• MrCookieRespect@reddthat.com · 1 upvote · 5 months ago

    Bro the data wasn’t breached, someone just took already available passwords and tried them. It is their fault for using the same password everywhere.

    And I'm not defending the company here, fuck 'em, but that's definitely not on them.

    • tiramichu@lemm.ee · 2 upvotes · 5 months ago

      23 and Me are technically correct in that it’s customer behaviour that caused the issue. People reused passwords and didn’t use MFA.

      They can claim the moral high ground if they like and shift the blame, but the truth is that regardless of WHY the breach happened, it was still a breach and it still happened!

      As a software engineer, I believe there’s a real argument to be made here that 23 and Me were negligent in their approach. Given the personal nature of data stored they should have enforced MFA from the start, but they did not. They made an explicit decision to choose customer convenience above customer security.

      The argument that customers should have made better security decisions is evasive bullshit.

      As a software engineer you cannot trust customers to take correct decisions about security. And customers should not be expected to either - they are not the experts! It’s the job of IT professionals to ensure that data has an appropriate level of protection so that it is safeguarded even against naive user behaviour.

      • RonSijm@programming.dev · 0 upvotes · 5 months ago

        > 23 and Me are technically correct in that it’s customer behaviour that caused the issue.

        Maybe I don’t really understand what happened, but it sounds like 2 different things happened:

        > The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company’s user base, or about 7 million accounts

        14k accounts were compromised due to poor passwords and password re-use -

        And then they got access to 7 million accounts. Where did that 7 million account breach come from? Were those 7 million connections of the 14k or something? Because I don’t think your connections can see many in-depth details

        • jadero@programming.dev · 1 upvote · 5 months ago

          Let’s pretend that I had an account and that you used the internal social share to share your stuff with me.

          I, being an idiot, used monkey123 as my password. As a result, the bad guys got into my account. Once in my account, they had access to everything in my account, including the stuff you shared with me.

          Now to get from 14,000 to 7,000,000 would mean an average of 500 shares per account. That seems unreasonable, so there must have been something like your sharing with me gives me access not just to what you shared, but to everything that others shared with you in some kind of sharing chain. That, at a minimum, is exclusively on 23andMe. There is no way any sane and competent person would have deliberately constructed things like that.

          Edit: I think I goofed. It seems to be sharing with relatives as a collection, not individuals. As was pointed out, you don’t have to go very far back to find common ancestors with thousands of people, so that’s a more likely explanation than mine.
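The reach arithmetic in the comment above, as an added toy model (my own code, not the commenter's and not 23andMe's actual data model; every number in it is constructed): it compares how many profiles a takeover of a handful of accounts can read when each account sees only its own matches, versus the "sharing chain" reading where what your matches can see, you can see too.

```python
# Toy blast-radius model for credential stuffing against accounts that can
# see other users' data. Constructed numbers, not 23andMe's real figures.
import random


def build_visibility(n_users, matches_per_user, rng):
    """Constructed 'relatives' graph: each user is matched with a few random
    others; a match is visible from both sides, as a relative match would be."""
    visible = [set() for _ in range(n_users)]
    for u in range(n_users):
        for v in rng.sample(range(n_users), matches_per_user):
            if v != u:
                visible[u].add(v)
                visible[v].add(u)
    return visible


def exposed_profiles(visible, compromised, transitive=False):
    """Profiles readable after the `compromised` accounts are taken over.

    transitive=False: the attacker sees only what each stolen account is
    itself authorized to see (the 'relatives as a collection' reading).
    transitive=True:  the 'sharing chain' reading, where what your matches
    can see, you can see too; reach then spreads across the whole graph."""
    exposed = set(compromised)
    frontier = list(compromised)
    while frontier:
        u = frontier.pop()
        for v in visible[u]:
            if v not in exposed:
                exposed.add(v)
                if transitive:
                    frontier.append(v)
    return exposed


def simulate(n_users=20000, matches_per_user=50, n_compromised=100, seed=1):
    """Return (direct, chained) exposure counts for one constructed run."""
    rng = random.Random(seed)
    visible = build_visibility(n_users, matches_per_user, rng)
    compromised = set(rng.sample(range(n_users), n_compromised))
    return (len(exposed_profiles(visible, compromised)),
            len(exposed_profiles(visible, compromised, transitive=True)))


if __name__ == "__main__":
    direct, chained = simulate()
    # Each user sees roughly 2 * matches_per_user profiles (own matches plus
    # incoming ones), so direct reach is bounded by about 100 * 100 here.
    print(f"direct: {direct} profiles exposed from 100 stolen accounts")
    print(f"chained: {chained} of 20000 profiles exposed")
```

The direct figure is bounded by what the stolen accounts were individually authorized to see, which is why the per-account visibility design, not just the password quality, sets the size of a credential-stuffing incident.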