Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • EndOfLine@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    arrow-down
    3
    ·
    11 months ago

    23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users

    I’m honestly asking what the impact to the users is from this breach. Wasn’t 23andMe already free to selling or distribute this data to anybody they wanted to, without notifying the users?

    • hoshikarakitaridia@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      30
      arrow-down
      1
      ·
      edit-2
      11 months ago

      That’s not how this works. They are running internationally, and GDPR would hit them like a brick if they did that.

      I would assume they had some deals with law enforcement to transmit data one narrow circumstances.

      I’m honestly asking what the impact to the users is from this breach.

      Well if you signed up there and did an ancestry inquiry, those hackers can now without a doubt link you to your ancestry. They might be able to doxx famous people and in the wrong hands this could lead to stalking, and even more dangerous situations. Basically everyone who is signed up there has lost their privacy and has their sensitive data at the mercy of a criminal.

      This is different. This is a breach and if you have a company taking care of such sensitive data, it’s your job to do the best you can to protect it. If they really do blame this on the users, they are in for a class action and hefty fine from the EU, especially now that they’ve established even more guidelines towards companies regarding the maintenance of sensitive data. This will hurt on some regard.

      • givesomefucks@lemmy.world
        link
        fedilink
        English
        arrow-up
        20
        arrow-down
        3
        ·
        11 months ago

        If they really do blame this on the users

        It’s not that they said:

        It’s your fault your data leaked

        What they said was (paraphrasing):

        A list of compromised emails/passwords from another site leaked, and people found some of those worked on 23andme. If a DNA relative that you volunteered to share information with was one of those people, then the info you volunteered to share was compromised to a 3rd party.

        Which, honestly?

        Completely valid. The only way to stop this would be for 23andme to monitor these “hack lists” and notify any email that also has an account on their website.

        Side note:

        Any tech company can provide info if asked by the police. The good ones require a warrant first, but as data owners they can provide it without a warrant.

        • LUHG@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          2
          ·
          11 months ago

          That’s not 23 and me fault at all then. Basically boils down to password reuse. All i would say is they should have provided 2fa if they didn’t.

          • 52fighters@kbin.social
            link
            fedilink
            arrow-up
            5
            arrow-down
            3
            ·
            11 months ago

            All i would say is they should have provided 2fa if they didn’t.

            At this point, every company not using 2FA is at fault for data hacks. Most people using the internet have logins to 100’s of sites. Knowing where to do to change all your passwords is nearly impossible for a seasoned internet user.

            • TORFdot0@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              11 months ago

              The sad thing is you have to balance the costs of requiring your customer to use 2FA with the risk of losing business because of it and the risk of losing reputation because your customers got hacked and suffered loss.

              The sad thing is some (actuall most) people are brain dead, you will lose business if you make them use a complicated password or MFA and it puts them in the position to make a hard call.

              They took the easy route and gave the customer the option to use MfA if they wished and unfortunately a lot of people declined. Those people should not have the ability to claim damages (or vote, for that matter)

              • QueriesQueried@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                11 months ago

                I feel like that argument could be made for some things, but inherently cannot apply to companies involved in personal, genetic, or financial information.

        • Zoolander@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          11 months ago

          The only way to stop this would be for 23andme to monitor these “hack lists”

          Unfortunately, from the information that I’ve seen, the hack lists didn’t have these credentials. HIBP is the most popular one and it’s claimed that the database used for these wasn’t posted publicly but was instead sold on the dark web. I’m sure there’s some overlap with previous lists if people used the same passwords but the specific dataset in this case wasn’t made public like others.

    • Hegar@kbin.social
      link
      fedilink
      arrow-up
      5
      arrow-down
      3
      ·
      edit-2
      11 months ago

      I’m honestly asking what the impact to the users is from this breach.

      The stolen info was used to databases of people with jewish ancestry that were sold on the dark web. I think there was a list of similar DB of people with chinese ancestry. 23andme’s poor security practices have directly helped violent white supremecists find targets.

      If you’re so incompetent that you can’t stop white supremecists from getting identifiable information about people from minorities, there is a compelling public interest for your company to be shut down.

        • Catoblepas@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          3
          ·
          11 months ago

          Why do you think someone would buy illegally obtained lists of people with Jewish or Chinese ancestry? And who do you think would be buying it?

            • Catoblepas@lemmy.blahaj.zone
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              11 months ago

              Scammers would buy all info, not specifically targeted to people of Jewish or Chinese descent. That’s not what’s being sold.

              Who do you think would want only information about people with Jewish or Chinese ancestry, and why?

              • NoIWontPickaName@kbin.social
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                11 months ago

                OK you’re gonna have to give me a link to what you’re talking about. It feels like you are being specific, and I am being generic.

                  • NoIWontPickaName@kbin.social
                    link
                    fedilink
                    arrow-up
                    2
                    arrow-down
                    1
                    ·
                    11 months ago

                    In this case, I think it is more likely to be some type of Arab major nation, for the Jewish one, and I don’t know about the Chinese.

                    What I do know is there pretty much every white supremacists I have known has been one of the white supremacist stereotypes to a T.

                    Anything higher level than that it’s just conspiracy theory level on my part at least with that one information point.

    • LanternEverywhere@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      11 months ago

      I would guess (hope?) that the data sets they sell are somewhat anonymized, like listing people by an i.d. number instead of the person’s name, and not including contact information like home address and telephone number. If so then the datasets sold to companies don’t contain the personal information that hackers got in this security breach.