23andMe to hacking victims: it's your fault because you reused passwords

Originally published at: 23andMe to hacking victims: it's your fault because you reused passwords - Boing Boing


The existence of scammer databases filled with poorly conceived and re-used passwords is a known problem in infosec, enough so that most companies mitigate them as best they can.

The problem here was that 23andme added a superfluous social network element to its core offering, which when combined with the above gave the criminals access to (literally) related victims for further attacks.


Were they even hacked? I mean it does sound like poor security practices from their users. No? Or is there something else that the company is failing to acknowledge?


Agreed. If I understand correctly, both relations had to opt into this program.

I’ve read a couple of articles about this. Everyone says 23andMe should have done something to mitigate this but they don’t say what. What other steps could they have taken aside from forcing multi-factor authentication?


They were hacked. Most likely the “idiot re-using the bad password” was not a normal user but an employee with an elevated privilege level.


That qualifies as a hack to me… I just read every article as it was customers reusing passwords from other sites that allowed their data to be leaked.


They’re pretending that the hackers stole all the credentials one-by-one based on earlier hacked databases and built their 23andme database that way. That’s not how things work.


It could work, but it would be slow and should cause tripwire alerts (bad logins spiking, etc).


I don’t think this is accurate. Very, very few websites use 2FA to backstop this kind of attack. Could/should 23andMe have required 2FA, given the potential sensitivity of the info in their db? Arguably yes. I’m sure they considered and rejected it due to the extra login friction it creates (a bad call, in hindsight).

However, if this truly was a password reuse hack, the blame lies solely on the user. If someone leaves a set of house keys on their stoop and someone breaks into their house, you don’t blame the door lock company.


No, it doesn’t. There are server side mitigations and you can check for leaked passwords on password entry.


How is a user reusing passwords 23andMe’s fault? Yes, there are mitigations which could have been used. In my door lock analogy you’re arguing that “the home builder should have put an alarm and cameras.” How about not reusing passwords in the first place? That’s Internet 101 (or at least 102).

For any single given account, a hack due to the reuse of a password is the account holder’s fault.

The loss of a lot is entirely 23AndMe’s fault. You know people will reuse passwords, you know people will use weak passwords. Design for it.


You know people will reuse passwords, you know people will use weak passwords. Design for it.


The loss of a lot is entirely 23AndMe’s fault.

Disagree. 23andMe could have done more to save the users from themselves. This does not make it their fault.

I really doubt that hackers broke 7 million accounts one by one.


Let’s go back to your real estate example, but make it a bit more accurate.

There is an apartment building. A burglar is going along the hallways with a bunch of key rings trying keys from a key ring in each door, skipping some, but still trying a lot. For some reason he also tries some keys at a blank spot on the wall. These hallways all have cameras.

Do you blame the manager for not locking him out or calling the police?

You seem to be focused on each individual user. That’s not the scale. The scale is the system. They know about all the logins and failed logins, stop the attacker.
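Editorial example, added here and not part of any poster's comment or of 23andMe's systems: a sketch of the system-level view described above, flagging a source that tries many distinct accounts (including ones that do not exist) and mostly fails. The event format, thresholds and sample log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _build_sample():
    """Constructed login events: (timestamp, source IP, username, outcome)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # One source walks through 30 accounts, one attempt each.
    for i in range(30):
        outcome = "ok" if i % 10 == 0 else ("no_such_user" if i % 3 == 0 else "bad_password")
        events.append((base + timedelta(seconds=2 * i), "203.0.113.7", f"user{i}", outcome))
    # An ordinary user mistypes a password twice, then logs in.
    for j, outcome in enumerate(["bad_password", "bad_password", "ok"]):
        events.append((base + timedelta(seconds=20 * j), "198.51.100.4", "alice", outcome))
    return sorted(events)

SAMPLE_EVENTS = _build_sample()

def detect_stuffing(events, window=timedelta(minutes=5), min_users=10, min_fail_ratio=0.5):
    """Flag sources that try many distinct accounts, mostly failing, within one window.

    Thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    findings = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o != "ok")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        # Attempts against accounts that do not exist.
                        "unknown_users": sum(1 for _, _, o in win if o == "no_such_user"),
                        # Accounts the source got into: candidates for forced reset.
                        "compromised": sorted(u for _, u, o in win if o == "ok"),
                    }
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

The `compromised` list is what lets a defender act on the accounts that were actually entered instead of only blocking the source.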


The hack exposed information in 6-million+ accounts but didn’t get the login credentials of all those accounts. The stolen data for all did include names, birth years, location data, and relationships/shared DNA with the holders of the 14k hacked accounts (via their social network functionality), so it’s still very bad.

They could have done more using industry infosec best practises and tools (and not using an easily machine-scrapeable or exportable social network functionality) but it’s not their fault. Okie dokey.


Nah. But I do blame the manager for installing shitty locks and passing out keys to neighboring apartments.

They should have had 2FA or at least robust password requirements. Based on the articles I’ve read, it sounds like they didn’t have strong requirements.

There are ways to mitigate the stupidity of users. Pretty sure that’s about 90% of what infosec is for. Seems like 23andme didn’t bother and then allowed and encouraged data sharing of sensitive personal data in a social network type environment. Because money. There were ways to prevent this breach and even more ways to make sure the only victims were the ones reusing passwords or using easily cracked passwords. 23andme is holding some extremely sensitive information. They ought to act like it.


So some users were victimized even though they did not reuse passwords then?



Because of the way that the DNA Relatives feature matches users with their relatives, by hacking into one individual account, the hackers were able to see the personal data of both the account holder as well as their relatives, which magnified the total number of 23andMe victims.
h allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

23andMe also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information, the spokesperson said. (23andMe declared part of its email as “on background,” which requires that both parties agree to the terms in advance. TechCrunch is printing the reply as we were given no opportunity to reject the terms.)


Blaming your customers for your poor security isn’t going to help you keep them.