At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it’s working to verify the data.
And that’s exactly what people were worried might happen.
This was incredibly predictable
But they promised!
If people were actually taught history they would have known exactly what their genetic information being in a registry would result in.
Ooof.
IBM and the Holocaust by Edwin Black should be standard reading for high school students.
I can’t believe people voluntarily sent them their DNA.
The worst part is it you have enough family members who used these services your details are likely on there too.
Though if neither a father nor his sons have submitted their DNA, the service will lack all that Y-DNA though, right? I’m glad I made the right decision to not send in my DNA to those sites, despite my sisters hounding me to do it after our dad refused, lol.
It’s a shame though, because family genetic networking is interesting, but it just goes to show you can’t trust these companies. (Even though the company didn’t really do anything truly wrong in this case, as it’s simply users reusing passwords, they still should have been better/more proactive especially with such sensitive information)
Even though the company didn’t really do anything truly wrong in this case, as it’s simply users reusing passwords, they still should have been better/more proactive especially with such sensitive information
There’s nothing special or new or unique or unforseen about the security requirements of 23andMe.
They absolutely failed to implement an appropriate level of security measures for their service.
Mandatory 2FA could’ve prevented this.
Part of the issue is the average person using a service like this, and people comfortable with MFA don’t really overlap.
I mean, too bad. You’re accessing the results of your genetic data that contain sensitive personal information on relatives as well as yourself. Banks require 2FA, and people figure out how to use that.
Hence the key word: mandatory.
Oh I didn’t miss that. Would it be a good business decision for nascar to force people wanting to buy live tickets to eat a vegan meal?
“We sent you an SMS with a 4 digit number, please type it in this box” is a pretty low bar.
Y chromosomes have very little information on them, and the DNA there is pretty highly conserved. You’re not really keeping any secrets by hiding your Y chromosome away.
It’s not really like they are storing DNA sequences anyways. They use a genotyping array which just reads ~650k single nucleotide polymorphisms (SNPs).
An analogy would be 23andme has a 6.4mil page book of DNA for a single customer but they only know the position and letter of single character on every tenth page. Sure it’s enough to identify someone (You can confidently use 50 SNPs to identify these days) but it’s not like 23andme was ever storing a whole genome
They also sent your DNA involuntarily. You can be IDed of someone in your genetic vicinity has sent theirs. They don’t even need to be super close.
I sent mine in because 75% of my DNA comes from sources unknown to me. It’s been interesting seeing what pops up.
I’d do mine if I had some spare money, because I’m in the exact same boat. 75% unknown.
Someone help my dumb brain: what does that situation look like?
You only know your mother or father and one of their parents and have no idea of the three other grandparents?
Yes.
Top notch victim blaming you got there…
ETA because I don’t engage with bigots:
Imagine that, the descendants of one of the biggest genocides in history want to try and piece their history together, and use the available tools to do it with, fucking shocker…
Then, when they continue getting targeted just for existing, privileged ignorant bigots who couldn’t even imagine what having over 90% of their community gassed is like, and have never been oppressed for who they are a day in their lives, simply can’t help themselves but jump to justify them being attacked again:tHe bAstArDs dEseRve eVerYthInG tHey GeT!!11
And somehow not a word about the attackers, nor the company that failed its customers.
Sure, antisemitic Jan…🙄🙄🙄
“I can’t believe this incredibly obvious thing happened!” Isn’t really victim blaming, is it? They’re not saying they did it to themselves or they deserved it, they’re saying that this was bound to happen and people volunteered their DNA to a private company
… Therefore blaming them for using the service.
Why even have a capitalist economy if private businesses can just abuse people like that and the customer is routinely blamed for participating in the economy the only way they’re allowed to?
Thanks!
As if victim blaming is always wrong.
It is
E. g. if somebody loses money in a multilevel marketing scheme, is it wrong to blame the victim? Or is not every victim a victim?
Regarding your edit, that’s assuming a bit too much to defend your point.
But that’s what I asked for, your reason why there is no responsibility on the side of the victims.
To engage with that line of thinking: if you leave agency at people, you can ask why one would trust a company with that data when every conspiracy theorist doesn’t use that service specifically because of the risk of genocide.
But you are right, there are valid reasons to take the risk.
It’s always wrong to blame the victim, yes. You just genuinely don’t believe they actually are victims, and if you want to have that debate, be honest and have it. But you don’t get to recognize their victimhood and then invalidate it by implying their suffering is partly their fault.
Is this a choice of words issue? Saying that somebody could have prevented something and with that knowledge should prevent it next time doesn’t change victimhood for me. The suffering of the victim remains.
What is lost if the victim had some agency? Is there some metaphysical aspect to it? Are victims prechosen by fate and it’s a sacrilege to question their fate?
