23andMe Blames Users for Recent Data Breach as It’s Hit With Dozens of Lawsuits: Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.
The real issue was the DNA Relatives feature, which allowed information to be shared with other users in the platform. From this TechCrunch article
There are 6.9 million people who could have been using 2FA and unique passwords, and their personal information was scraped just because of 14k accounts which were reusing passwords.
This data of 6.9M users was not private anyway after these users opted into the program. It’s really not a leak.
Agreed, although name and nationality isn’t really private information to begin with. Just based on the numbers, it seems like it was sharing the information too broadly, probably to 4th cousins twice removed. When users opted in to this feature, the intent was for distant relatives to be able to connect, not to show up on a list of Eastern European Jews to be shared on 4chan.
If I give my credit card to my sister, and she drops it, that’s not MasterCard’s fault. If they were very concerned, they should’ve made sure their relatives were trustworthy.
I’d say it’s more like you gave your mom your SSN (or similar private information) because she said she needed it for her will or something. When you gave it to her she mumbled she’d share it with your sister too. You weren’t really paying attention and just went “yuh huh” when you probably should have told her not to. Your sister uses one key for everything and a burglar got a copy of that key from an earlier burglary. The burglar eventually used the key to rob her and took your SSN, which he’s now selling.
Mom=23andme
Sister=relative
“yuh huh”=not disabling “DNA Relatives” sharing feature
There are some pretty basic things you can do to stop brute force attacks, like putting a limit on failed login attempts, which 23andme did not have. The issue is that those accounts almost certainly had multiple failed login attempts from places that should have flagged the login.
You ask what a security system is supposed to do when provided with the correct login. That is just the beginning of basic security. If someone consistently logs in from an IP address in one region and then all of a sudden has a couple failed logins from Russia and also one successful one from there, would you say a good security system shouldn’t flag that? If a bank allowed your debit card to be used in a country you have never been to before when you seem to have just used it where you normally do, would you be fine with them not freezing your card?
As for MFA, last I checked, they still did not require it. It was recommended but not required.
And let’s not forget that they changed the terms of service so you could not sue over shit like this in the future. You had 60 days to reject the new terms of service which you did by sending an email. The email address in the emailed instructions was different than the one in the legal document that was attached.
My understanding is that the failed logins were properly locked out like you describe. Passwords were leaked from other sites, so it was people reusing passwords that allowed the breach into 23andMe. Sounds like the users’ fault to me.
The guy said brute force but meant credential stuffing.
Basically using an army of remote compromised devices to try known username/password combinations. If they used the same email and password that was found in another compromise, then their account would successfully be logged in on the first try from a unique IP each time.
I’m downvoting you even though I believe the users are negligent and partially to blame here. However, does the site not lock login attempts after the first 10 login attempts or something? At this point, something as sensitive as ancestry and health information should require MFA; at the bare minimum, a phone-number 2FA would help a bit.
Not sure of this specific case, but typical brute force attacks are done locally on the database that was acquired from the breach, not on the site itself. This way lockouts aren’t an issue.
In this case it was a credential stuffing attack against the live login form on the website based on the information released.
I get asked to prove I’m making a legit login attempt all the time because it’s from a new IP address. 23andMe could have implemented something similar, and given the sensitive nature of the data they host and given how we all know that people can’t be trusted to have good password hygiene, I think they should have been required to do so.
IMO this whole thing is just more proof that we need better regulation around how companies treat users’ private information.
You can’t spoof your IP address because of the TCP handshake. You could proxy your traffic to appear to be coming from a different IP address than the computers making the requests. This would still be identified as suspicious because the proxy IP address would differ from an IP address a user had logged in from before.
Even if the “hackers” knew every user’s IP address, they would not be able to establish a connection with it appearing from an IP address that didn’t really initiate the traffic.
Perhaps a better question would be to ask why they are allowing 14k separate logins from (what was probably) the same IP address? If you ask any big email provider, they will tell you they immediately shut down any access from that IP due to suspicious behavior, while simultaneously resetting the passwords of all the accounts that appear to be compromised. Typically you should have records of the IPs used for previous logins so it’s fairly simple to compare records having suspicious activity and see if the accounts in question had any previous relationships with each other. And once you have that information on hand you can use it to monitor the compromised accounts for any further login attempts by unknown IPs and then block THOSE addresses as well.
When you have that many active user accounts, you do not just settle for simply accepting the correct credentials.
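The checks described in this thread (per-account failed-attempt lockout, successful logins from an IP the account has never used, and many distinct accounts succeeding from a single source IP, the credential-stuffing signature) as an added example run over a constructed login log. This is illustrative code written for this page, not anything from 23andMe; the event format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (timestamp, user, source IP, outcome).
# The last five rows mimic a stuffing run: one IP succeeding against several accounts.
EVENTS = [
    ("2023-10-01T08:00", "alice", "203.0.113.10", "ok"),
    ("2023-10-01T08:05", "bob",   "198.51.100.7", "ok"),
    ("2023-10-02T03:10", "alice", "192.0.2.44",   "fail"),
    ("2023-10-02T03:10", "alice", "192.0.2.44",   "fail"),
    ("2023-10-02T03:11", "alice", "192.0.2.44",   "ok"),
    ("2023-10-02T03:12", "bob",   "192.0.2.44",   "ok"),
    ("2023-10-02T03:12", "carol", "192.0.2.44",   "ok"),
    ("2023-10-02T03:13", "dave",  "192.0.2.44",   "ok"),
]

FAIL_LOCKOUT = 5        # assumed: consecutive failures per account before lockout
STUFFING_ACCOUNTS = 3   # assumed: distinct accounts succeeding from one IP -> alert

def analyze(events, fail_lockout=FAIL_LOCKOUT, stuffing_accounts=STUFFING_ACCOUNTS):
    """Replay login events in order; return (alerts, locked_accounts).
    Each alert is (timestamp, user, ip, reason)."""
    known_ips = defaultdict(set)   # user -> IPs with a prior successful login
    fails = defaultdict(int)       # user -> consecutive failed attempts
    ok_by_ip = defaultdict(set)    # source IP -> accounts it logged into
    alerts, locked = [], set()
    for ts, user, ip, outcome in events:
        if user in locked:
            alerts.append((ts, user, ip, "attempt on locked account"))
            continue
        if outcome == "fail":
            fails[user] += 1
            if fails[user] >= fail_lockout:
                locked.add(user)
                alerts.append((ts, user, ip, "lockout"))
            continue
        # Successful login: reset the failure counter, then apply the IP checks.
        fails[user] = 0
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append((ts, user, ip, "success from never-seen IP"))
        known_ips[user].add(ip)
        ok_by_ip[ip].add(user)
        if len(ok_by_ip[ip]) == stuffing_accounts:
            alerts.append((ts, user, ip, "many accounts from one IP: credential stuffing?"))
    return alerts, locked

if __name__ == "__main__":
    for alert in analyze(EVENTS)[0]:
        print(*alert)
```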
Yes I am, as I’m sure you are aware that IP spoofing is pretty much only relevant where you are sending outgoing packets (like in a DDoS attack) and do not expect to receive any information back. If you need two-way communication over TCP, spoofing doesn’t work because the returned information naturally gets routed back to the host of the real IP and not to the spoofed address. Obviously these attackers received some information back.
Right, and what about the people who didn’t reuse passwords whose information was stolen?
Just fuck them?
Did you think about this at all before you typed out that ridiculous comment?
You can also monitor your system for known compromised credentials and expire them. Not foolproof, but it catches the low hanging fruit.
I’m gonna go with not give that user access to millions of other users’ personal information…
I get your point and agree, but having a valid login shouldn’t provide that kind of access.
What? Unless I missed something, it gave access to individual accounts not master access?
I mostly agree. One thing they could have done to mitigate some of it is bar the user from creating a password that is one of the most commonly used 1 million passwords, or 10,000, etc., to mitigate users using commonly used passwords that they might have used elsewhere.
Most commonly used password lists: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
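The denylist check suggested above as an added example (not code from 23andMe or from SecLists): it loads a one-password-per-line list in the SecLists format and normalizes candidates so that trivial variants of a listed password ("Password123!", "dragon2020") are caught too. The six-entry list embedded here is a constructed stand-in for a real SecLists file.

```python
import re

# Constructed excerpt standing in for a SecLists-style common-passwords file.
COMMON_PASSWORDS_TEXT = """123456
password
qwerty
letmein
welcome
dragon
"""

def normalize(pw):
    """Canonical form used for comparison: lowercase, with a trailing run of
    digits/symbols stripped, so 'Password123!' compares equal to 'password'.
    If stripping would leave nothing (e.g. '123456'), keep the original."""
    pw = pw.strip().lower()
    return re.sub(r"[0-9!@#$%^&*._-]+$", "", pw) or pw

def load_denylist(text):
    """Parse a one-password-per-line list (SecLists layout) into a set."""
    return {normalize(line) for line in text.splitlines() if line.strip()}

def is_banned(password, denylist):
    """True if the password, or its normalized form, appears on the list."""
    return password.lower() in denylist or normalize(password) in denylist

DENYLIST = load_denylist(COMMON_PASSWORDS_TEXT)

if __name__ == "__main__":
    for candidate in ("Password123!", "dragon2020", "123456", "Tr0ub4dor&3"):
        print(candidate, "banned" if is_banned(candidate, DENYLIST) else "ok")
```

With a real SecLists file, pass `open(path).read()` to `load_denylist` instead of the embedded text.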