So that's two security "experts" who might struggle to find work in the near future
Infosec experts divided over 23andMe's 'victim-blaming' stance on data breach
23andMe users' godawful password practices were supposedly to blame for the biotech company's October data disaster, according to its legal reps. Nope, the biotech firm's infrastructure management was certainly not at fault in any way when 6.9 million users had their data compromised after some 14,000 accounts were broken into …
COMMENTS
Thursday 4th January 2024 20:27 GMT Jou (Mxyzptlk)
So "forced password change policy" is back in the game?
Including the 20 previously used passwords? And they all time out at different times? And all those sites check against each other if the hash has already been used, so multi-use of a password is not possible any more? And add a technique where it is possible to check the similarity of a password without knowing the password just from the hash? (wargh, this is getting out of hand....)
Thursday 4th January 2024 21:37 GMT jmch
Re: I just never understand
"the single most unique piece of data they have"
... That they are leaving behind on every utensil and piece of cutlery they use and literally continuously discarding millions of copies a day everywhere they go...
Obtaining a specific person's DNA is trivial unless they take up some pretty paranoid security procedures
Friday 5th January 2024 16:55 GMT Arthur the cat
Re: I just never understand
I am told that more than one senior royal declines to wear hats in food factories etc to stop anyone getting a hair sample off them.
Just WTF do they think is going to be done with the sample? Clones to secretly replace them? Or is it more wanting to avoid paternity suits? For some royals the latter seems very likely.
Friday 5th January 2024 22:05 GMT Michael Wojcik
Re: I just never understand
Obtaining a specific person's DNA is trivial
If you're routinely near them, and know who they are, sure.
Obtaining the DNA for someone at a large distance, or someone only known by name and a few other pieces of information, is rather more difficult. As is obtaining DNA analysis for a large number of people.
Your objection is irrelevant to OP's point, which is that sending a sample to a bunch of charlatans in Silicon Valley, and then allowing that information to leak to all and sundry, is a rather bad idea.
Saturday 6th January 2024 15:38 GMT ProfessorLarry
Re: I just never understand
The genealogical insights are only part of the package. In my case they did not yield much of use, and worse, revealed a vast array of redneck distant cousins I would have no intention of ever having anything to do with. The health info, which is continually expanding, is useful, such as knowing whether or not you are a carrier for certain serious heritable diseases or are prone to selected health issues.
Friday 5th January 2024 10:31 GMT ragnar
The numbers don't add up
> 6.9 million users had their data compromised after some 14,000 accounts were broken into via credential stuffing
It's ridiculous to blame customers recycling credentials for this data leak and shame on the so-called security professionals for doing so.
If that was the only problem, there would only be 14,000 users with data compromised.
Friday 5th January 2024 13:48 GMT iamthatis
It seems many of the non-compromised users had signed up for a data sharing feature meaning a lot of their data was visible via the compromised accounts -
https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics
That seems to be where the millions comes from. That's what the original TechCrunch article suggested anyway.
So there may be a case for them depending on the T&Cs they agreed to when sharing with random users on the site anyway.
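To see how a few thousand broken-into accounts can expose far more profiles through an opt-in relative-sharing feature, here is an added Python model; it is not from the article, the thread or 23andMe, and the accounts, the matches and the rule that a relative is visible only when both sides opted in are constructed assumptions, not a description of the real feature.

```python
"""Blast-radius model for an opt-in relative-sharing feature (added example).

Constructed data: a few hypothetical accounts, which of them opted into
sharing, and which pairs the service matched as relatives.
"""
from collections import defaultdict

# Constructed sample (hypothetical names, not real users).
OPTED_IN = {"alice", "bob", "carol", "dave", "erin", "frank", "grace"}
MATCHES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "erin"), ("carol", "frank"), ("heidi", "grace"),
    ("heidi", "alice"),
]


def build_graph(matches):
    """Undirected adjacency list of relative matches."""
    graph = defaultdict(set)
    for a, b in matches:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def exposed_profiles(compromised, opted_in, matches):
    """Profiles readable through the compromised accounts.

    Assumed rule: a compromised account's own profile is always exposed;
    a matched relative's profile is exposed only if both the compromised
    account and the relative opted into sharing.
    """
    graph = build_graph(matches)
    exposed = set(compromised)
    for acct in compromised:
        if acct not in opted_in:
            continue  # an opted-out account sees no relatives
        exposed |= {rel for rel in graph[acct] if rel in opted_in}
    return exposed


def amplification(compromised, opted_in, matches):
    """Exposed profiles per compromised account: the feature's blast radius."""
    if not compromised:
        return 0.0
    return len(exposed_profiles(compromised, opted_in, matches)) / len(compromised)


if __name__ == "__main__":
    hit = {"alice", "heidi"}  # two accounts taken over by credential stuffing
    print(sorted(exposed_profiles(hit, OPTED_IN, MATCHES)))
    print(amplification(hit, OPTED_IN, MATCHES))
```

The same loop over a realistic match graph (tens of matches per opted-in account) is what turns thousands of account takeovers into millions of exposed profiles, which is the gap the previous comment points at.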
Sunday 7th January 2024 05:27 GMT Grinning Bandicoot
23andme correction 23and us
My passwords for mid level privacy if collected could reveal the algorithm which I use to generate these passwords. For my deep secrets I airwall BUT when Intuit demands that you pay their fee to regain access to your data does not the question become moot? To unlock MY data one must connect to Intuit after payment and allow them to allow me access. To me this indicates that the "Quicken" series of bookkeeping has within its code a door whether it's a little hatch or a barn door - it's still a door without a welcome mat. So if this gang can get in who knows what follows.
I had several possible attacks when I used one popular fitness which stopped after I quit being fit. The proliferation of devices having Bluetooth, whether wanted or not, is another weak point and I sometimes wonder if the reprogramming of the radio in the vehicle has been done that way. Viewing the spectrum through the shared WiFi and Bluetooth band in my locale it is a wonder that there is communication. But with the observed background I am sure there is at least one nefarious listener.
As far as the gene people none are forced to participate and as has been noted some interesting things are found. With me it's the pattern on the mDNA traced from Syria to clusters east of the Urals and to the Finger Lakes area of North America. Must have been very good or very bad maybe very good at bad. It also indicated that some holier than thou types had a definite ethical change.
The problems that I've had with the 23andMe MFA have been the time required for the response against the time of receiving the code. If a response is required in 10 minutes and the code is received hours later then no need for the life time service to be done. Uncooperative fleecee. Yah the creature being clipped!
Monday 8th January 2024 09:10 GMT xyz123
The maths doesn't even add up.
"hackers" broke into 14,000 accounts (logging into each one individually one by one they claim) and this 'magically' gave them a gigantic database file of 6,900,000 peoples accounts INCLUDING back-end data that can't even be accessed by users, such as database field tags, worknotes (can only be seen by 23andme staff) etc.
Their story is absolute utter bullshit that doesn't even stand up to an 8-year-olds' maths class.
Like Equifax, the management have sold their entire database illegally (and in breach of their own T&Cs) to Russia and China.
The CEO and board etc all need to be audited because "those crazy hacker kids" have set them up offshore bank accounts containing 10s of millions of dollars in unexplained wealth....
Friday 26th January 2024 19:22 GMT Bump in the night
Let me try to understand this
I'm having trouble understanding this. Am I wrong to think they WANT to be able to blame weak passwords by not imposing requirements for passwords? It smells a little too convenient and lazy.
I'm tired of the hackneyed stern admonishment to not use "weak passwords" when many places already have numerous requirements for passwords.