23andMe's blame is an obfuscation of the problems which underlie this situation.

1. There is the matter of having insufficient granularity in their sharing options within the DNA Relatives program. It comes with two general levels, which is not enough.

2. 23andMe limits one to seeing the closest 1500 matches who have opted-in to DNA Relatives. That would have allowed a hacker to collect data on most people in the database despite having only a few thousand compromised accounts. (Haplogroups, ethnic origins predictions, names, profile data, a list of relatives, and information on geographic origins.)

3. The 1500 match limit would be helpful, in theory, however for some time (recently) it was possible to see profiles beyond those 1500 matches. I'm not certain if these were limited to only those who shared matching DNA segments but who fell outside of the 1500 match limit. And I can't be certain if this was part of the method exploited by these malicious actors.

> If you choose to participate in the DNA Relatives feature, you have multiple privacy options to suit your individual preferences. For complete privacy, you can opt out of DNA Relatives entirely.

How is a feature opt-in if you need to opt-out to get "complete privacy"? What does complete privacy mean in this case and how does it compare to privacy that you can reasonably expect?

I call bullshit on their statement that the feature is opt-in.

But "opt in" and "opt out" as verbs mean "choose to/not to participate". So you can in fact "opt out" of an "opt-in" feature. It means choosing to keep the default of not opting in.

You could rephrase the 23andme statement to be something like “users of this feature can choose from a range of privacy settings. For complete privacy, do not use this feature (which is the default setting).”

Karma seems to always work things out.

Technically, 23andme is also pretty bad, which is hard to understand given that they employ very competent people and they are well funded. Seems like a space ripe for disruption. Their biggest competitor, DecodeME, never really aimed at B2C and just used customers to harvest data, then sold to a pharma.

23andme genetic risk scores are mediocre at best. Promethease makes better predictions. For example, in my case I have a high risk MHC allele, which is both trivial to predict and well understood since the 1980s. Never popped up on their reports, yet it is the first item you see if you feed your 23andme raw data to Promethease, or if you analyze the data yourself.

Back then, few people had the mindset of, "if they own my data, they own me." But we're starting to see it take hold.

Your would-be future employers may reject you because of this data. Why hire someone with a higher risk of certain diseases or disables? It'd be illegal, but companies don't care about breaking the law if it's profitable and it'd basically take a whistleblower for anyone to know it happened. They certainly won't tell you that's why you weren't hired.

You could be denied housing or be targeted by extremists. More likely though, you'll be targeted by pharmaceutical companies. If the police didn't already have a copy of your DNA on file you might now have a place in every police line up, in any state in the US, for every crime committed where DNA evidence is collected. You could get wrongly flagged as a match through human error or statistics but either way it'll be on you to hire the lawyer who will have to prove your innocence.

We're moving toward a digital caste system (several really) where the data governments and corporations have on you will determine what you're allowed to do, how much you'll pay for things, and what opportunities you'll have. Every scrap of data you surrender will be used against you by anyone willing to pay for it, used in whatever way they think will benefit them, at any time, and you'll probably never even realize what happened. Just like right now, where companies don't tell you that they used your personal data to determine how long to leave you on hold. There's no telling what kinds of harms this could bring you, and there's no taking your data back to prevent any of it either.

I hope that data never comes back to haunt you. I'd sure hate to need to count on that never happening though.

Do you really think a judge would allow a guilty verdict based on stolen genetic data obtained from a hacker?

Do you really think braindead landlords and HR people would make decisions based on Promethease or whatever future tool replaces it?

Monetarily the genetic data is marginally valuable at best, which is the same reasons 23andme revenue comes almost entirely from novelty-seeking consumers rather than industry.

It doesn't really matter if you're the guy who gets arrested for riding his bike (https://www.nbcnews.com/news/us-news/google-tracked-his-bike...) or the guy who gets arrested because of his DNA (https://www.science.org/content/article/forensics-gone-wrong...) or the guy who gets arrested due to facial recognition (https://www.cnn.com/2021/04/29/tech/nijeer-parks-facial-reco...) it's going to suck for you either way. They're all just different types of ammo that will eventually be used against you somehow or other.