I can agree that a zebra being killed by lions shouldn’t be blamed. But a person who ignores advice from friends and joines a multilevel marketing scheme is not entirely innocent.
Because attributing any blame to a victim is always a sleazy attempt to shift all responsibility for a situation away from the aggressor and onto the victim. It’s a common abuse tactic.
Plus, most people really aren’t capable of doing what they need to do in life-threatening or abusive situations. Adults really don’t have as much agency as they like to pretend they do, and I personally am tired of being dishonest about it.
I say that as one of the people who has been abused partly through their own failings and iniquities. I don’t call myself a victim. I’m also not an average representative of people in abusive situations – I have always been and always was capable of doing far more than most other people, and so I am telling you from that experience that you cannot attribute any responsibility for a situation on a victim like that. Most people are just NPCs and you need to respect that.
You say that like it’s a negative thing.
Some people actually want to know things and are curious about where they came from, what they’re made of, who their family is.
Submitting your DNA can increase your knowledge. It sounds like you can’t believe people would seek knowledge.
I’d love to know all of that. I just don’t ever trust a private corporation to safeguard my highly personal and unique DNA information from:
- a foreign scammer looking to make a buck
- my government looking to close a case
- a foreign government looking for kompromat
- a health care company looking for reasons to deny coverage.
It’s too easy for a company to skimp on staff and digital security and then say “we’re soooo sowwwy, have 3 months of identity fraud protection on us” if they find a breach.
The point I think you could be missing is that the organizations which do this have been at best irresponsible, at worst negligent, in protecting customers personal information. There are obviously benefits to
thisa genetic record. Preserving a comprehensive genetic record for future generations to study is one. A database for law enforcement to use to solve very serious crimes like murder and rape. All that would be wonderful, but that information is already being misused and abused. Most people, myself included, don’t think these organizations will ever be responsible to their customers cause who the hell would believe that these days?
There are a lot of dumb people that wanted to know they were a pure breed European or something to brag about like an IQ test
But they trusted [youtuber]!!!
Thank you!
The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives.
The information does not appear to include actual, raw genetic data.
This doesn’t absolve them of anything. If you see thousands of accounts being individually logged in from the same block of IP addresses, and those users have never logged in from there before. That should raise red flags. No, Fred from California shouldn’t be logging in from a vpn based out of Ireland right after Anne from NY logged in from that same VPN from Ireland.
Users are dumb. This is why there’s tools to track odd behavior and clamp down on it.
“This doesn’t absolve them of anything”
Of course it does. “Security” based on behaviour tracking is not the expected default like you are making it to be. (neither should it be.)
Thats how my bank tracks my money, and while it might be mildly annoying to make a quick call to reactivate my card if I triggered a red flag, it is absolutely a well appreciated and useful safety feature that I am glad my bank employs.
Why would I not expect the same level of security for a piece of my medical data? Thats just as important as my money.
Why would I not expect the same level of security for a piece of my medical data?
Because it’s not a bank.
Thats just as important as my money.
Unless you are super rich and have a lot of throwaway money, it’s a false over exaggeration.
You understand that same level of security is used by hospitals, yes? Do you think hospitals are banks?
Ah, an over exaggeration. Ill tell that to all the jews whose data got targeted and stolen. Im sure it was harmless.
You understand that same level of security is used by hospitals, yes?
No, not all hospitals at least.
Ill tell that to all the jews whose data got targeted and stolen.
Sure, go ahead. You have my permission.
Im sure it was harmless.
I don’t know why you are sure of it. It could cause harm even if you can’t think of what harm it will cause.
Your brain works differently from mine. Your idea of protecting your data is to give away and even force them to collect more data on you. Mine to make them collect less data.
Your brain short circuits at sarcasm, so Im not really expecting much from it.
If you are already giving valued medical data to someone, the simple act of checking the ip of login and sending a “was this you?” email isnt even remotely the level of data loss you want to pretend it is.
Its common sense to protect your user, and your database, from phishing. If you want to genuinely claim that phishing protections for medical data is bad, by all means. You already sound like a fool, may as well set the stone.
I’m sorry, but what behavior tracking would be enabled here to detect that thousands of accounts are logging in from the same ASN that the accounts don’t identify as being in?
They have your address… They sent you the spit tube kit. and it’s probably in your profile that you willingly give them. What “tracking” is it when “hey this IP belongs to a location that’s 10000 miles away from their profile! Let’s send an email and double check!”.
hey this IP belongs to a location that’s 10000 miles away from their profile!
This means you are tracking the information that I have moved or am currently am at 10000 miles whatever place. You have no business knowing where I move to. It is kind of tracking as you are collecting more info than you need to in the name of “Security”.
If I think my data on a website is important enough I will make the password there random and complex enough not to be guessed or brute forced. I don’t need your extra tracking.
