40 comments

[ 4.1 ms ] story [ 83.9 ms ] thread
I'm into cyber security as a hobby....and one thing has always confused me regarding these breaches.

Lots of these things are sold on the dark web and they might release snippet samples to get a buyer but my understanding is that unlike the old days of hacking....they normally don't release the entire stolen content unless they really believe in totally free data, or they have some massive gripe with the company.

Normally only those who paid get access and iirc the guy who got into the 23&me company wanted like a shitload of money for the entire dataset which was massive. I heard the entire data was somewhere between 20 and 50 terabytes but I could have wread an estimate.

so whats confusing?

you can trade Fullz on the darkweb or you can gun for the whole dataset

wholesale is cheaper than retail

the hacking economy distributes risk the same way corporations do, the person making the hack isnt the person using the hack, isnt the person selling the hacked data, isnt the person using the hacked data

How could they exfiltrate that much data without being noticed?
Centralised storage of sensitive data has to go away. We need something better.
What would you suggest? Storing data on the blockchain where costs per GB are tens of orders of magnitude higher?
No, storing multiple copies on _encrypted_ data with private keys in possession of the owners of data, not companies processing / storing it. That way you could leave those files on an HTTP server and it would be safe. The driver for centralised storage of DNA and other data is the business model based on resale of the data in raw or processed form.
Until the customer loses the key, which is essentially what happened here...
If the customer loses the key to the encrypted data, then it's useless to everyone, including bad actors.

This is not what happened here. 23&Me exercised poor security. I deal with financial data for my job, (like, transactional data, for most Americans), and I would consider that less sensitive than DNA data. We lock that transactional data up so tight it'd make your head spin. If it's data about an individual, in the wrong hands, it can do harm. If you're in the business of people's data, you cannot be stupid about protecting that data. 23&Me is (was) very much in the business of people's data, and could afford and attract the best talent to ensure the data was encrypted and protected.

They're reaping what they sowed.

They didn't require 2FA. That's the only arguably poor security I see. Is there something beyond that they should have done?
I mean that only bad thing makes so much of a difference.
Encryption at rest.
What makes you think they didn’t have that?

The bad guys obtained user passwords from breaches at other sites where some 23andMe users had accounts and had used the same email and password as their 23andMe account. They logged into those 23andMe accounts and obtained data that those accounts had access to.

Credential stuffing attacks are detectable and preventable, which is what you're describing. When detected (trivial with the right tools), you can then require users to reset their passwords for the suspected accounts (with the traditional "check your email for reset link" dance).
There are many enterprise security tools that can detect compromised accounts. These tools monitor traffic and behavior and report or actively block traffic that doesn't look "normal."

What looks "normal" depends on the org, but 23&Me knows what it is (or should, since it's a fundamental of running their business).

Just as a made up example, they may know that 85% of users don't use VPNs, and typically have an IP address that geolocates within 100 miles of their mailing address (which 23&Me has on file). Users might also typically log in very infrequently between 12-4am (localized to their IP/mailing address). And when they do log in, 90% of the time it's to see the new content you just sent a marketing email about, with short session lengths as well.

A user who logs in through an IP that geolocates well outside of their mailing address and methodically steps through every possibly thing you can click on at 3:15AM, is probably a bad actor who gained access through credential stuffing attacks.

Off the shelf tools can automatically detect all of that kind of behavior, and more. They can look at the collective traffic patterns and see a bunch of users logging in from the same pool of IPs, or the same VPN, or around the same time, or using the site in the same way as others bearing similar attributes. They can stop wide spread coordinated attacks from botnets.

The same tools can automatically detect and alert when credential stuffing attacks are happening, locking down accounts and requiring their passwords to be reset.

Given the scale at which 23&Me operated, it's impossible that they weren't aware of these tools.

Investing in the right tools is just one of many things they could have done. Even with those kinds of tools, you need to assume they're not enough (even if they are), so you encrypt everything at rest. Every decryption gets audited, and audit logs get fed into the same monitoring tools used to alert and stop abnormal behavior.

It all sounds overkill, but remember: they lost 91% of their valuation. All it took was the wrong people getting in, and it tanked their entire business.

What lock can protect people's data if the people hand the key over to the bad guy?
It works for your car keys, credit cards, phones. People who think the current system is the best system we can ever get really lacks imagination
Encrypted data still has to be decrypted in order to be presented. These “hacks” would have gotten decrypted data regardless of whether it was encrypted at rest and in flight.
Why does it matter they were going to sell it off to whoever wanted it anyway. Not like they were keeping it private
This. The 'customers' were always the product. Thanks to your naive aunt Janice they've probably got your DNA too.
Where is the wall to wall 24x7 coverage of this? I guess if it's not a company that is competing for eyeballs and clicks then it's not a big deal...
It was already extensively covered when it was new.

It probably died down because when you strip the sensationalism from the stories it comes down to this.

1. Bad guys took leaked emails and passwords that were leaked from other sites and tried them on 23andMe.

2. 14000 of those people in those leaks from other sites had 23andMe accounts and used the same email and password at 23andMe.

3. That gave the bad guys access to everything on those accounts.

4. 23andMe has an opt in feature that shows you all your relatives on 23andMe who have also opted in. "Relative" means people out to 4th cousins. Mine has 1500, although I suspect that the average is more like 700.

5. The majority of 23andMe users opt in to relative sharing. This is not surprising since finding relatives is one of the major reasons people use DNA testing services.

6. If you are on 23andMe and opted into relative sharing, and any one of your relatives who also opted in is one of the 14000 from #2, then the bad guys can see your name, geographical area, and DNA relationship to your relative from #2 on that person's relatives list.

7. That turns out to be about 7 million people.

So, 2FA would've prevented this? Crazy that 23andMe didn't have one mandatory.
That's just a great TLDR for what you this is all about.

Thanks for clearing that up.

Are there any reports of anyone actually harmed by this, or is it all tiresome righteous indignation?
How would you correlate this breach with actual harm? If somebody, say, hacks into one of your other accounts, or opens credit in your name, it's not always obvious where they got your info.
Or if a neo-Nazi firebombs your house, your cousin's house, your parents' house, and some guy who you didn't know was your uncle since he was given up for adoption, but was also Jewish. How do you correlate that to a data breach?

That's why this data breach is so dangerous. It helps fill in nearly every stepping stone for bad actors, all the way to the baddest of them, to cause harm or exploit someone.

Are you saying you'd be ok a company leaking not just your sequenced DNA (and the avalanche of things that says about you), but who you're related to, by DNA?
The company did not leak it. People reuse passwords. "Hackers" just tried passwords from earlier dumps and accessed profiles of people who reused the same password with 23&Me
As soon as a cousin or two does it the cat’s kind of out of the bag, isn’t it?

Isn’t that what all of these “I did my DNA and you’re my dad!” and “Ancestry.com cold crime DNA break” stories prove?

Wait, people give their real name and DOB when registering with 23andMe? Not blaming the victim, just pointing out that if a company doesn't need to know your real name, why give it to them?
One might ask the same of us who use our initials on hacker news.
It's crucial to include your birth year to confuse the hackers (numbers in names are really confusing, they will give up in no time)
You DNA leaked, change your DNA ASAP.
For a full DNA reset, just click the two halves of the demon core together
Some assembly required, you will need a screwdriver.
The tricky thing in the case of DNA is, if your relatives were to do a 23andMe, then they inevitably also give away large parts of your DNA. They tracked down the Golden State Killer merely by matching the DNA of a relative. It's a dilemma between one's right to privacy and another one's autonomy.