If there’s any reason not to care, it’s not the lack of impact, it’s the impossibility of securing the data. I could sit here all day and convince you that you should care and then your cousin would get a dna analysis done and that would ultimately make all your caution mostly irrelevant. The only effective way to ensure genetic privacy is a legislative effort to control access to genetic databases, trying to avoid being put in such a database is only going to slow down how fast this happens.

Running -80C freezers is not cheap! I have 3 -80C freezers in my lab, those large chest-freezers, and each uses 22 kWh per day for a total of 66 kWh per day. Apparently the average US household consumes 29 kWh per day, so we use up 2 houses per day.

Our freezers certainly don't hold the 14 million samples 23andMe supposedly has, more like in the low thousands. They'd need the power-usage of a city to keep all those samples OK!

Just remember that no matter who in charge you think is neutral or bad or great, things change, attitudes change, shit happens (remember the Patriot Act?)...

It isn't paranoid to say 'I don't trust the future, let's act cautiously instead of frivolously with things that have the potential to be extremely valuable to me, extremely impactful to society, and in which currently sits the greatest unexplored potential of this generation'.

But ok. Next time you go in for surgery tell the doc not to wash their hands because you aren't a scaredy cat.

Refusing to willingly take stupid risks is different than trying to live a life without them at all.

Google is pretty good at security, no?

https://cloud.google.com/blog/products/management-tools/lear...

I'm not particularly worried about Google stealing my credit card number and making fraudulent purchases. But I am worried about criminal organizations doing this.

There's so much FUD on HN about big tech companies, but I'm skeptical that their wickedness actually lives up to the hype. I suspect it is more of a clickbait miasma (journalists hate Google because they took revenue from the media industry) than anything based in fact. Google provides free and useful products (Google Search, Gmail, Android) to people across the world. Billions of people use this stuff voluntarily -- why?

If Google is "about as user hostile of an organization as there has ever been", it should be easy for you to come up with at least 3 examples off the top of your head (no searching for "14 ways Google is evil" listicles) of them being at least as nasty (on a per capita basis relative to the population of people they have relationships with) as the literal mafia. It should be no trouble at all. So, could you please do that for me?

My take is, if targeted advertising is the biggest thing you're worried about in terms of cybersecurity, you are probably doing reasonably well at staying secure.

I also think we can learn a lot about security from Google even if they comply with federal court orders requesting user data. "Willingness to comply with federal court orders" and "competence at securing data against cyberattacks" are two different things.

>Have you ever seen security done right anywhere? In my experience, it's always the bare minimum.

I think there's a lot of ground between doing the bare minimum for security and hardening your organization against the NSA. Every step towards greater security is a step I support, even if your organization isn't able to reach the "hardened against the NSA" level.

I'm happy for you if you want to harden yourself against the NSA, but I dislike black-and-white thinking. I care about harms to users which come from non-NSA threats too. Case in point: the original post about hackers selling 23andme data -- presumably to clients who are not the NSA, in some cases.

If every discussion of how to improve security gets derailed into a discussion of how evil the NSA is and how practically no one is secure against them, then organizations will continue to do security badly, and we'll see more breaches like this 23andme breach. Fatalism is a self-fulfilling prophecy. I see it every day here on HN.

https://www.zdnet.com/article/google-the-nsa-and-the-need-fo...

To break the cycle, it helps to share concrete evidence of Google misbehaving rather than just presenting it as a fact that everyone knows. You get what you incentivize. If the feeling that Google sucks on privacy isn't linked to specific Google misbehavior whenever it is brought up, Google execs will correctly realize that users will feel the same no matter what decisions they actually make.

As a concrete point for discussion, in the zdnet article it states:

>After the news about NSA snooping first broke over the summer, Google decided it was time to start encrypting its datacenter-to-datacenter communications.

Is there an analogous security story from more recently where Google didn't try to address the problem in a similar way?

One thing I've come to realize over the past couple of decades is that with internet/tech/VC startups in particular, the statements they make about goals, philosophy, core values, and ethics are subject to change as needed to secure more funding, increase revenue, or in case of acquisition.