They can increase security by matching address. Sure. The can also increase security by checking everything on your pc and house to figure out if you are you. I don’t need it.
Let’s send an email and double check!.
That’s a different point. They should always provide an option for 2nd or extra authentication for people who want it. But it doesn’t need any other info than that I want 2fa.
More i
This means you are tracking the information that I have moved or am currently am at 10000 miles whatever place.
An ip lookup isn’t tracking jack shit. You are demonstrating that you don’t understand how technology works.
You furnished your address to the service (by function of how the service works), you accessed the site which exposes your IP. An IP lookup it’s tracking. If you truly believe it is… Hoo boy you should spin up an apache server and look at the logs.
An ip lookup isn’t tracking jack shit.
Sigh! now you are arguing on definition of tracking. Which is pointless as you can replace that word with whatever you are comfortable with.
You are demonstrating that you don’t understand how technology works.
Perhaps. But the since concept of ip hasn’t changed much since the internet became public it’s doubtful that don’t understand ip.
you accessed the site which exposes your IP.
Yes. Doesn’t mean you have to save my ip address that I used. Or even the general location I used it from even if it will increase security.
apache server and look at the logs.
Shrug. What does that means? You can control the info logged in server and also if you choose to keep it or classify it.
Doesn’t mean you have to save my ip address that I used.
The most basic webserver keeps access logs. It will save “this person logged in at this address” or some data about the session regardless if it’s looked back on later.
Yes. Doesn’t mean you have to save my ip address that I used.
Who the fuck said anything about saving an IP?
Or even the general location I used it from even if it will increase security.
IP lookups are not “saving your location”.
Shrug. What does that means? You can control the info logged in server and also if you choose to keep it or classify it.
No… Not at all. If you reach out to my server, my server has to know where to send the data back to. Part of this process can be an IP lookup that actually identifies where your ASN is based out of. There is no way around this… the request MUST have IP information. Nobody said shit about logging anything. And logging IPs is not required to do anything that I’ve mentioned.
Sigh! now you are arguing on definition of tracking.
No… I’m arguing pedantic shit. I’m telling you what actually happens and what the actual definition is.
Edit: To the point. I actually do IP lookups to BLOCK specific countries in my router. Using a database like maxmind you can get a general idea of location without knowing anything specific at all. So it goes 1 step further to run a check on if your current ASN is even remotely close to your known location. If not, fire off email. nothing about this requires any logging or outside information than what you already gave the company in this case. Other fields use these mechanisms that are well regulated and nobody else except for you calls this “tracking”.
The data that’s available on the hacker forum doesn’t contain the raw DNA, but that’s just a promotion to sell much bigger dataset, which the hackers claim has the DNA… https://twitter.com/mattjay/status/1710370443968856559
And people wonder why I’m paranoid about privacy…
a lot of people in these comments who live in privacy-conscious bubbles and aren’t very familiar with “normal” people
there’s also this attitude that certain users never did anything wrong. YouSureAboutThat.jpg
They never signed up for anything that compromised their privacy?
Also, we all live in abodes with wooden doors and glass windows that anyone with a rock or a stick can break into. Doesn’t mean we deserve to be murdered in our sleep.
The fact that big companies collect and sell your data is common knowledge now, definitely not something esoteric that only people in privacy-conscious bubbles know of. However, “normal” people refuse to not follow every trend or get inconvenienced.
touché
This is why you don’t reuse passwords
The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.
From the article. Way to sensationalize a title…
My uncle tried to get me to do this for his family tree project.
Super happy I didn’t cave to his persistence.
Wonder what the angle of targeting Jews is here? Are they trying to figure out why they’ve got stomach issues or something?
Wonder what the angle of targeting Jews is here?
…are you seriously asking? I can’t figure out if you’re trolling here. I’m going to go out on a limb and guess it wasn’t breached by a group of geneticists looking to cure Tay-Sachs.
I mean, targeting jews is obvious, no? Some racial purity freaks are trying to target the genetic root of a minority group.
23andMe basically drafted up a list of as many jewish descendants as they could get, which means the lunatics can use it as an easy list of targets.
Heres hoping the fuckers get caught before they can do anything with the data.
You think there’s a group that’s going to take this as a hit list?
I know shits going downhill but I didn’t think I needed to start thinking about packing bags…
I dont wanna scaremonger or anything but, like… what the fuck else would they use that data for?
As a power fantasy mostly. They might pass it around and use it to jerk each other off but not much more than that. The problem is, it’s only a fantasy until it makes it’s way into the hands of someone with the means and derangement to act on it: two qualities which, depending on where you live, can be unsettlingly easy to come by
Engineering a targeted virus?
Thankfully, thats not quite how viruses work
There’s a whole conspiracy regarding Covid that RFK Jr. is blathering about. Supposedly this data breach targeted Jews and Chinese folks. I’m assuming that it’s related in some way, but it’s not clear how.
