
from the remember:-they-can't-use-what-they-don't-have dept.
Hackers have been able to gain access to personal information from about 6.9 million users of genetic testing company 23andMe, using customers' old passwords:
In some cases this included family trees, birth years and geographic locations, the company said.
After weeks of speculation the firm has put a number on the breach, with more than half of its customers affected.
The stolen data does not include DNA records.
[...] As was first reported by TechCrunch, the company has acknowledged that by accessing those accounts, hackers were then able to find their way into "a significant number of files containing profile information about other users' ancestry".
The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the sprawling family trees on the website.
The stolen data includes information like names, how each person is linked and in some cases birth years, locations, pictures, addresses and the percentage of DNA shared with relatives.
I'm with Bill Burr on this.
See also: 23andMe Says Private User Data is Up for Sale After Being Scraped
Related Stories
Records reportedly belong to millions of users who opted in to a relative-search feature:
Genetic profiling service 23andMe has commenced an investigation after private user data was scraped off its website
Friday's confirmation comes five days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users. The forum posts claimed that the stolen data included origin estimation, phenotype, health information, photos, and identification data. The posts claimed that 23andMe's CEO was aware the company had been "hacked" two months earlier and never revealed the incident. In a statement emailed after this post went live, a 23andMe representative said "nothing they have posted publicly indicates they actually have any 'health information.' These are all unsubstantiated claims at this point."
23andMe officials on Friday confirmed that private data for some of its users is, in fact, up for sale. The cause of the leak, the officials said, is data scraping, a technique that essentially reassembles large amounts of data by systematically extracting smaller amounts of information available to individual users of a service. Attackers gained unauthorized access to the individual 23andMe accounts, all of which had been configured by the user to opt in to a DNA relative feature that allows them to find potential relatives.
[...] The DNA relative feature allows users who opt in to view basic profile information of others who also allow their profiles to be visible to DNA Relative participants, a spokesperson said. If the DNA of one opting-in user matches another, each gets to access the other's ancestry information.
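The two-stage mechanism described above (a few thousand credential-stuffed accounts, each of which can read the basic profiles of every opted-in relative it matches) can be modelled directly. The following is an added example, not code from the article or from 23andMe: `exposed_profiles` computes how many profiles become readable from a given set of compromised accounts over a constructed match graph, and `flag_scrapers` is one defender-side rule (a per-account rate on distinct relative-profile reads) that would surface this kind of scraping in access logs. All account names, match pairs and log events are constructed sample data.

```python
# Added example, not code from the article or from 23andMe. Models the
# amplification described above and one simple detection rule for it.
# Every account name, match pair and log event below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

def exposed_profiles(matches, compromised):
    """matches: iterable of (a, b) pairs, each an opted-in DNA relative match.
    A match is mutual, so either side can view the other's basic profile.
    Returns the set of profiles readable from the compromised accounts (one
    hop only: a relative's own relatives are not visible)."""
    adj = defaultdict(set)
    for a, b in matches:
        adj[a].add(b)
        adj[b].add(a)
    exposed = set()
    for acct in compromised:
        exposed |= adj[acct]
    return exposed - set(compromised)

def flag_scrapers(events, max_distinct_per_hour=50):
    """events: (iso_timestamp, viewer_account, viewed_profile) tuples.
    Flags accounts that read more than max_distinct_per_hour distinct
    relative profiles inside any sliding one-hour window."""
    per_acct = defaultdict(list)
    for ts, viewer, viewed in events:
        per_acct[viewer].append((datetime.fromisoformat(ts), viewed))
    flagged = set()
    for acct, views in per_acct.items():
        views.sort()
        window = []
        for t, profile in views:
            window.append((t, profile))
            while window and window[0][0] < t - timedelta(hours=1):
                window.pop(0)
            if len({p for _, p in window}) > max_distinct_per_hour:
                flagged.add(acct)
                break
    return flagged

# Constructed sample: one account matched to 60 relatives, a second account
# with two matches, and a constructed access log of relative-profile reads.
SAMPLE_MATCHES = [("acct_17", f"rel_{i}") for i in range(60)] + [
    ("acct_3", "rel_0"), ("acct_3", "rel_100"), ("rel_100", "rel_101")]
SAMPLE_COMPROMISED = ["acct_17", "acct_3"]
START = datetime(2023, 10, 1, 10, 0, 0)
SAMPLE_EVENTS = [((START + timedelta(seconds=30 * i)).isoformat(), "acct_17",
                  f"rel_{i}") for i in range(60)] + [
    ((START + timedelta(minutes=5)).isoformat(), "acct_3", "rel_0"),
    ((START + timedelta(hours=2)).isoformat(), "acct_3", "rel_100")]

if __name__ == "__main__":
    print(len(exposed_profiles(SAMPLE_MATCHES, SAMPLE_COMPROMISED)))  # 61
    print(flag_scrapers(SAMPLE_EVENTS))  # {'acct_17'}
```

Two compromised accounts expose 61 other profiles here; only the account that bulk-reads its relatives trips the rate rule, while an ordinary user reading a couple of matches does not.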
Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch:
"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.
[...] But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe."
"Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures," the letter reads.
Zavareei said that 23andMe is "shamelessly" blaming the victims of the data breach.
"This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform," Zavareei said in an email.
"The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever," said Zavareei.
Previously:
- 23andMe: Profiles of 6.9 Million People Hacked
- 23andMe Says Private User Data is Up for Sale After Being Scraped
Genetic information and ancestry reports of U.S. citizens were among the information stolen in the cyber attack:
23andMe proposes to compensate millions of customers affected by a data breach on the company's platform, offering $30 million as part of the settlement, along with providing users access to a security monitoring system.
The genetic testing service will pay the amount to approximately 6.4 million American users, according to a proposed class action settlement filed in the U.S. District Court for the Northern District of California on Sept. 12. Personal information was exposed last year after a hacker breached the website's security and posted critical user data for sale on the dark web.
[...] According to the settlement proposal, users will be sent a link where they can delete all information related to 23andMe.
[...] In an emailed statement to The Epoch Times, 23andMe Communications Director Andy Kill said that out of the $30 million aggregate amount, "roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage."
Also at USA Today, Fox Business and The Verge.
Previously:
- 23andMe Tells Victims it's Their Fault that Their Data was Breached
- 23andMe: Profiles of 6.9 Million People Hacked
- 23andMe Says Private User Data is Up for Sale After Being Scraped
Since it was founded nearly two decades ago, 23andMe has grown into one of the largest biotechnology companies in the world. Millions of people have used its simple genetic testing service, which involves ordering a saliva test, spitting into a tube, and sending it back to the company for a detailed DNA analysis.
But now the company is on the brink of bankruptcy. This has raised concerns about what will happen to the troves of genetic data it has in its possession.
The company's chief executive, Anne Wojcicki, has said she is committed to customer privacy and will "maintain our current privacy policy".
But what can customers of 23andMe themselves do to make sure their highly personal genetic data is protected? And should we be concerned about other companies that also collect our DNA?
[...] 23andMe has had a rapid downfall after the 2021 high of its public listing.
Its value has dropped more than 97%. In 2023, it suffered a major data breach affecting almost seven million users and settled a class action lawsuit for US$30 million.
Last month its seven independent directors resigned amid news the original founder is planning to take the company private once more. The company has never made a profit and is reportedly on the verge of bankruptcy.
What this might mean for its vast stores of genetic data is unclear.
Previously:
- 23andMe Proposes $30 Million Payment for Data Breach
- 23andMe Tells Victims it's Their Fault that Their Data was Breached
- 23andMe: Profiles of 6.9 Million People Hacked
- 23andMe Says Private User Data is Up for Sale After Being Scraped
(Score: 5, Informative) by Tork on Friday December 08 2023, @12:39AM (4 children)
So... yeah, they want the profit but not the responsibility... and this is about a fair chunk of the information that we use to do things like apply for credit cards.
🏳️🌈 Proud Ally 🏳️🌈
(Score: 2) by RS3 on Friday December 08 2023, @05:18PM (3 children)
I'm not a lawyer, but my brother, who did this DNA thing a few years ago, is a lawyer. I need to get his thoughts on this.
But it seems to me that a company's change to their policies should not affect an existing contractual relationship. I know pretty much all companies like to put in a clause saying "we reserve the right to change these terms at any time" but that crap should not hold up in court. If it does, our "system" is much worse than I already fear.
(Score: 2) by Reziac on Saturday December 09 2023, @02:52AM (2 children)
And my first thought was... the genetic data is processed in China. Explain to me where the expectation of privacy was in the first place??
Unfortunately, yeah, most people would have no such thought, and would expect better. Terms of Service or no.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by RS3 on Saturday December 09 2023, @03:02AM (1 child)
I didn't know that. That's horrific.
Ever read a "terms of service" or "privacy agreement"? They always say they "value your privacy", which means your private data has value. But worse, they also always say "we may share your data with our 'trusted partners'". WTF!! Who are they? What are their privacy policies?
I don't know what it's going to take, but I hope I live to see the day when governments start passing extremely strong privacy laws with large criminal penalties for lax safeguards. Hopefully it'll discourage most collection and storage of our info.
Brother reported his 23andMe account wasn't one that was hacked, and from 23andMe:
So I asked him if his (and mine) might have been scooped up with someone else's that was hacked. Haven't heard back yet...
(Score: 3, Insightful) by Reziac on Saturday December 09 2023, @03:44AM
And I can't see governments doing any such thing. They're more than happy to have everyone else scooping data, so they can buy said data without violating any "No Snooping" laws. More likely we'll get laws stating that it's A-OK to do so.
Word from disparate sources (so likely to be somewhat true) is that China is interested in pathogens that target by genome, hence....
And there is no Alkibiades to come back and save us from ourselves.
(Score: 4, Touché) by istartedi on Friday December 08 2023, @12:58AM
Just oh-so shocked that people gave their data to a Si-Valley company where they "move fast and break things" and this happened. Sure they are always looking for ways to monetize data, break the law without actually facing the consequences, and turn a fast buck but they're such good people and I think they all use Apple computers so what could possibly go wrong? How could this happen?
/sarcasm.
(Score: 4, Funny) by crafoo on Friday December 08 2023, @02:25AM (1 child)
oh what a surprise. hacked you say? wow. how did that ever happen WOW I can't imagine wow just wow.
(Score: 2) by turgid on Saturday December 09 2023, @11:56AM
I blame computers. It's all their fault. And the Intertubes. Work of the Devil, I tell you!
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 5, Insightful) by Ox0000 on Friday December 08 2023, @03:03PM (4 children)
If you have never used or even touched this service and yet have even only one relative that has used it, distant or not, then you too are affected. Because that's how genetics works.
This is the problem with people not understanding the implications of handing data out willy-nilly in exchange for trinkets.
Some people take fiction ("1984", "Gattaca", ...) and assume it to be an instruction manual, rather than the warning they were intended to be. What is there not to understand about the word "dystopian"?
(Score: 3, Insightful) by RS3 on Friday December 08 2023, @05:14PM (3 children)
Yeah, my full blood brother did it about 5 years ago, so I'm as good as scooped up in this mess. And yes, I'm very unhappy about this. Not sure what to do. Moving to another country and changing my full identity seems in order.
(Score: 3, Interesting) by Reziac on Saturday December 09 2023, @02:55AM (2 children)
My aunt did the basic test some years back. Learned absolutely nothing we didn't already know. "You are 100% Norwegian!"
But yeah, the more-extensive tests and relationships are starting to become a problem. I vaguely recall a few crimes have been solved (was one a murder? I forget) thanks to this. No, assume they don't always get it right... and consider how small the profile data really is... what is the incidence of false positives and negatives?
And there is no Alkibiades to come back and save us from ourselves.
(Score: 3, Funny) by RS3 on Saturday December 09 2023, @03:27AM (1 child)
Ah, everything makes sense now. Norseman. Viking conqueror. Excellent swordmakers. Runes and stones and such. :)
(Score: 3, Funny) by Reziac on Saturday December 09 2023, @03:47AM
LOL. And the other side are basically Scots and Normans. So it's all one. :D
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by Isia on Saturday December 09 2023, @05:57PM (4 children)
Once collected, DNA data must be protected for the rest of your life and that of your children.
The genes of the dumbest of the dumb must be removed from the human gene pool.
Belief in a higher being is for the stupid, the weak and the cowardly.
(Score: 2) by turgid on Saturday December 09 2023, @06:01PM (3 children)
What are these hieroglyphs in your message?
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by Isia on Saturday December 09 2023, @06:14PM (2 children)
Get a browser with a working UTF-8 output.
Belief in a higher being is for the stupid, the weak and the cowardly.
(Score: 2) by turgid on Saturday December 09 2023, @06:31PM (1 child)
I have.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by Isia on Saturday December 09 2023, @06:38PM
https://paste.ec/paste/pdvOvrCF#-Rh7g5oMHdfpYaczcEtd9ld0NvRA2pWx+IZFBhYr5TK [paste.ec]
Belief in a higher being is for the stupid, the weak and the cowardly.