You really cannot trust what any company says until they've been in business at least ten years with an unbroken record of responsible, trustworthy operation. And even then it can all change with a merger.

I would, however, love to send my DNA to a company if they could provide the results without knowing any information about me whatsoever. For instance: I would be more than willing to buy the kit with cash and send it back with a burner email. Has anyone heard of such a service?

The link between 23andme and Google is tangential at best. Anne Wojcicki and Sergey Brin were married and that’s it, but they are completely two different people.

I have no idea how you’d ever consider 23andme a reputable company. Reputation comes from 20+ years of history — your actions, not what you say. 23andme is not even 20 years old yet — how can you trust something that young?

People have been screaming this from the rooftops even back then.

Why? Because there's no telling what happens to it. It's a failure of judgement to believe that just because a company is reputable today that it will be reputable tomorrow. Companies change owners, they change board members, they get bought and sold. And _hacked_.

So let's stop this nonsense of giving everyone a free pass because it was a "solid, reputable company". Maybe we can give grandma a pass, but someone on a technically minded forum such as HN should know better.

https://www.snpedia.com/

I think there's plenty of room for a new competitor to make money, but you can bet that any similar service is going to be just as bad for people's piracy and security. Nobody is going to collect and store that kind of data without either selling it or being forced to turn it over.

If you had not mentioned this i would have thought they weren't testing people at all.

Basically you either have hot backups you can delete from (this is bad for obvious reasons), or your backups expire in a given time (this is most common), or you have each record encrypted with an encryption key that is saved in other ways so you only have to destroy those to make the data irretrievable.

Of course, that system has to be backed up, etc, etc.

My theory is that you’re making a concession somewhere in the backups to a separate keyring system. Either there is no cold backup, or you don’t do cold backups at all, or your cold backup is actually semi-warm and needs to be hooked up to a system intermittently to be reconciled against production (in which case, the backups need backups to protect against a failure on the reconciler system.) The onus is on the answerer to tell me how they would avoid one of those concessions. Respectfully, anything else/less is just fluff like, “it’s totally possible.”

https://www.forbes.com/sites/nicolemartin1/2018/12/05/how-dn...

Because it seemed harsh to me, maybe I don't care about them security of some data and so use a weak password; that's on me, surely?

Based on the feedback I hear from my non-tech friends and family, not allowing them to use their single password used for everything would be a good way to exclude those folks from using whatever service you're trying to sell them.

Then again we walk about touching things, leaving convenient DNA samples for anyone to collect throughout the day. It’s only because sequencing is relatively high cost at present that we have the illusion of privacy. Once we go in equivalent terms from mainframes to single board computers in the DNA world, then anyone can pretty much have at your personal genome.

Would love to see how the criminal forensic science guys adapt their narrative to this impending reality.

They are just lying, and you know they know they are doing something unethical, because they wouldn’t need to make up nonsense phrases otherwise.

I only know the meaning where it is a deliberate thing to attract bad actors. Is the entire company not meant to provide genetic information?

They can be unavoidable but need to be well protected. Most companies fail at this.

All it takes is one employee to pip install the wrong library or fall victim to a phishing attack or 3rd party vendor attack and its over. And on a long enough time scale, it happens.

https://en.wikipedia.org/wiki/Honeypot_%28computing%29

TL;DR: A honeypot is like a bait car in a police sting operation; It's something that looks like a vulnerable system with something of value to attackers, but in reality is a fake meant to catch intruders or collect data on them.

It sucks since I have zero trust that they would actually delete my data if I asked them too, and even if they do is that data still living somewhere fed into some model or research or whatever.

I hate to say that there is a part of me that kinda doesn't want to know if my data is a part of this, this just feels different than a credit card or some shopping data leaking.

Even worse since I have not gone to 23andme in a while, I feel like this was likely also before I cared about proper password security so it would not surprise me.

My data is probably in this breach too, and I am not going to waste one second of my life on regret over it.

