Infosec experts divided over 23andMe's 'victim-blaming' stance on data breach

23andMe users' godawful password practices were supposedly to blame for the biotech company's October data disaster, according to its legal reps. Nope, the biotech firm's infrastructure management was certainly not at fault in any way when 6.9 million users had their data compromised after some 14,000 accounts were broken into …

  1. This post has been deleted by its author

  2. MOH

    So that's two security "experts" who might struggle to find work in the near future

    1. Jou (Mxyzptlk) Silver badge

      Future managers!

  3. Jou (Mxyzptlk) Silver badge

    So "forced password change policy" is back in the game?

    Including the 20 previously used passwords? And they all time out at different times? And all those sites check against each other if the hash has already been used, so multi-use of a password is not possible any more? And add a technique where it is possible to check the similarity of a password without knowing the password, just from the hash? (wargh, this is getting out of hand....)

  4. IGotOut Silver badge

    I just never understand

    why people want to pay to give away the single most unique piece of data they have, to get some pseudo science saying 10 generations ago a relative managed to have sex with someone from another country.

    1. Anonymous Coward

      Re: I just never understand

      Well, one of my co-workers discovered a still-living cousin. Which was a very good outcome in her situation.

      And another one discovered her dad had been fooling around. Not so good.

      1. Anonymous Coward

        Re: I just never understand

        One of my favorite things to come out of DNA testing was the White supremacists that found they had Black relatives.

      2. Anonymous Coward

        Re: I just never understand

        Back when one did blood group typing in school & undergraduate labs at least one student discovered that their mother had perhaps not been quite as monogamous as previously thought.

    2. jmch Silver badge

      Re: I just never understand

      > the single most unique piece of data they have

      ... That they are leaving behind on every utensil and piece of cutlery they use, and literally continuously discarding millions of copies a day everywhere they go...

      Obtaining a specific person's DNA is trivial unless they take up some pretty paranoid security procedures

      1. aerogems Silver badge

        Re: I just never understand

        Fuck you! I'm living in my hermetically sealed hamster ball!

      2. cosmodrome

        Re: I just never understand

        Obtaining, yes. But obtaining millions of samples, analyzing and putting them into a database on the web? Not so much. Selling them in the dark net even less.

      3. Ian 55

        Re: I just never understand

        See the behaviour of various members of the UK's leading 'only important because of who they claim their ancestors were' family.

        I am told that more than one senior royal declines to wear hats in food factories etc to stop anyone getting a hair sample off them.

        1. Jou (Mxyzptlk) Silver badge

          Re: I just never understand

          Why are they so backward in their solution? Bring your own hats, and keep them. Or ritually destroy them after use.

        2. Arthur the cat Silver badge

          Re: I just never understand

          > I am told that more than one senior royal declines to wear hats in food factories etc to stop anyone getting a hair sample off them.

          Just WTF do they think is going to be done with the sample? Clones to secretly replace them? Or is it more wanting to avoid paternity suits? For some royals the latter seems very likely.

          1. Jou (Mxyzptlk) Silver badge

            Re: I just never understand

            > Just WTF do they think is going to be done with the sample?

            Apart to know "how related I am to them", which some want to know: Sell them as relics! A proven good scam scheme invented so long ago, it even predates the "creationist-earth-construction-date".

      4. Michael Wojcik Silver badge

        Re: I just never understand

        > Obtaining a specific person's DNA is trivial

        If you're routinely near them, and know who they are, sure.

        Obtaining the DNA for someone at a large distance, or someone only known by name and a few other pieces of information, is rather more difficult. As is obtaining DNA analysis for a large number of people.

        Your objection is irrelevant to OP's point, which is that sending a sample to a bunch of charlatans in Silicon Valley, and then allowing that information to leak to all and sundry, is a rather bad idea.

    3. ProfessorLarry

      Re: I just never understand

      The genealogical insights are only part of the package. In my case they did not yield much of use, and worse, revealed a vast array of redneck distant cousins I would have no intention of ever having anything to do with. The health info, which is continually expanding, is useful, such as knowing whether or not you are a carrier for certain serious heritable diseases or are prone to selected health issues.

  5. cosmodrome

    "infosec" PR companies

    Why would anyone with a brain even listen to "infosec PR experts"? It's not their job to prevent security breaches but to downplay the damage and white wash their customers' vests. They are *not* security experts, they're primarily PR droids.

  6. Anonymous Coward

    But, you know

    I found out I was related to a US President.

    Turned out to be Nixon.

    : (

    1. monty75

      Re: But, you know

      There's been a worse one since then

      1. Missing Semicolon Silver badge

        Re: But, you know

        The current one?

    2. Michael Wojcik Silver badge

      Re: But, you know

      I don't think there's any US president I'd want to be related to.

      I mean, I wouldn't particularly care; but I wouldn't brag about it, either.

  7. ragnar

    The numbers don't add up

    > 6.9 million users had their data compromised after some 14,000 accounts were broken into via credential stuffing

    It's ridiculous to blame customers recycling credentials for this data leak, and shame on the so-called security professionals for doing so.

    If that was the only problem, there would only be 14,000 users with data compromised.

  8. iamthatis

    It seems many of the non-compromised users had signed up for a data sharing feature meaning a lot of their data was visible via the compromised accounts -

    https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics

    That seems to be where the millions comes from. That's what the original tech crunch article suggested anyway.

    So there may be a case for them depending on the t&c's they agreed to when sharing with random users on the site anyway..

    1. Michael Wojcik Silver badge

      Yes. And while it may have been legal for 23andMe to offer the data-sharing option, it arguably wasn't ethical. It's a stupid feature.

      1. Grinning Bandicoot

        In this SOCIAL MEDIA age, where sharing of one's activities or lifestyle is the norm, why wouldn't the expectation be that DNA code is no different, when who had what type of sex is passed around? Security training is NOT a social thing. Bare your soul, bare your DNA.

  9. Anonymous Coward

    On the one hand, they have a (small) point about password reuse, BUT what do they have in place to stop single IPs from trying thousands of logins with different accounts, especially failed ones? If they were logging and properly monitoring this, it could have been prevented.
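    The monitoring this comment asks for can be illustrated with a small detector. This is an added example, not code from the article or from 23andMe: it scans constructed authentication log lines (an assumed "timestamp ip user result" format) and flags any source IP whose failed logins hit many distinct accounts inside a short window, which is the credential-stuffing pattern rather than one user mistyping a password. Thresholds are assumptions for illustration.

```python
"""Credential-stuffing detection over authentication logs (added example).

Flags a source IP that fails logins against many *distinct* usernames
inside a short window. Log format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the assumed "ts ip user result" format.
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:02 203.0.113.7 carol FAIL
2023-10-01T10:00:03 203.0.113.7 dave OK
2023-10-01T10:00:04 203.0.113.7 erin FAIL
2023-10-01T10:00:05 203.0.113.7 frank FAIL
2023-10-01T10:00:09 198.51.100.4 alice FAIL
2023-10-01T10:00:40 198.51.100.4 alice FAIL
2023-10-01T10:01:10 198.51.100.4 alice OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=5):
    """Return {ip: set of usernames} for IPs whose failed logins touched
    at least `min_users` distinct accounts within any `window`-long span.
    One account failing repeatedly (a forgetful owner, or password
    guessing against a single user) is deliberately not flagged here."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse(line)
        if result != "FAIL":
            continue                # successes do not count toward the window
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged[ip] = users
    return flagged

if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {sorted(users)}")
```

In the sample, the first IP fails against five different accounts in five seconds and is flagged, while the second IP only fails twice against one account and is not; the lone OK in the middle of the first IP's run is exactly the hit a stuffing campaign is after, so a real pipeline would also record successes that follow such a burst.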

  10. Grinning Bandicoot

    23andme correction 23and us

    My passwords for mid level privacy, if collected, could reveal the algorithm which I use to generate these passwords. For my deep secrets I airwall, BUT when Intuit demands that you pay their fee to regain access to your data, does not the question become moot? To unlock MY data one must connect to Intuit after payment and allow them to allow me access. To me this indicates that the "Quicken" series of bookkeeping has within its code a door, whether it's a little hatch or a barn door - it's still a door without a welcome mat. So if this gang can get in, who knows what follows.

    I had several possible attacks when I used one popular fitness which stopped after I quit being fit. The proliferation of devices having Bluetooth, whether wanted or not, is another weak point and I sometimes wonder if the reprogramming of the radio in the vehicle has been done that way. Viewing the spectrum through the shared WiFi and Bluetooth band in my locale it is a wonder that there is communication. But with the observed background I am sure there is at least one nefarious listener.

    As far as the gene people, none are forced to participate and, as has been noted, some interesting things are found. With me it's the pattern on the mDNA traced from Syria to clusters east of the Urals and to the Finger Lakes area of North America. Must have been very good or very bad, maybe very good at bad. It also indicated that some holier than thou types had a definite ethical change.

    The problems that I've had with the 23andMe MFA have been the time required for the response against the time of receiving the code. If a response is required in 10 minutes and the code is received hours later, then no need for the life time service to be done. Uncooperative fleecee. Yah, the creature being clipped!

  11. xyz123 Silver badge

    The maths doesn't even add up.

    "hackers" broke into 14,000 accounts (logging into each one individually, one by one, they claim) and this 'magically' gave them a gigantic database file of 6,900,000 people's accounts INCLUDING back-end data that can't even be accessed by users, such as database field tags, worknotes (can only be seen by 23andme staff) etc.

    Their story is absolute utter bullshit that doesn't even stand up to an 8yrs maths class.

    Like Equifax, the management have sold their entire database illegally (and in breach of their own T&Cs) to Russia and China.

    The CEO and board etc all need to be audited because "those crazy hacker kids" have set them up offshore bank accounts containing 10s of millions of dollars in unexplained wealth....

  12. Bump in the night

    Let me try to understand this

    I'm having trouble understanding this. Am I wrong to think they WANT to be able to blame weak passwords by not imposing requirements for passwords? It smells a little too convenient and lazy.

    I'm tired of the hackneyed stern admonishment to not use "weak passwords" when many places already have numerous requirements for passwords.
