

        • ekis@lemmy.world · ↑4 · 1 year ago

          If only companies could be executed.

          Did you know they used to not be immortal by default? Like, old companies had to define a shutdown date in their articles of incorporation.

          Now they have human rights, are immortal, and use the planet like it’s a computer and they are a poorly written piece of malware.

          Hint: It’s gonna keep looping till it overheats and crashes. Might need to unplug it and plug it back in again.

      • ekis@lemmy.world · ↑2 ↓3 · 1 year ago

        No, we know where we are getting fucked from: behind usually, sometimes on top so they can choke us, and the rest is always on our knees.

  • Iron Lynx@lemmy.world · ↑8 ↓1 · 1 year ago

    That headline sounds to me like them claiming “Y’all’re a bunch of eejits for usin’ our service!”

    To which I’d say “Yeah sure, I’m certain that would hold up in court” with the biggest eye roll you could imagine

    • ekis@lemmy.world · ↑9 ↓1 · 1 year ago

      23andMe

      I never met a geneticist who couldn’t immediately recognize this company as a scam. The product wasn’t the papers they send you after doing random marker tests once (so false positives exist, and they never cared). The product is the DNA they collected by convincing people that their test was even remotely useful or insightful.

      It’s entirely based on correlation; and correlation to what? Geographic area? That makes no sense if you know one of any number of fields, and many don’t even have to be scientific in nature, or genetics.

      I have always hated them, always told people to never use them and get themselves a proper 50x full genome sequencing since it cost the same; and actually provides real, resolute and reliable data. Not just borderline pseudoscience. Might as well send in the shape of your skull.

  • Dog@lemmy.world · ↑8 ↓2 · 1 year ago

    Company involved in a data breach try not to blame customers challenge (impossible)

  • kingthrillgore@lemmy.ml · ↑5 ↓1 · 1 year ago

    Blaming your customers is definitely a strategy. It’s not a good one, but it is a strategy.

    BRB deleting my 23AndMe account

        • Rodeo@lemmy.ca · ↑2 · 1 year ago

          They’re an American company, and I’m not yet aware of any lawsuits setting the precedent of the GDPR applying to server infrastructure in the USA, which is outside the jurisdiction of the GDPR.

          So if they’ve copied your data to their American servers already (you can bet they have), it’s there for good.

      • Ignisnex@lemmy.world · ↑2 · 1 year ago

        UPDATE user_data SET deleted = 1 WHERE ID = you.

        Done. Data deleted. All gone forever. Definitely doesn’t just hide it from the user.

  • ipkpjersi@lemmy.ml · ↑6 ↓3 · edited · 1 year ago

    In a way, it kind of is their fault for trusting companies like this in the first place. I’d never consider using companies like this and both think and hope none of my family members would either.

    Obviously, the breach is the company being incompetent like many companies are when it comes to security.

    • Russ@bitforged.space · ↑7 · 1 year ago

      Unfortunately, like you said, family members can do so of their own accord, which is exactly what one of mine did, despite my warnings of such.

      It’s completely impossible for me to “un-ring” that bell now, so to speak.

    • jimbo@lemmy.world · ↑4 ↓13 · 1 year ago

      Why anyone would care is beyond me. Explain what someone’s realistically going to do with your DNA data.

      • Snapz@lemmy.world · ↑11 ↓3 · 1 year ago

        This is always the most short-sighted kind of comment on the internet. I don’t assume you’re ignorant, I assume you’re selfish - do you not see a responsibility to future generations in any of your actions, or are you just here to “get yours” and check out?

        While there are real and immediate dangers today, our responsibility in this moment is to be a firm NO so that these things don’t find their extremes in our lifetime or beyond. You’re the frog in the pot of cold water, but the burner is turned on beneath you.

        “What the fuck are you guys talking about man? being all hysterical and shit? The water is comfortable right now, even a bit cold”

        • Llewellyn@lemm.ee · ↑5 ↓2 · edited · 1 year ago

          Anyone can obtain your DNA by picking a single hair of yours or a dirty napkin. Your DNA is an open secret.