Stay tuned to find out if you get something from the class action lawsuit. Like the experion hack, you may at least get an interesting coffee table artifact when they mail you a pathetically small check.

Maybe this doesn’t matter today but who knows what it’ll be valued at 50 years from now?

Don’t upload your saliva to the internet folks.

Seems like there is at least some value.

But let's wait until it's clear whether raw data was actually leaked.

I remember a few years ago there was a button to download raw data.

So if you can log in you can just download.

What we know thus far is that the malicious persons who compiled these datasets are scraping user profiles of DNA Relative matches who are related to the accounts which they were able to directly compromise (likely as a result of password reuse). The posters claim to have accessed around ~7M profiles, which means the lower limit for directly compromised accounts is ~4700, although likely much higher (maybe a factor of 10?), given the overlap in match lists, and provided that their boasts are true. So that's potentially ~5000-50000 profiles.

For those directly compromised accounts raw data could be downloaded. For profiles scraped, it would not be feasible to obtain raw data. However it is possible that partial genetic sequences might be assembled for matches. This was at the core of security researchers' investigations into GEDmatch a few years ago [0]. 23andMe does not face the same vulnerability, however with enough compromised accounts it is likely possible to infer a modest proportion of the DNA sequences of profiles which are known to match.

[0] https://www.washington.edu/news/2019/10/29/genetic-genealogy...

If you call criminal convictions "little more", sure.

Many people consider that a good thing, but I'm not talking about moral valence or vibes - the point is they are an industry supplier of PII that sends people to jail.

Your argument only makes sense if you believe you are innocent of all present and future crimes, which is an impossible fact to know by the very fact that you do not know the laws in the future.

Your last sentence is a counter-argument against excuses for surveillance. "The argument 'you have nothing to worry about if you did nothing wrong' means you think you know what laws in the future will be like." It's inappropriate here because we're not talking about surveillance; we're talking about people who willingly gave out their genetic data to some company. The company did not divulge the data, so this discussion is not about privacy and ethics. Maybe don't tell Facebook everything there is to know about you? Maybe don't send genetic samples to whoever to learn random nonsense that doesn't matter about your ancestry? If you do and it leaks, TS?

pretty bold claim -- as with any additional justice element the innocent will be trampled to some degree.

Here's the thing : it doesn't just open up criminals for prosecution, it also opens up the 23andme population to an even larger arrangement of possibilities for self-incrimination and 'incorrect or misdirected pursuits of justice'.

It's nice that a well known murderer was found out, but the reality of the situation is that we likely wouldn't hear very loudly the stories of innocent folks with cases mishandled by a law enforcement bureaus that were enabled by 23andme or similar services. It looks bad on the law enforcement agencies and it looks bad for the corporation.

I don't think so. How would that even work? It's not much different from framing someone of a crime just by knowing their blood type.

>we likely wouldn't hear very loudly the stories of innocent folks with cases mishandled by a law enforcement bureaus that were enabled by 23andme or similar services

Nah. Let's suppose that someone made a typo and Mr. Buttle is accused of committing the crime Mr. Tuttle, who deposited his genetic material, committed. While the Buttle-genome link is a useful piece of evidence, it's on the judge to request a saliva sample from Mr. Buttle to ensure a trustworthy source of information. If he doesn't, well, it sucks for Mr. Buttle that he got a lazy judge, but it's not on the company. The person who wrote down the name could not have known that information would at some later point be misused to lockup an innocent man.

Honestly, some of these responses are so strange. It's like these people don't understand that they don't live completely by themselves and that the actions of other people affect them, regardless of what technology exists.

https://www.thepmfajournal.com/education/medico-legal-forum/...

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4581010/

Now the chances of your DNA being at the scene of a serious crime and you being convicted a a result of a data breach are fairly remote, more the stuff of crime fiction as entertainment. But strange things do happen:

https://daily.jstor.org/forensic-dna-evidence-can-lead-wrong...

