If you’ve been following my Instagram, you know that I personally won’t do 23andMe. Why? I’ll paste what I wrote on Instagram rather than rewrite it, because it still holds true:
✋🏼 I personally won't send my DNA to a "fun" DNA outfit like 23andMe. If, someday, my doctor suggests I need a DNA test, will I do it? Yes... (after reading their privacy policy!!). At least there are legal protections around medical data. Not so for kits like 23andMe.
😧 Everyone has different privacy thresholds. For me, getting some information about my ancestry is not worth the tradeoff of a company like #23andme having a copy of my DNA.
😒 Did you know that, unless you explicitly opt out, 23andMe shares your data with partners? Read it for yourself, straight from them.
🧑🏽🔬 No doubt DNA tests are a positive advancement for our society. Just be careful who you share your DNA with. And if you've already given it to them, opt OUT of sharing and/or delete your account. They claim to delete all data and the physical sample if you do this. I hope they do!
If you haven’t heard, 23andMe was hacked, which they confirmed about a week ago.
How did it happen?
The hack was the result of a credential stuffing attack. That means the attackers took username/password pairs leaked from other breaches and replayed them against 23andMe's login page in an automated fashion, using scripts, which lets them try far more combinations than any human would ever bother typing. This is exactly why you should not use the same password across services: if it leaks from service A, it will work on service B, too. Remember that password security is a spectrum:
23andMe has responsibility
So far, the messaging from 23andMe has focused on weak usernames/passwords and the lack of two-factor authentication on user accounts. What sticks out to me is how the users are basically blamed for the attack. What I read is, "YOU didn't secure your account well enough!" While that is partially true, I think this attitude deflects blame from 23andMe's own failure to follow security best practices.
I work in tech - specifically in digital identity and cybersecurity. You should not be able to pull millions of records by compromising regular ol' credentials. Some kind of super admin account, yes, but those accounts should always be protected with 2FA and should never share a password with any other service, so a replayed leaked credential would simply not work against them. Credential stuffing is an extremely common type of attack, and one that companies need to be prepared for. ESPECIALLY companies that store people's genetic data.
If I’m logged in as a regular ol’ user (which is exactly what happened in this breach), why should I be able to scrape millions of records? That is not an action a typical user would ever need to take (note that most of the compromised data came from a feature called “DNA Relatives”, which shows each user the profiles of people they share DNA with). Why was there no monitoring in place to alert on the massive jump in DNA Relatives API calls coming from individual accounts? Why was there no rate limiting? What 23andMe allowed was the equivalent of giving someone with the key to one room access to the entire house. They did not have the proper per-account limits in place to protect against this kind of attack, and that much is their fault, not the fault of the end user with a weak password.
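As an added example (my own illustration, not 23andMe's code and not taken from any breach report), here is a small Python script that runs the two checks argued for above over constructed log lines: a credential-stuffing detector on login attempts (many different usernames from one source IP with a high failure rate), a scraping detector on calls to a relatives endpoint, and the per-account rate limit that would have capped the scraper. The endpoint name `/relatives`, the IP addresses, usernames, timestamps and thresholds are all assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample data (not real 23andMe logs) ----------------------
# Login attempts: (timestamp, source_ip, username, success).
# 203.0.113.7 replays leaked credentials against many accounts: mostly
# failures, a couple of hits. 198.51.100.4 is a normal user who mistyped once.
AUTH_LOG = [
    ("2023-10-01T10:00:00", "203.0.113.7", "alice", False),
    ("2023-10-01T10:00:01", "203.0.113.7", "bob", False),
    ("2023-10-01T10:00:01", "203.0.113.7", "carol", True),
    ("2023-10-01T10:00:02", "203.0.113.7", "dave", False),
    ("2023-10-01T10:00:02", "203.0.113.7", "erin", False),
    ("2023-10-01T10:00:03", "203.0.113.7", "frank", True),
    ("2023-10-01T10:00:03", "203.0.113.7", "grace", False),
    ("2023-10-01T10:00:04", "203.0.113.7", "heidi", False),
    ("2023-10-01T10:05:00", "198.51.100.4", "ivan", False),
    ("2023-10-01T10:05:20", "198.51.100.4", "ivan", True),
]

# Authenticated API calls: (timestamp, username, endpoint).
# "carol" (a stuffed account) pulls the relatives list once a second for a
# minute; "ivan" looks at a handful of matches like a person would.
API_LOG = (
    [(f"2023-10-01T10:01:{i:02d}", "carol", "/relatives") for i in range(60)]
    + [(f"2023-10-01T10:06:{i * 10:02d}", "ivan", "/relatives") for i in range(5)]
)


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_credential_stuffing(auth_log, window=timedelta(minutes=5),
                               min_distinct_users=5, min_failure_ratio=0.5):
    """Flag source IPs that try many *different* usernames in a short window
    with a high failure rate: the signature of replayed leaked credentials,
    not of one person mistyping their own password."""
    flagged = set()
    by_ip = defaultdict(list)
    for ts, ip, user, ok in auth_log:
        by_ip[ip].append((parse_ts(ts), user, ok))
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()  # sliding window of (ts, user, ok)
        for ts, user, ok in events:
            recent.append((ts, user, ok))
            while ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            failures = sum(1 for _, _, ok2 in recent if not ok2)
            if (len(users) >= min_distinct_users
                    and failures / len(recent) >= min_failure_ratio):
                flagged.add(ip)
    return flagged


def detect_scraping(api_log, endpoint="/relatives",
                    window=timedelta(minutes=1), max_calls=30):
    """Flag authenticated users whose call rate to a sensitive endpoint is far
    above what a person clicking through the page could generate."""
    flagged = set()
    by_user = defaultdict(list)
    for ts, user, ep in api_log:
        if ep == endpoint:
            by_user[user].append(parse_ts(ts))
    for user, times in by_user.items():
        times.sort()
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) > max_calls:
                flagged.add(user)
                break
    return flagged


class SlidingWindowLimiter:
    """Per-user limiter: at most `limit` calls in any `window`. A ceiling like
    this caps what one compromised account can pull, whatever its password."""

    def __init__(self, limit=30, window=timedelta(minutes=1)):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, user, ts):
        q = self.calls[user]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # denied: the request is not recorded as served
        q.append(ts)
        return True


def replay_with_limiter(api_log, limiter):
    """Return how many calls per user the limiter would have let through."""
    served = defaultdict(int)
    for ts, user, ep in sorted(api_log):
        if limiter.allow(user, parse_ts(ts)):
            served[user] += 1
    return dict(served)


if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(AUTH_LOG))
    print("scraping accounts:", detect_scraping(API_LOG))
    print("served under limit:", replay_with_limiter(API_LOG, SlidingWindowLimiter()))
```

The thresholds are deliberately loose so that the normal user never trips them: one account retrying its own password, or paging through a few matches, stays well under the distinct-username and calls-per-minute limits, while the scripted attacker crosses both within seconds. The limiter matters even when detection lags, because the sixty-call scraper is cut off at thirty regardless of whether anyone is watching the alert.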
What does this mean for me?
Think twice before giving your genetic information to unregulated companies like 23andMe.
Don’t use the same password over and over again. It’s impossible to remember a unique, strong password for every service. I use 1Password to generate and store unique, strong passwords, but there are many other password managers.
Realize that you have to take security into your own hands. Just because a company is large and profitable does not mean they have security best practices. And if they’re anything like 23andMe, they won’t even admit fault. To this day, 23andMe is saying that their system was not breached, but that individual usernames and passwords were compromised. Again - blaming the user, and not their poor monitoring and lack of response.
Stay safe out there!
Hannah

And now 23andMe is bankrupt. I guess this aged well 😆