          • frezik@midwest.social · ↑4 ↓2 · edited · 1 year ago

            And there would likely be legal ramifications if they actually used that information in a way that harmed me. That’s not so clear when given up willingly.

          • Snapz@lemmy.world · ↑1 ↓1 · 1 year ago

            And anyone can hate a group of people; the difference between that hate staying small, isolated and relatively contained or not is organization and systemization - so, for example, IBM catalogues and analyzes data for the Nazis and you then get an amplification of the strength of that hatred that effectively results in the Holocaust (instead of something that would have maybe been more like Putin’s limp, flailing invasion of Ukraine).

            Yes I can pull a single hair from your head, but if I create a machine where you and 50 million of your friends send me that hair, pay me for the privilege and I then sell the data or it gets breached, that’s where we start to get into the danger zone.

            Those of you here being contrarians for the sake of it are on the wrong side of history. Learn a book, shitheads.

        • jimbo@lemmy.world · ↑2 ↓1 · edited · 1 year ago

          Do you not see a responsibility to future generations in any of your actions or are you just here to “get yours” and check out?

          Not on this matter. Simply asserting that danger exists is not the same as demonstrating it, and you’re doing a lot of asserting and zero demonstrating.

          While there are real and immediate dangers today

          Such as? You’re pretty light on details in a situation where it would really help your argument to provide examples. It makes me assume that you don’t actually know.

          our responsibility in this moment is to be a firm NO so that these things don’t find their extremes in our lifetime or beyond

          Why does that require a “firm NO”? Plenty of actually dangerous things have been handled via regulation rather than a “firm NO”.

          You’re the frog in the pot of cold water, but the burner is turned on beneath you.

          Bad news for your point: the frogs actually jump out in real life. You’ve also completely failed to demonstrate that we are frogs and there is a pot of water in this situation.

          • Snapz@lemmy.world · ↑1 ↓1 · 1 year ago

            You’re very confidently ignorant. I’m glad this is only an internet conversation and it can just full stop here - I do feel bad for the people that have to suffer you daily in real life though.

            • jimbo@lemmy.world · ↑1 ↓1 · 1 year ago

              Funny you calling me ignorant in response to a post where I asked you twice to explain more. That you resorted to insults instead of explaining your thinking says a lot more about you than it does me.

      • psud@lemmy.world · ↑6 ↓1 · 1 year ago

        The biggest worry is that the data might be right and might be used by an insurance provider to deny a person’s cover

        Though that’s not a realistic problem. The various DNA ancestry companies’ privacy policies prevent them sharing with insurance companies.

        • jimbo@lemmy.world · ↑1 · 1 year ago

          The biggest worry is that the data might be right and might be used by an insurance provider to deny a person’s coverage

          Ok, but if that’s something insurance companies want to do, they’re not going to be stopped because you didn’t send a DNA sample to 23andMe, nor are they going to have to go scrape up questionable data off the black market. They’ll simply offer people some discount for sending in a DNA sample or even make it a requirement for coverage.

      • itslilith@lemmy.blahaj.zone · ↑3 ↓1 · edited · 1 year ago

        Sell to insurance companies. Genetic predisposition towards certain illnesses? That’s a premium.

        And the insidious thing is, it’s not even just you. Any relative that does a test, boom, they know.

        • jimbo@lemmy.world · ↑1 · 1 year ago

          Sell to insurance companies. Genetic predisposition towards certain illnesses? That’s a premium.

          If that’s something that those companies were interested in doing, why wouldn’t they just require people applying for coverage to submit a DNA sample? That would be way easier, more reliable, and less shady compared to trying to piece together profiles based on data being sold on the black market.

      • ScaNtuRd@lemmy.world · ↑3 ↓1 · 1 year ago

        Explain what someone’s realistically going to do with your DNA data.

        You are obviously oblivious to how mass-surveillance works, and how much it can destroy our freedoms. Services like 23AndMe keep a database over all the DNA they have received. This database is often shared with governments, and can be used to create relationship maps - who is what to whom. This information can be and is being weaponized against us on a daily basis.

        • jimbo@lemmy.world · ↑1 · edited · 1 year ago

          You are obviously oblivious to how mass-surveillance works, and how much it can destroy our freedoms.