I don't see what the existence of the database changes. With or without it there are ways by which you can be linked to a crime you had nothing to do with, and it doesn't seem like it can't be used for anything other than quickly getting a list of people who might have been at a crime scene. The article you linked is not about DNA databases, it's about how DNA evidence is misused by law enforcement. All it says about DNA databases is that black people are over-represented in them.

Sorry your judicial system depends on the savviness of random idiots off the street, but it has nothing to do with whether companies like this one exist.

But I registered under a false name, gave the test kit to my dad, and had him test one of my aunts too.

So it wasn't as exact but it was good enough to sate my curiosity.

Everything gets hacked sooner or later. A famous hacker once said that you should assume that everything you say or write will one day be public information.

Edit: And before anyone says "how could you do that to your father", if you knew him you'd understand. He's practically off grid and he's going to die soon, the aunt is already dead.

Do you mean like for drug discovery and other medical research? Why would that be a bad thing?

But it still removes my ability to delete my data, especially when 23andMe has proven that they are not properly safeguarding this data.

Also me donating this data to a research organization vs being lured in by 23andMe's marketing are drastically different things.

Excerpt for the second part:

> To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

So they don’t call for an exact probability, but if you can prove you did appropriate threat modelling and put controls in place to counter those threats you should be fine. You are literally doing more than most companies if you manage that.

I've had someone give one as a gift, so glad I didn't do it.

Not that i really care, you're not going to find a password or my first pets name in my DNA.

My mom did.

She never asked me, or anything. But half my material is right there, in an irrevocable database, now leaked online for the world. And I have no genetic rights or any claim, even though half is explicitly mine.

Honestly I am not sure where I stand on that issue. Or rather it's probably to do with society wide regulation not individual rights ...

If a stranger had asked OPs mom for OPs phone number out of the blue, there are many moms that wouldn't share a PHONE NUMBER without asking the phone number holders permission.

But fewer would ask their relatives if it's ok to stick a decent portion of their DNA into a database.

It should be obvious that, to the OP, the important part is the 1% that is unique, not the 99% which isn't.

Should mom not be allowed to give out her number. She had it first. Or should mom need to clear every use of her data with her kids because it might affect them.

Should OP get mom’s permission before emitting genetic material on a lover because that material is half of mom’s dna?

I think this is not a path that can be exactly logiced out, so I stick with “do what you want with your data.”

Even stalking LEO ex boyfriends | former husbands mostly left a paper trail if they requested a DNL number.

Anger is better directed at legislators for not regulating these sorts of businesses under HIPPA and similar laws. Your mom’s medical records also contain a bunch of sensitive information about you and yet you probably don’t get mad each time she visits the doctor despite the privacy risk this incurs.

Treating 23andme like a lighthearted way to enhance your genealogy hobby or whatever is actually so fucking wild. This shit is not a game, only a SMALL fraction of the victims are 23andme’s customers. 23andme’s responses to me are proof enough the entire company should be shuttered because they are grossly negligent and don’t understand what business they are in or what they just did or how they fucked up.

And digging around the breachforums DOT is/Thread-23andMe-Great-Britain-Originated-4M-Genetic-Dataset , you see stuff like

"The data includes information on all wealthy families serving Zionism. You can see the wealthiest people living in the US and Western Europe on this list."

This link combined with the 2nd one doesnt look good in any stretch of imagination. These are antisemitic leaks intended for harassment and/or hit lists. It definitely looks BAD. But again, it's already in the world now.

-------------------------

Here's the schema of said data ( breachforums DOT is/Thread-DNA-Data-of-Celebrities-1-million-Ashkenazi-REPOST ):

profile_id; account_id; first_name; last_name; sex; birth_year; has_health; ydna; mdna; current_location;region_1;region_2;region_3;region_4;region_5;subregion_1;subregion_2;subregion_3;subregion_4;subregion_5;population_id1;population_id2;population_id3

Fuck these guys. Fuck their bullshit misdirection.

This is the equivalent of corporate doxxing. Until individual execs in these mega-corps that piss in the face of their users bear individual consequence for this type of thing it’ll keep happening.

Because until then there’s no requirement to actually really give a shit. We’re grist in the money mill.

The lack of consequence has me seething more than the breach.

