Warning: Some posts on this platform may contain adult material intended for mature audiences only. Viewer discretion is advised. By clicking ‘Continue’, you confirm that you are 18 years or older and consent to viewing explicit content.
23 and Me are technically correct in that it’s customer behaviour that caused the issue.
Maybe I don’t really understand what happened, but it sounds like 2 different things happened:
The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company’s user base, or about 7 million accounts
14k accounts were compromised due to poor passwords and password re-use -
And then they got access to 7 million accounts. Where did that 7 million account breach come from? Were those 7 million connections of the 14k or something? Because I don’t think your connections can see many in-dept details
Let’s pretend that I had an account and that you used the internal social share to share your stuff with me.
I, being an idiot, used monkey123 as my password. As a result, the bad guys got into my account. Once in my account, they had access to everything in my account, including the stuff you shared with me.
Now to get from 14,000 to 7,000,000 would mean an average of 500 shares per account. That seems unreasonable, so there must have been something like your sharing with me gives me access not just to what you shared, but to everything that others shared with you in some kind of sharing chain. That, at a minimum, is exclusively on 23andMe. There is no way any sane and competent person would have deliberately constructed things like that.
Edit: I think I goofed. It seems to be sharing with relatives as a collection, not individuals. As was pointed out, you don’t have to go very far back to find common ancestors with thousands of people, so that’s a more likely explanation than mine.
Maybe I don’t really understand what happened, but it sounds like 2 different things happened:
14k accounts were compromised due to poor passwords and password re-use -
And then they got access to 7 million accounts. Where did that 7 million account breach come from? Were those 7 million connections of the 14k or something? Because I don’t think your connections can see many in-dept details
Let’s pretend that I had an account and that you used the internal social share to share your stuff with me.
I, being an idiot, used monkey123 as my password. As a result, the bad guys got into my account. Once in my account, they had access to everything in my account, including the stuff you shared with me.
Now to get from 14,000 to 7,000,000 would mean an average of 500 shares per account. That seems unreasonable, so there must have been something like your sharing with me gives me access not just to what you shared, but to everything that others shared with you in some kind of sharing chain. That, at a minimum, is exclusively on 23andMe. There is no way any sane and competent person would have deliberately constructed things like that.
Edit: I think I goofed. It seems to be sharing with relatives as a collection, not individuals. As was pointed out, you don’t have to go very far back to find common ancestors with thousands of people, so that’s a more likely explanation than mine.