          I’m pretty sure they’re currently doing the mass surveillance thing just fine without DNA data. I’m not sure how DNA would even factor into mass surveillance. I’m open to considering realistic scenarios.

          Services like 23AndMe keep a database over all the DNA they have received.

          Yes, it’s how they provide the service.

          This database is often shared with governments, and can be used to create relationship maps - who is what to whom.

          What’s your evidence for this claim?

          This information can be and is being weaponized against us on a daily basis.

          How? By who? What’s your evidence?

          I’m betting you have no evidence and will simply appeal to some instance where some company sold some data to the government in a situation that isn’t at all analogous.

          • ScaNtuRd@lemmy.world · ↑1 ↓1 · 1 year ago

            The evidence is literally publicly available. It takes mere seconds to find court records and articles online. But it is just easier for you to sit there and scream “what is your evidence?” like some headless chicken, right?

            • jimbo@lemmy.world · ↑1 · 1 year ago

              I’m not going to try and guess what you think the evidence is. If it’s as readily available as you claim, it should be trivial for you to go find it and show me. The fact that you haven’t yet is telling about how honest you’re actually being.

      • wildginger@lemmy.myserv.one · ↑3 ↓1 · 1 year ago

        If I am an insurance company, and I have data that says you are carrying a gene that is correlated with colon cancer, I can either raise the fuck out of your rates because you’re a risky client who might cost me a lot of money in colon cancer treatments, or when you do get colon cancer I could refuse to cover it because I have a contract clause you didn’t read that says if you’re genetically correlated that’s functionally a pre-existing condition and thus isn’t a part of your coverage.

        If I am a med company, and I know what your genes correlate with known treatable genetic diseases that become fatal or more serious to people like you with those genes, I can raise the price of your medication. You have to pay, because you will die if you don’t, so I can ask for any price.

        If I am a Texas politician, who is already threatening hospitals across the nation illegally for your private medical data, I am salivating trying to get your DNA. Correlate any gene, or suite of genes, with a population of people you do not like, and you can target them through this. “Prove” a genetic superiority to defend and promote eugenic ideals, while targeting your racial scapegoat at a genetic level. Look like one race? Well, your blood says you’re not pure, so you’re next too.

        These are only the obvious problems.

        • jimbo@lemmy.world · ↑2 · edited · 1 year ago

          If I am an insurance company, and I have data that says you are carrying a gene that is correlated with colon cancer…

          You think an insurance company would leave money on the table if they thought your DNA could save them a few bucks? They’d either offer discounts to people for submitting DNA samples or require DNA samples as a condition of coverage.

          If I am a med company, and I know what your genes correlate with known treatable genetic diseases …

          Med companies don’t need your DNA to know that they can charge more for life-saving medication. They just need you to know that you have a particular condition and then make sure you know about their medication. If the disease in question is fatal, like your example, it actually seems like a win for the person in question that there’s a cure for their condition.

          If I am a Texas politician, who is already threatening hospitals across the nation illegally for your private medical data, I am salivating trying to get your DNA…

          Ah yes, the Texas politician who is going to let the lack of DNA data stand in the way of his eugenic designs. Okay. Totally realistic.

          • wildginger@lemmy.myserv.one · ↑1 · 1 year ago

            The insurance company doesn’t want or need to give you discounts. They are buying this data from companies like 23andMe, after the professionals have indexed and prorated it. Telling the customer risks scandal, and buying from you means they need to process it in house. This back-door pre-analyzed data sharing keeps you in the dark, and your money in their pocket.

            Med companies do not use this to develop the medication, they use it to change the price of existing meds based on your need. Diseases and disorders are not equally lethal. They are buying this data to get the information on how badly you need the drug, and alter the price accordingly.

            They aren’t going to let anything stand in the way of their plans, they are already illegally collecting this information. More data makes this easier for them.

    • douglasg14b@lemmy.world · ↑2 · 1 year ago

      They do now. But before this they would prompt users to activate it, but it was the user’s choice not to.

      This is, largely, the norm for nearly every online service.