> Edit: the victim shaming in comments here is staggering.

And while 23andMe claims that a credential stuffing attack was at the root cause of this leak, the hacker(s) who first posted about this leak on Hydra Market over 2 months ago claim that they simply used (abused?) an API that 23andMe offered to their academic and research collaborators.

The hacker(s) claimed to have 300TB of data, including raw data, but have not proven that the scope of the attack was that large. But if their claim is true, then the breach was definitely not due to a credential stuffing attack, but fits well with the hacker(s) claim of using an API.

So, if the extent is as claimed by the attacker(s), then it is much more likely that one of 23andMe's API was used to scrape everyone's data, not a credential stuffing attack. Either one of their collaborating researchers got hacked, or they had (have!?) an access control vulnerability in their API which allowed the attacker to again scrape everyone's data.

I cannot find much information about the API 23andMe offers, but I did find one on RapidAPI (https://rapidapi.com/23andme/api/23andme), and indeed if there was some sort of access control vulnerability or some sort of hack of an escalated user then with even 1 individual as a starting point, they could download the data using various endpoints (there's even an endpoint for the entire individual's genome...) and then get the relatives of that individual (an endpoint for that too) and then recursively do the same for all relatives until every person has been downloaded once.

At this point in time, I am highly suspicious of 23andMe's defense but until the attacker releases proof that they have raw data we can't really prove that they're wrong/lying about the actual magnitude of the attack. But I do believe their claim of using an API makes a lot more sense than the way 23andMe proposed, so I am very worried.

so you're saying they used a genetic algorithm ? sorry, couldn't resist.

23andMe grabs a person by the source code and somehow that isn't considered obscene.

I don't understand privacy nuts.

What exactly is someone going to do with my DNA? Any entity that's a threat to use it for something nefarious is going to get it from me pretty easily. They could grab any number of physical items that I've touched or left my hair on etc.

Should they do a better job of protecting the data? Yes. Am I going to freak out over something that will likely not affect my life in any way? Nope.

I'm not sure how they worded this but it's their shortcoming, not their customers. Customers reuse passwords and will continue to do so. For sensitive PII it's far easier to enforce 2FA or Google SSO than to change customer behaviour.

Regardless, the key quote from the linked article:

"23andMe blamed the incident on its customers for reusing passwords, and an opt-in feature called DNA Relatives, which allows users to see the data of other opted-in users whose genetic data matches theirs. If a user had this feature turned on, in theory it would allow hackers to scrape data on more than one user by breaking into a single user’s account."

Not all compromised credentials are used in credential stuffing attacks.

I saw this idea somewhere on here a few months ago, and since then, granting users the ability to set their own passwords seems like a dumb thing to do!

Forcing passwords onto users is a sure fire way to get people to write their passwords down and constantly get locked out of their account. In some circumstances that’s not a problem. For local domain access, that’s completely unworkable. For websites it makes a little more sense since users can use password reset via email, but if you’re going to expect people to rely on that then you might as well allow them to set a password and use email as 2FA.

[1] https://haveibeenpwned.com/API/Key

(23andme customer using Apple SSO, have strong opinions on customer IAM, passwords must die)

https://www.troyhunt.com/understanding-have-i-been-pwneds-us...

Yeah I know there's the whole genetic disorder screening thing which might receive more updates in the future, but I think most of their customers probably did this for the novelty of knowing where they came from.

I mean, 23andme has one of the ultimate methods of account recovery available to it. (ignoring that people tend to leave copies of their DNA everywhere, but then you could just mail that in under a John Doe and find out all the same info anyway).

While I get the social media aspects of 23andme, if one can get your DNA, they could submit that to 23andme and find out everything you already knew.

I wonder how they handle duplicate submissions?

Which feature? Unless they didn't ask their user's email (which I'd find surprising), they could have added e-mail based TFA any day without asking their users to do anything.

This is a forum of engineers and builders - if a lot of data were being exfiltrated from your cloud accounts right now, would you know? What would your response plan look like? Maybe this could be a good way for all orgs to review those practices and make sure they have a plan.