Company "23andMe" hacked. DNA information on members and relatives released to web hackers

Wow. OK, I will admit I put too much into your statement about having no idea how it happened! You are just seeing this now as well? They never told you, obviously. Total hassle, but you should change

I don't do my regular banking with Truist, only the estate account and that should be getting close to the point at which I can close it out (waiting on the IRS to process returns). Only reason I'm using Truist is that my dad's accounts were all at BB&T (which became Truist) so the easiest thing to do seemed to be to set up the estate account with the same bank. Not that I want to turn this into a rant about Truist, but they also charge $5 per copy of checks that they don't make available on the website (but the bank manager can print copies inside the bank).

Horrible bank.
 
I've looked on the Ancestry.com-type webpages at my family tree. Very interesting. A lot of it is incorrect, but there were reasons that people lied about things back then. Just like today. My family immigrated about 100 years ago to the USA. Good luck if my grandparents or aunts/uncles had any birth certificates. I don't think those things existed in the old country at the turn of the century. One interesting family thing is my mother had two first cousins that were twins. Non-identical. They lived their whole lives together. One got married, had kids and was very nice. The other was a bit of a bitter spinster. However, on the immigration papers, the spinster one is listed as my grandfather's daughter and the other twin is not listed on the immigration papers. But who knows what ship they came over on and how that worked. I'm sure that the family names were Americanized at immigration.

I assume that the parents that raised me are my biological parents, but I've never asked. I know the dates of my birth and my parents' wedding don't quite add up with a 9-month delta. Lol.
 
Births, deaths, and marriages in the old country were written in the local church log/records. Yes, many times birth records have been lost, but you would be surprised at what's still out there.
 
I hear what you're saying. I knew someone who was adopted. He went looking for his birth mother and she was looking for him too. It was a big happy reunion, apparently. Not sure what data source he used. Perhaps the service mentioned would work?
The two big databases, Ancestry and FamilySearch, have a function where you can exchange messages. Then you can go from there.
 
From a CNN report via a securities filing, so this press release essentially comes directly from the company:

A Friday filing from 23andMe to the Securities and Exchange Commission said that about 0.1% of the company’s user accounts, or roughly 14,000, had their accounts breached by the hackers.

23andMe is standing by that number but is also now (12/5/23) telling reporters that the hackers were able to access some 5.5 million profiles that use a company feature called DNA Relatives that allows users to find genetic relatives. In addition, the hackers accessed a subset of family tree information on 1.4 million DNA Relatives profiles, the 23andMe spokesperson said in an emailed statement.

This reinforces my fear of these DNA testing companies and the data they possess. I know of a family that did this as a holiday gift, a bit of a lark gift, and lo and behold, it came back that one of the four kids was not from the father. And no, it was not an adoption; you can fill in what happened 20+ years ago….
How do you recover from that, both the kid and the family unit?

Has anyone here done DNA testing and had an unexpected finding from the results, or perhaps, because of the information in the database, been contacted by someone claiming to be related?

My opinion: this DNA technology has the potential for so much good for diagnosis of medical conditions. It should have been developed. BUT the results should be treated like medical records and kept secure.

Turns out the hack was on the customer side. Reporting per the WSJ:

"...The DNA test-kit company on Monday reported a hacker accessed 14,000 accounts because of password reuse, exposing information belonging to approximately 6.9 million people. The 23andMe computer network wasn’t breached and wasn’t the source of these compromised credentials, a company spokesman said in a statement. The company first disclosed the incident in October and has been investigating since then.

The passwords used to break into these accounts had most likely been stolen from other websites. Because they were reused, they also worked on 23andMe, security experts say. The type of attack is known as credential stuffing, and it puts 23andMe in the company of other major businesses who have fallen victim to the cybercrime trend, including

It isn’t uncommon to see credential stuffing used to compromise thousands of accounts, but with 23andMe, the data in question is unusual, said Ryan McGeehan, owner of R10N Security, a cybersecurity consulting firm....

"...Hackers have created a variety of automated tools to test stolen passwords against new websites. They then bundle the ones that work in databases that are sold on criminal forums. That has helped feed a jump in credential-stuffing attacks over the past few years. It has also pushed many companies into new authentication techniques such as passkeys—which ditch passwords entirely—and multifactor authentication, which requires extra identity confirmation before letting someone into an account..."
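The WSJ passage above describes the shape of a credential-stuffing attack: one source trying leaked username/password pairs against many different accounts, with the small fraction that succeed being the reused passwords. That shape is also what makes the attack detectable on the server side. The following is an added example, not code from 23andMe, the WSJ, or any vendor; the log line format, the sample lines, and the thresholds (8 distinct usernames within 5 minutes, at most a 50% success rate) are assumptions chosen for illustration.

```python
"""Spot credential-stuffing sources in authentication logs.

Brute force hammers ONE account with many passwords; credential stuffing
tries ONE leaked password against MANY accounts. So the signal to look for
is a single source IP touching many distinct usernames in a short window
with a low (but non-zero) success rate. The few SUCCESS lines from such a
source are the accounts whose reused passwords worked, i.e. the ones to
force-reset. Log format and sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (hypothetical "ts login user=... ip=... result=..." format).
# 203.0.113.5 sprays ten different accounts in six seconds and lands two of them;
# 198.51.100.7 is a legitimate user mistyping her own password twice.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z login user=alice ip=203.0.113.5 result=FAIL
2023-10-01T10:00:02Z login user=bob ip=203.0.113.5 result=FAIL
2023-10-01T10:00:02Z login user=carol ip=203.0.113.5 result=SUCCESS
2023-10-01T10:00:03Z login user=dave ip=203.0.113.5 result=FAIL
2023-10-01T10:00:03Z login user=erin ip=203.0.113.5 result=FAIL
2023-10-01T10:00:04Z login user=frank ip=203.0.113.5 result=FAIL
2023-10-01T10:00:04Z login user=grace ip=203.0.113.5 result=SUCCESS
2023-10-01T10:00:05Z login user=heidi ip=203.0.113.5 result=FAIL
2023-10-01T10:00:05Z login user=ivan ip=203.0.113.5 result=FAIL
2023-10-01T10:00:06Z login user=judy ip=203.0.113.5 result=FAIL
2023-10-01T10:05:00Z login user=alice ip=198.51.100.7 result=FAIL
2023-10-01T10:05:10Z login user=alice ip=198.51.100.7 result=FAIL
2023-10-01T10:05:20Z login user=alice ip=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["result"] == "SUCCESS"}


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=8, max_success_ratio=0.5):
    """Return {ip: stats} for sources whose traffic looks like credential stuffing.

    For every source IP, slide a window over its events in time order and flag
    the IP if any window contains >= min_users distinct usernames with a success
    rate <= max_success_ratio. The stats kept are those of the widest qualifying
    window, including the accounts that were successfully logged into.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, end in enumerate(evs):
            start_ts = end["ts"] - window
            win = [e for e in evs[: i + 1] if e["ts"] >= start_ts]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if len(users) < min_users or successes / len(win) > max_success_ratio:
                continue
            if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "compromised": sorted(e["user"] for e in win if e["ok"]),
                }
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts a flagged source logged into: the reused-password victims."""
    return sorted({u for stats in flagged.values() for u in stats["compromised"]})


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    for ip, stats in hits.items():
        print(f"{ip}: {stats['distinct_users']} users in {stats['attempts']} attempts, "
              f"compromised={stats['compromised']}")
    print("force password reset for:", accounts_to_reset(hits))
```

The point of keying on distinct usernames per source rather than on failures per account is that each victim account sees only one or two attempts, so per-account lockout never fires; the legitimate user in the sample who fails twice on her own account is correctly left alone. In practice the source key would also include things like ASN or user-agent, and the response would be a forced reset plus MFA enrolment for the accounts in the `compromised` list rather than just a log line.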
 
Birth certificates as we know them today weren't very common 150 years ago. However, for people who came from a culture or religion that practiced baptisms of newborns, those records often still exist. I have photocopies of a few that date back to the late 1860s through about 1895 from tiny towns in Italy and Sicily. Those papers were accepted by the US immigration authorities during the great migration period of the 1880s through the 1920s.
 
1) Many people really don't have the truth on their ancestry. Grandma can have it wrong, be told wrong, etc.
2) The accuracy on 23andMe is not perfect (sometimes dubious), based on regional haplo-grouping, but gets better with data/time.
3) It really angers me that medical companies have so many data breaches. It's not a theory that some hackers do this for pride or vengeance, but money IS involved. Think ransom as just a forward way, or worse, long-term use of data.
4) It's interesting. Medical, credit unions, and stores seem to be the agencies that are hacked which directly impact my life. With wife and kids, I think I can count 4, maybe 5 hacked medical institutions alone. What is curious is why not more hacks of financial institutions, banks, brokerages? They must have some serious protection. Not a theory, just thinking out loud. Not political, not lewd, not religion.
Traders were putting their trade servers right on the same server rack in the same data center with the stock exchange's server just to get the least amount of latency possible to win a timing edge. They also use FPGAs instead of software to get things done as fast as possible to win a timing edge. What do you expect they spend on security? Lobbying? Lawyers?

How much do you think you are willing to pay for your own medical record? What is the worst-case damage a human life is worth, and how much of the actual financial loss is in a medical record? We already banned insurance discrimination on this, so there is not much loss there. A human life is only 4M max, and I think a record breach is worth no more than a few hundred bucks in class action per patient.
 
About 20 years ago a woman came forward with a story that she had been adopted, later found out who her real mother was but the mother wouldn't reveal who her father was. Her mother made a deathbed confession and named my dad as her father. My dad died when I was a child so he wasn't around to defend himself and my siblings and I tried to make sure my mom didn't get a hint of the story before she passed away.

Fast forward to a few years ago. The woman did a DNA test on one of the popular websites and not only found out who her real father was, but found a couple of siblings from her real mom and real dad, and another one from her real mom and another guy.

It was a relief for my siblings and me, but it still raised the question as to why her mom named my dad as the father. We'll never know, but at least the DNA test proved she wasn't our half sister.
Women lying about paternity is not a recent thing.
 
Everything gets hacked eventually. South Carolina had their income tax records hacked in 2012.

"Using an email with a link encrypted with malware, cyber criminals made off with the income tax returns of 6.4 million South Carolina residents and businesses — exposing 3.6 million Social Security numbers, impacting more than three-quarters of the state’s population at the time — and 387,000 credit and debit card numbers."

 
The grand takeaway here is that someone clicked on that link. It's almost always people, rarely software itself, who are at the crux of these catastrophic failures. And Windows. :^)
 
Absolutely, but it likely wasn't someone who understood security that clicked the link, so why did such a person have access to the entire database? And why was the database not compartmentalized so one hack wouldn't give up the entire thing? I presume they learned much from that event, but you can't simply blame it on someone clicking a link; it was set up the wrong way to begin with.
 
"Someone clicked the link" was an example of why it is almost always *people*, not software. It is 100% someone who doesn't know a thing about "computers" who'd fall for the social engineering tactics of a sophisticated bad actor.

Your follow-up questions underscore that point. Why did Joan in HR who clicked on a link for a cheap cruise sent to her work email have access to [some given important piece of infrastructure]? Because some database or systems admin was inattentive. (That, too, is an example: I do not know anyone named Joan.)