this post was submitted on 03 Jan 2024
826 points (94.0% liked)

Technology

60047 readers
2815 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 31 points 11 months ago* (last edited 11 months ago) (9 children)

A successful breach of a family member's account due to their bad security shouldn't result in the breach of my account. That's the problem.

Edit: so people stop asking, here's their docs on DNA relatives: https://customercare.23andme.com/hc/en-us/articles/212170838

Showing your genetic ancestry results makes select information available to your matches in DNA Relatives

It clearly says select information, which one could reasonably assume is protecting of your privacy. All the reports seem to imply the hackers got access to much more than just the couple fun numbers the UI shows you.

At minimum I hold them responsible for not thinking this feature through enough that it could be used for racial profiling. That's the equivalent of being searchable on Facebook but they didn't think to not make your email, location and phone number available to everyone who searches for you. I want to be discoverable by my friends and family but I'm not intending to make more than my name and picture available.

[–] givesomefucks 17 points 11 months ago* (last edited 11 months ago) (1 children)

A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem

I mean...

You volunteered to share your info with that person.

And that person reused a email/password that was compromised.

How can 23andme prevent that?

It sucks, but it's the fault of your relative that you entrusted with access to your information.

No different than if you handed them a hardcopy and they left it on the table of McDonald's .

Quick edit:

It sounds like you think your account would be compromised, that's not what happened. Only info you shared with the compromised relative becomes compromised. They don't magically get your password.

But you still choose to make it accessible to that relatives account by accepting their request to share

[–] [email protected] -2 points 11 months ago (1 children)

Could I please have your personal information?

[–] dpkonofa 6 points 11 months ago (1 children)
[–] [email protected] 1 points 11 months ago (2 children)

Ok, who else would be able to give me your personal information. I'll go get it from them instead.

[–] dpkonofa 6 points 11 months ago (1 children)

Your mom has my contact information. You can ask her.

/pwn3d.

[–] capital 2 points 11 months ago (1 children)

And that’s exactly how the attackers got in in the first place lol.

The ding dongs used the same creds elsewhere which were leaked.

[–] [email protected] 0 points 11 months ago (1 children)

Thank you for explaining the point I was making to me.

[–] capital 1 points 11 months ago

Ah I misread the thread somehow.

[–] dpkonofa 13 points 11 months ago

I doesn't. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member's account and their account getting accessed because their banking password was "Password1" or their PIN was "1234".

[–] [email protected] 13 points 11 months ago

Yep it was 14,000 that were hacked, the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe's response is what to expect since companies will never put their customers safety ahead of their profits.

[–] douglasg14b 10 points 11 months ago

So if you enabled a setting that is opt-in only that allows sharing data between accounts and you are surprised that data was shared between accounts how is that not your fault?

[–] eager_eagle 9 points 11 months ago (1 children)

afaik there was no breach of private data, only the kind of data shared to find relatives, which is opt-in and obviously not private to anyone who has seen how this service works. In other words, the only data "leaked" was the kind of data that was already shared with other 23andMe users.

[–] [email protected] -2 points 11 months ago (1 children)

Name, sex and ancestry were sold on the dark web, that's a breach of private data.

The feature that lets a hacker see 500 other people's personal information when they hack an account is obviously a massive security risk. Especially if you run a single use service - no one updates their password on a site they don't use anymore.

Launching the feature in the first place made this inevitable.

[–] eager_eagle 3 points 11 months ago* (last edited 11 months ago)

Name, sex and ancestry were sold on the dark web, that’s a breach of private data.

It would be a breach if the data was private, but the feature itself exposes this data. That would be like presenting a concert to hundreds of people then complaining your facial attributes were leaked in social media.

[–] TORFdot0 8 points 11 months ago (1 children)

You shouldn’t have shared your information with someone who is untrustworthy then. Data sharing is opt-in.

[–] [email protected] -1 points 11 months ago

Credential stuffing attacks will always yield results on a single use website because no one changes passwords on a site they don't use anymore.

Launching a feature that enables an inevitable attack to access 500 other people's info is very clearly the fault of the company who launched the feature.

[–] capital 6 points 11 months ago

How do you and the surprising number of people who upvoted you want options on websites to work?

These people opted into information sharing.

When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

Wtf?

[–] AbouBenAdhem 5 points 11 months ago* (last edited 11 months ago)

Even if you didn’t reuse a compromised password yourself, the fact that your relatives did indicates that you’re genetically predisposed to bad security practices. /s