I am a 23andMe user, and yes I voluntarily sent them my DNA sample. Shit on me all you want. You probably don’t have to live with multiple genetic conditions, chronic illnesses, and have a family history of several more.
Must be nice to be privileged with a healthy body and to get to care about privacy concerns instead wondering which genetic condition you’ll die of first.
ITT: People who have never experienced medical gaslighting before. Think about the relevance of your experiences before commenting. ITT: People who don’t live with chronic ille
I think you are also cursed with the gene that makes you a dick.
Obviously there’s good and bad reasons to get tested.
The point is to be more mindful of who you share your data with. It’s to protect yourself, not to make you feel like a fool.
Read the rest of the comments here before you comment. Everyone is bashing 23andMe users and the bubble they live in while the irony is completely lost on them.
Your so called ‘obvious reasons’ are anything but obviously to the average lemmy user who will find every excuse to feel superior about their niche privacy loving community with no clue how the real world works.
You’re excuse is such garbage it’s beyond stupid. You’ve got health concerns so you willingly gave up your privacy to a tech company… instead of going through, y’know the medical system which has checks and balances for this purpose.
You’re the people they want to be their victims. Ignorant people driven by fear.
instead of going through, y’know the medical system which has checks and balances for this purpose.
This is the single dumbest take on healthcare I have ever heard. You’ve clearly never had to deal with extensive medical issues or chronic illnesses, or you’re a straight white guy in your 30s and have the privilege of being believed by your doctor.
I’ve been forcefully misdiagnosed with ‘anxiety’ by so many doctors who wouldn’t listen to me. No one gave a shit until I threatened to report them to the medical board. That’s the only time they took my symptoms seriously and bothered to do a blood test, where they were proven wrong. No amount of sorry from them will undo the damage they’ve done.
This was one of 5 incidences where I had to advocate for my own health against the doctor’s preconceptions because theywould rather diagnose me based on my age and gender rather than my symptoms.
Medical gaslighting is a pervasive issue that disproportionately affects women, POC, young people, and LGBTQ. It’s a systemic issue that kills people through medical neglect. I would be dead by now had I not fought this hard for my own diagnoses.
The fact that you think modern health care is some pristine and fully reliable process instead of the shit show it is just speaks of how little you’ve had to deal with. Sit down and check yourself before taking about ignorance.
But… isnt that what doctors are for? Like, the people who have multiple government mandated levels of security around your data? And medical expertise in which genetic conditions you will die of first?
So, you want to blame your local physicians being incompetent for you putting your safety in the hands of less qualified people?
You arent the only victim of medical malpractice. That doesnt make it smart, sane, or even straightforward to trust a knock off elon musk with your health, that means you have to look for a competent doctor.
Is that hard? Is it scary? Yes, obviously. Welcome to the world, where scary shit happens to you for no reason sometimes. But malpractice isnt a reason to put yourself further at risk. As evidenced by the now millions of jewish patients whose safety is now likely at risk.
You don’t seem to understand what a systemic issue is if you think this is because of a few ‘local physicians’ or just one case of ‘malpractice’. If you think this is something that can be resolved from looking for ‘one competent doctor’, you have no idea how impossible it is to find a team of 1 PCP and 5 specialists who all happen to give a shit, and what to do when you need to go to the ER which is another hellhole of it’s own.
You can come back to this discussion when you show some understanding of how extensive this issue is.
I am speaking from a decade of experience trying to have a correct diagnosis. I dont know how to tell you this, but you are not the first person to have a doctor dismiss them.
Thats still not an excuse to put yourself further at risk. You can come back to this discussion when you show some understanding of how vastly serious this data breach is.
Not wanting to die of medical neglect is a reason, not an excuse.
I don’t need excuses or your permission to not kill myself.
Man, that is such a bullshit pretend nonsense claim.
Your only option, the only thing you could do, was sell your data to a data aggregator?
What a bold faced lie.
I’ve got nothing to hide
That’s not the point.
It’s a meme… people are fucking stupid and will say this every single fucking time privacy is brought up.
/s is your friend.
It takes so much work to successfully pull off sarcasm in text. I’m still working on it, it’s a craft I hope to master some day. But the fun in it is the ambiguity, so adding a /s takes all the fun out of it. But ideally only a select few get whooshed.
Honestly it has seemed like a fool’s errand to me, especially because sometimes I get wooshed, but best of luck.
Thanks /s
You’re welcome, I love you like my own child. /s
Gotcha.
since when religion is part of the DNA?
Idiots believe their personal information was safe, with a private company.
For real, they already share it with the government which is the real danger anyways.
Nononono! It’s only dangerous if your government turns fascist and tries to harm you.
Oh!
Wait a second…