Guess the company: Takes your DNA, blames you when criminals steal it, can’t spot a cyberattack for 5 months

Biotech and DNA-collection biz 23andMe, the one that blamed its own customers for the October mega-breach, just admitted it failed to detect any malicious activity for the entire five months attackers were breaking into user accounts. In a collection of data breach notifications filed with California's attorney general Rob …

  1. Anonymous Coward

    Reddit??

    Hold on, you're a cybercriminal who's just stolen a load of data, and instead of going to some Tor-embedded Dark Web site, you advertise it for sale on Reddit, a site which can be assumed to cooperate with authorities? Even if *you've* managed to sign up to Reddit using a completely untrackable email address and always browse via Tor with no exception, Reddit admins should still have no trouble tracking who reads and interacts with your post before they take it down.

    1. TimMaher Silver badge

      Re: Reddit??

      The article doesn’t say it was for sale on Reddit, it was referenced.

      Probably some typical Reddit user has also used 23 and had a previously compromised credential that they continued to use.

      Seems to fit the bill.

  2. Omnipresent Silver badge

    I got a good idea!

    Let's all send our DNA to the internet! It's brilliant. Nobody will care, they are not after you anyway.

    Also, don't worry about that twitter/russia connection.

    1. Anonymous Coward

      Re: I got a good idea!

      Despite the obvious problems with it, if you are interested in tracing your family tree using DNA then that's just what you have to do. I've done it on three sites (ancestry, myheritage and gedmatch) and I've confirmed some connections, and found some new ones as a result. And one or two scandals, like a second cousin finding her father, wasn't. Once you've exhausted regular genealogical records, it's the next thing to try.

      However I've also anonymised myself and my parents in any ancestral data I've uploaded. I appreciate that if someone hacks in and downloads it this won't help - they're probably going to get my email address as well, but it's not like they can do much with the DNA data - it's a sequence of markers. The risks are that someone who has pinched my DNA somehow gets hold of my DNA from something I've touched, and can identify me - I think I can live with that one - or that a suitably motivated scientist could clone me, which I'm alright with too. Obviously the world would be a better place with more of me in it.

      1. veti Silver badge

        Re: I got a good idea!

        I would think the risk is that they learn the same things you've learnt about your connections, and use that information to spearphish you.

        1. Omnipresent Silver badge

          Re: I got a good idea!

          All you have to do is say it out loud. Say it with me...

          "I am going to send my dna off to people I do not know, to decode my DNA, who will then store my entire identity and family history on the internet, in a place I do not know."

          Does that SOUND like a good idea?

          1. Anonymous Coward

            Re: I got a good idea!

            Same AC as above. You say “entire family history” like it’s a secret, but you’re missing the point that I genuinely want to find connections and the way to do so is to share it. Not my details or my parents, but grandparents or more? These people are long dead and it’s a matter of public record. Sure! As for “my entire identity”, that’s hyperbole. This isn’t Gattaca. DNA is useless for anything other than matching to other DNA tests.

            1. anonymous boring coward Silver badge

              Re: I got a good idea!

              "DNA is useless for anything other than matching to other DNA tests."

              No it's not. Insurers want to know if you and others are a bad risk, for example.

              1. Michael Wojcik Silver badge

                Re: I got a good idea!

                And ancestry.com, which AC also mentioned, is owned by the LDS, who collect huge amounts of genealogical and other information. I'd rather not contribute to that, myself. Not that I think LDS are any worse than 23andMe (I know LDS's motives, at least, and while I think they're crazy, at least they're the devil I know); I just don't want to make that particular data-collection situation any worse.

                I'm not interested in "tracing my family" at the cost of handing Yet More PII to unscrupulous and untrustworthy operators.

        2. Anonymous Coward

          Re: I got a good idea!

          No, that was the TransUnion breach, where they used your bank, credit, purchasing, and reporting data to phish people.

      2. Anonymous Coward

        Re: I got a good idea!

        And one or two scandals, like a second cousin finding her father, wasn't.

        "Never upload to the internet anything you wouldn't want your grandmother to see", yet some people never learn.

        1. Anonymous Coward

          Re: I got a good idea!

          Well if it turns out she’s not your grandmother, you’re kind of off the hook then aren’t you?

      3. Anonymous Coward

        Re: I got a good idea!

        They don't sequence and store the *whole* genome, just the "interesting" bits for identity purposes. That wouldn't yield enough data to clone you. Unless of course they're secretly sequencing more of it than they're letting on!

        1. Anonymous Coward

          Re: I got a good idea!

          A new and improved Mr Trump?

          1. anonymous boring coward Silver badge

            Re: I got a good idea!

            Why? Just why?

            More narcissistic? More stupid? More criminal?

          2. James Hughes 1

            Re: I got a good idea!

            Some sort of single-celled organism?

      4. Phones Sheridan

        Re: I got a good idea!

        Have a search around this site and you’ll find articles going back almost 2 decades that quote database owners as saying they have enough data stored to identify your father's surname from any DNA sample uploaded. Think about it, surnames tend not to be changed in the west, father to son. If you have the same surname as your long dead grandparent, you’re identifiable and probably already have been linked.

        If your based in the uk, you can use services such as the 192.com website to trawl electoral register records going back decades. Tracking people in that is incredibly easy. If you are registered to vote or you pay council tax, you’re identifiable.

        1. anonymous boring coward Silver badge

          Re: I got a good idea!

          And?

          You want more of that, and preferably in the hands of criminals?

          Also, it's "you're" when you mean "you are".

  3. Doctor Syntax Silver badge

    Let me guess: they use the email address as userID. This would almost invariably be the same email address their customers use on many other sites so as soon as one of those sites is compromised the full login credentials become available. While 23andme - and any other company - can't stop their customers reusing passwords* they can stop them reusing login IDs by the simple expedient of issuing their own, non-email, IDs. There's no need to go to 2FA. The only reason that that's industry standard is because email as userID is also industry standard.

    * Actually there is something they can do. They can check any ID/password combination they find against haveibeenpwned, reject them and advise their customers to reset all their other passwords. They could also monitor haveibeenpwned for additions which match their own customers' credentials and force a password reset on any that match.
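The haveibeenpwned check Doctor Syntax describes can be done for the password half without the password ever leaving the site, via the Pwned Passwords k-anonymity range API. This is an added example, not code from 23andMe or from any commenter: the live fetcher targets the real endpoint, while the sample response body and its breach count are constructed so the demo runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_body(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            table[suffix.upper()] = int(count)
    return table

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = never seen).
    Only the first five hex chars of its SHA-1 leave this host; the full
    hash is compared locally against the returned suffixes (k-anonymity)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Fetcher for the real service; the offline demo below does not call it."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "example-signup-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for one range response: the genuine SHA-1
# suffix of "password" (with a made-up count) between two invented entries.
_PW_DIGEST = sha1_hex("password")
SAMPLE_BODY = "\n".join([
    "00C7B5E7A1D6B4D3B0F5B6E6A1B2C3D4E5F:2",
    _PW_DIGEST[5:] + ":3861493",
    "FFD0E1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C:1",
])

def fake_fetch_range(prefix: str) -> str:
    return SAMPLE_BODY if prefix == _PW_DIGEST[:5] else ""

def check_new_password(password: str, fetch_range=fake_fetch_range) -> str:
    """Policy hook for signup or password change: reject anything in the corpus."""
    n = pwned_count(password, fetch_range)
    return f"reject: seen {n} times in breach corpora" if n else "accept"
```

Passing `fetch_range_live` instead of the fake fetcher runs the same policy against the real service.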

    1. doublelayer Silver badge

      If you do that, then users now have to remember their username. Either they get to set it themselves, in which case they'll pick one reasonably unique one and use it everywhere, or they all get assigned one by the service that makes no sense and they don't bother to remember it. In the latter case, you will have to include mechanisms to recover usernames which are not supposed to be secret information in the first place. You might as well just issue the user a password you generate if you're willing to go to that extent. On the bright side, it makes password stuffing difficult.

      1. Doctor Syntax Silver badge

        It's the old trade-off between convenience and security. In reality, of course, it's more a matter of trading short-term inconvenience for considerably worse long-term inconvenience.

        The best simple solution for the individual is to at least use a password manager to generate per-site complex passwords. Even better is to double it up with generating individual email addresses for each site as well. If the sites won't protect you against password-stuffing you just have to protect yourself.

        1. doublelayer Silver badge

          Exactly. If users deliberately use the same password for lots of services, there's little a service can do to prevent those credentials from being accepted. In my opinion, any safeguards should come after that point, for example asking for additional verification when unfamiliar IP addresses are used, but that comes with tradeoffs, such as including the IP addresses users have used in the past. This service sounds like it could have done some useful things, such as offering MFA, but I doubt that the kind of person who would simply reuse a password would be the type to enable it. I don't think issuing a username will help very much in this situation.

          1. Cav

            Absolutely! I belong to a number of genealogy sites and there are endless people complaining that they don't want to have to use MFA, even after the 23 and Me issue.

  4. thx1111

    On the other hand ...

    On the other hand, all of these righteous people, horrified by this 23andMe data breach, also appear to be sadly clueless about just how much "family history and relationship" data can always be assembled through reference to *public* data sources, including census, marriage, birth, death, church, and court records. And, why, exactly, should anyone care? Alternatively, *all* public records could, instead, be "sealed", and everyone could join into a cult of ignorance and pretense.

    Not that 23andMe could not have been more pro-active with security. But there's a lesson there for everyone.

    1. veti Silver badge

      Re: On the other hand ...

      Most of that data isn't online, much of it isn't even centrally filed anywhere. And the quality is highly variable. For instance, it's not unusual for people to use different names, or variants of names at different times in their life. And you wouldn't believe how many records have been lost or destroyed outright over the years.

      Assembling a coherent story from such sources involves either a lot of guesswork or a lot of homework. Or both.

      1. Gene Cash Silver badge

        Re: On the other hand ...

        > For instance, it's not unusual for people to use different names, or variants of names at different times in their life

        Entire families change their names when they immigrate, or a war happens and their old name is too German or something, or they don't like the old way it's spelled. There are entire genealogy communities devoted to tracking such stuff. Yes, they do their homework. It's basically what they do with their spare time.

        > Most of that data isn't online

        Wrong. A LOT of it is online. There's the official census to start with, military records, other official archives, findagrave, newspaper obituaries, various announcements of life events such as promotions, the marriage, birth, death, church, and court records mentioned above, etc are online.

        And as per the first part, there's a lot of people going through old microfilms and other offline archives and putting them online. You can buy info like the entire Florida driver's license database on a CD and put that online.

      2. Doctor Syntax Silver badge

        Re: On the other hand ...

        "Most of that data isn't online, much of it isn't even centrally filed anywhere"

        The world's rather a big place to file everything in one place but central filing of census, and BMD (births, marriages and deaths) has been instituted in many countries since the C19th.

        In England and Wales, for instance, that has been done since the middle of 1837. There are crowd-sourced indexes at freebmd.org.uk. To make real progress may require purchase of birth & marriage certificates (you can click through from freebmd to the registry's online ordering site) although it's surprising what progress can be made just with such indexes and images of the census returns (useful records start in 1841 for E&W). These would require one of the subscription services, Ancestry or FindMyPast but again quite a lot can be achieved with the free service of familysearch.org (apart from freebmd these sites cover world-wide sources).

        Prior to civil registration in any given jurisdiction you would usually need to rely on religious records such as baptisms and burial registers in place of birth and death records. These are not necessarily centrally filed although bishops' transcripts supposedly exist for the Church of England but not as complete as one would like. However local societies and individual genealogists have been transcribing and publishing these since the late C19th and a great deal of these publications can be found on archive.org and, of course, have also been transcribed by the sites I mentioned in the previous paragraph.

        I have no experience with other jurisdictions except Ireland and the experience there is frustration due to the destruction of the registries in a fire in 1922. I've found it difficult to get any of my wife's lines back beyond the early C19th and one individual has proved extremely difficult.

        And, of course, the occasional bastard will prove as difficult in genealogy as they do in management.

  5. Anonymous Coward

    Your risk may vary

    Genealogy is one of my hobbies. I’ve found a number of long-forgotten relatives and connections. It is equal parts addictive and fascinating.

    Submitting one’s DNA sounds like a risk, after all it’s highly personal. However, being retired, self-funded and not beholden to any insurance companies, its exposure would have very little impact.

    Tread your own path though.

    1. Andy Non Silver badge

      Re: Your risk may vary

      If you do have any doubts, it may be advisable to change your password and your DNA. ;-)

    2. Pu02

      what about your relatives?

      Once your data is used to cross reference you to others, an extraordinarily wide range of data points can be related, and used to target anyone that is now connected to the data collated across the whole group of individuals. Esp. with 2nd and third degree data like contact lists, device and account fingerprints, commercial connections, etc.

      Only those skilled in 'The Arts' can assess the risk you think you've calculated (to be negligible enough for your own comfort)

  6. cNova

    I predict in a decade or two big corporations will be able to put DNA datafiles in 3D printers and print out copies of people, but as they'll promise to use the technology responsibly, lawmakers and everyone else will be cool with it.

    1. Anonymous Coward

      Imagine the ink cartridge prices!

      1. John Brown (no body) Silver badge

        $6,000,000 per "print"?

        Anyone not getting that reference is too young :-)

    2. Cav

      Nonsense. Beneficial genetic modification in humans is very tightly restricted and has been for years. Creating new clones of people will not be acceptable, even if the technology you mention was even possible, in decades.

  7. wimton@yahoo.com

    The headline "Takes your DNA" is a bit inaccurate. The DNA was given voluntarily to 23andme, the donors even paid for it.

  8. Cav

    The company rightly blamed the "victims". Don't reuse email addresses and passwords.

    I'm ancient and even I know how to set up mail forwarding from throwaway email accounts used for different services. Many of my throwaways forward to other throwaways before reaching my real email account. No one deserves to have their data stolen but if they are foolish enough to reuse their user names and passwords then they really only have themselves to blame. Use unique credentials for each service.

    5 months to spot a cyber attack. It wasn't a cyber attack that can readily be spotted. It used the valid credentials of users who stupidly reused passwords from other breached sites. How would you differentiate between a legitimate user logging in and someone else using their account? Once logged in, the criminals then accessed information that others had willingly shared with the wrongly usurped account.

    23 and Me could have used IP address checking and mandated MFA but customers don't want that. Even after their accounts were accessed many are still complaining about the potential enforcement of such inconveniences.
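doublelayer's point about "additional verification when unfamiliar IP addresses are used" and Cav's question of how to tell a legitimate login from someone replaying a reused password both come down to what the authentication log looks like in aggregate rather than per request. This is an added example, not code from 23andMe or any commenter, run over a constructed log: one source trying many distinct accounts with mostly failures is the stuffing signature, and a successful login from an IP the account has never used before is the case to challenge with a step-up rather than block outright.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of authentication events ("time ip account result");
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
2023-05-01T10:00:01 198.51.100.7 alice ok
2023-05-01T10:00:05 203.0.113.9 bob fail
2023-05-01T10:00:06 203.0.113.9 carol fail
2023-05-01T10:00:07 203.0.113.9 dave ok
2023-05-01T10:00:08 203.0.113.9 erin fail
2023-05-01T10:00:09 203.0.113.9 frank fail
2023-05-01T10:00:10 203.0.113.9 grace ok
2023-05-01T10:00:11 203.0.113.9 heidi fail
2023-05-01T11:00:00 198.51.100.22 bob ok
"""
# Constructed history of IPs each account has successfully used before.
KNOWN_IPS: Dict[str, Set[str]] = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.22"}}

Event = Tuple[str, str, bool]  # (source ip, account, login succeeded)

def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            _time, ip, account, result = line.split()
            events.append((ip, account, result == "ok"))
    return events

def stuffing_sources(events: List[Event], min_accounts: int = 5,
                     min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that try many distinct accounts with a high failure
    rate: replaying leaked email/password pairs touches many accounts and
    mostly fails, while a real user logs into one or two accounts."""
    tried: Dict[str, Set[str]] = defaultdict(set)
    results: Dict[str, List[bool]] = defaultdict(list)
    entered: Dict[str, Set[str]] = defaultdict(set)
    for ip, account, ok in events:
        tried[ip].add(account)
        results[ip].append(ok)
        if ok:
            entered[ip].add(account)
    flagged = {}
    for ip, accounts in tried.items():
        ratio = results[ip].count(False) / len(results[ip])
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(accounts), "fail_ratio": round(ratio, 2),
                           "accounts_entered": sorted(entered[ip])}
    return flagged

def step_up_needed(events: List[Event], known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Successful logins from an IP the account has never used before: the
    ones to challenge with extra verification rather than block outright."""
    return [(account, ip) for ip, account, ok in events
            if ok and ip not in known.get(account, set())]
```

The accounts listed under `accounts_entered` for a flagged source are the ones that were actually opened with a reused password and need a forced reset, not just the failed attempts.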
