[HN Gopher] 23andMe scraping incident leaked data on 1.3M users
___________________________________________________________________
23andMe scraping incident leaked data on 1.3M users
Author : doener
Score : 122 points
Date : 2023-10-06 20:08 UTC (2 hours ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| hn_throwaway_99 wrote:
| I wonder if companies will seriously start to rethink "transitive
| permissions" or "network permissions". This is very similar to
| what bit Facebook in the ass years ago: I have permissions to see
| all the data of my friends, but in the past I could also click a
| button to let someone who requested see not just my own info, but
| also all the info from my friends.
|
| From a "computer science" perspective this makes sense: if I say
| you can view all my data, I lose control with who else you share
| that data with. But from a "human" perspective, most people don't
| think that if I give you access that I'm essentially giving
| access to the rest of the world.
|
| These types of network permissions make any company who holds
| them a prime target because it means bad guys only need to hack a
| few accounts to get exponentially more data.
| effnorwood wrote:
| [dead]
| RadixDLT wrote:
| anything that has connections to google is going to be a privacy
| nightmare
| dboreham wrote:
| How do you exfil data on 1.3M users by guessing a few passwords?
| worksonmine wrote:
| They're not guessing passwords, they have a list of e-mails and
| passwords from other leaks and are hoping the users are using
| the same credentials on all their accounts. Since password
| managers aren't mainstream yet it works.
| nemacol wrote:
| How do you hide authenticating 1.3+m unique accounts? A
| distributed system? A mess of VPNs? Or they don't hide it
| because the auth system is not checking for 1.3 million auth
| attempts?
| juunpp wrote:
| The latter. Forget tracking auth attempts:
|
| > The researcher added that he discovered another issue
| where someone could enter a 23andme profile ID, like the
| ones included in the leaked data set, into their URL and
| see someone's profile.
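A defender's view of the question raised above (how 1.3M+ login attempts against distinct accounts could go unnoticed): a small added example, not 23andMe's code or logs, that runs two checks over a constructed auth log. The per-IP check flags a source that cycles through many different accounts with mostly failures and lists which accounts did log in from it; the site-wide check catches the "distributed" variant where each IP stays quiet but the global failure rate and number of distinct accounts hit both jump. Log format, addresses, accounts and thresholds are all made up here.

```python
"""Credential-stuffing detection over constructed auth logs.

Added illustration for the thread (not 23andMe's code or logs). The log
format, IPs, accounts and thresholds are assumptions made up here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <src_ip> <email> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 walks through many different accounts with mostly failures
# (the stuffing pattern); 198.51.100.9 is one user who mistyped once.
SAMPLE_LOG = """\
2023-10-01T00:00:01Z 203.0.113.7 a1@example.com LOGIN_FAIL
2023-10-01T00:00:02Z 203.0.113.7 a2@example.com LOGIN_FAIL
2023-10-01T00:00:03Z 203.0.113.7 a3@example.com LOGIN_OK
2023-10-01T00:00:04Z 203.0.113.7 a4@example.com LOGIN_FAIL
2023-10-01T00:00:05Z 203.0.113.7 a5@example.com LOGIN_FAIL
2023-10-01T00:00:06Z 203.0.113.7 a6@example.com LOGIN_FAIL
2023-10-01T00:00:07Z 198.51.100.9 bob@example.com LOGIN_FAIL
2023-10-01T00:00:09Z 198.51.100.9 bob@example.com LOGIN_OK
"""


@dataclass
class IpStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)     # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts that logged in OK


def parse_auth_log(text):
    """Return a list of (timestamp, ip, email, ok) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, outcome = line.split()
        events.append((ts, ip, email, outcome == "LOGIN_OK"))
    return events


def per_ip_stats(events):
    stats = defaultdict(IpStats)
    for _ts, ip, email, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(email)
        if ok:
            s.successes += 1
            s.compromised.add(email)
    return stats


def flag_stuffing_ips(events, min_distinct=5, max_success_rate=0.3):
    """Map each flagged source IP to the accounts that successfully logged in from it.

    A source that tries many distinct accounts and rarely succeeds is replaying
    someone else's credential list; the few successes are the accounts to reset.
    """
    flagged = {}
    for ip, s in per_ip_stats(events).items():
        success_rate = s.successes / s.attempts
        if len(s.accounts) >= min_distinct and success_rate <= max_success_rate:
            flagged[ip] = sorted(s.compromised)
    return flagged


def distributed_signal(events, max_fail_rate=0.2):
    """Site-wide view for low-and-slow stuffing spread across many IPs.

    Per-IP counters stay quiet when each address makes only a few attempts, but the
    overall failure rate and the count of distinct accounts targeted still rise.
    """
    attempts = len(events)
    fails = sum(1 for e in events if not e[3])
    accounts = {e[2] for e in events}
    fail_rate = fails / attempts if attempts else 0.0
    return {
        "attempts": attempts,
        "distinct_accounts": len(accounts),
        "fail_rate": fail_rate,
        "suspicious": fail_rate > max_fail_rate,
    }


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    print("per-IP flags:", flag_stuffing_ips(ev))
    print("site-wide:", distributed_signal(ev))
```

The per-IP thresholds here are deliberately low so the tiny sample trips them; in production they are tuned against a baseline of normal traffic, and the site-wide failure rate is compared against the same hour on previous days rather than a fixed constant.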
| jtriangle wrote:
| Ah, so they were able to use a few accounts, then fuzzed
| the URLs to victory...
|
| Amazingly incompetent.
| gwbas1c wrote:
| I recently had to explain to a tech lead that you can
| "never trust the client," because any dedicated party can
| just curl around your UI and send whatever HTTP request
| they want.
| dylan604 wrote:
| I remember when this first occurred to me from me
| deciding that I didn't want to click download a series of
| things on some website where this was the intended use. I
| wrote a small shell script to curl it for me, and
| somewhere during the process of writing the script, I
| realized the true "power" of this. Ever since then, GET
| with search queries were protected against in everything
| I wrote from that point forward. Luckily, that was in the
| late 90s, so it's been a minute.
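The two points above (a profile ID typed into the URL being enough to see a profile, and "never trust the client") come down to the same fix: authorization decided on the server per request. The following is an added example, not 23andMe's code, with made-up accounts and data. `get_profile_insecure` shows the flawed shape, where the ID alone is treated as permission; `get_profile` checks who the logged-in viewer is, whether the profile owner opted into sharing with matched relatives, returns only the reduced fields, and caps how many relative profiles one login can pull. The unguessable IDs are a defence in depth, not the authorization itself.

```python
"""Server-side authorization for a relative-profile lookup.

Added illustration for the thread (not 23andMe's code). Account names,
profile data and the view cap are assumptions made up here.
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Profile:
    profile_id: str
    owner: str                          # account that owns this profile
    display_name: str
    ancestry: str
    share_with_relatives: bool = False  # the owner's explicit opt-in


class ProfileStore:
    def __init__(self):
        self.profiles = {}                 # profile_id -> Profile
        self.relatives = defaultdict(set)  # account -> accounts matched as relatives
        self.views = defaultdict(int)      # account -> relative profiles viewed so far

    def add(self, owner, display_name, ancestry, share_with_relatives=False):
        # Random id: removes the "type an id into the URL" shortcut, but it is
        # not a substitute for the authorization check in get_profile.
        pid = secrets.token_urlsafe(16)
        self.profiles[pid] = Profile(pid, owner, display_name, ancestry, share_with_relatives)
        return pid

    def link_relatives(self, a, b):
        """Record a DNA match between two accounts (symmetric)."""
        self.relatives[a].add(b)
        self.relatives[b].add(a)

    def get_profile_insecure(self, profile_id):
        """The flaw quoted in the thread: the id alone is treated as authorization."""
        return self.profiles[profile_id]

    def get_profile(self, viewer, profile_id, view_cap=200):
        """Authorize on the server, independent of anything the client put in the URL."""
        p = self.profiles.get(profile_id)
        if p is None:
            raise LookupError("no such profile")
        if p.owner == viewer:
            return {"display_name": p.display_name, "ancestry": p.ancestry, "owner": p.owner}
        # Only matched relatives of an owner who opted in may see a reduced view.
        if viewer not in self.relatives[p.owner] or not p.share_with_relatives:
            raise PermissionError("viewer may not see this profile")
        self.views[viewer] += 1
        if self.views[viewer] > view_cap:
            # One login must not be able to walk the whole relative graph.
            raise PermissionError("relative-profile view cap reached")
        return {"display_name": p.display_name, "ancestry": p.ancestry}


def demo():
    """Constructed store: alice opted into sharing, dave did not; carol matches nobody."""
    store = ProfileStore()
    ids = {
        "alice": store.add("alice", "Alice", "group A", share_with_relatives=True),
        "bob": store.add("bob", "Bob", "group A"),
        "carol": store.add("carol", "Carol", "group B"),
        "dave": store.add("dave", "Dave", "group A", share_with_relatives=False),
    }
    store.link_relatives("alice", "bob")
    store.link_relatives("bob", "dave")
    return store, ids


if __name__ == "__main__":
    store, ids = demo()
    print(store.get_profile("bob", ids["alice"]))   # bob is a matched relative of alice
    try:
        store.get_profile("carol", ids["alice"])    # carol is not
    except PermissionError as e:
        print("denied:", e)
```

The view cap is per authenticated account, which is the right unit here: the thread's scenario is a few thousand valid logins, each of which looks like a normal user to IP-based rate limiting, so the limit has to follow the identity rather than the address.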
| SketchySeaBeast wrote:
| Well, it seems they took advantage of a feature that indicates
| who you may be related to, so they must have guessed Genghis
| Khan's password.
| ganeshkrishnan wrote:
| MONGOLIAN71682@HOTMAIL.com and password "SHADOW_RAIDERZ123"
| that was easy.
| varenc wrote:
| Each valid login+password got the scrapers many many profiles.
|
| 23andMe has a feature that lets you see people you're related
| to and view their profiles. My guess is this feature had few
| rate limits and allowed you to view the profiles of people very
| distantly related. So perhaps with a couple thousand valid
| account logins you could eventually look up the profiles for
| 1.3M users.
| hammock wrote:
| According to this tweet, the hackers likely got ALL of the data
| but only leaked a subset, 1.3 million records (only the ashkenazi
| Jews)
|
| https://x.com/mattjay/status/1710370423311888724?s=20
| ChrisArchitect wrote:
| [dupe]
| ChrisArchitect wrote:
| More discussion over here:
| https://news.ycombinator.com/item?id=37794379
| spullara wrote:
| Maybe they could send me my dad's account password he lost years
| ago and no longer has the email address.
| oger wrote:
| [flagged]
| 23B1 wrote:
| No, but you should feel sorry for all the people who refused to
| entrust 23andMe but whose relatives didn't get the memo.
| They'll be hurt by this too.
| btgeekboy wrote:
| 23andMe is a 17 year old public company with almost $300m in
| revenue. I'd hardly call that a startup.
| ganeshkrishnan wrote:
| I visited the site in the screenshot and saw someone peddling
| NATO leaks from their Philippines visit including "PLANCTON,
| CRONOS, CA SIRIUS, EMADS, MCDS, B1NT etc" And one more list of
| some Ukrainian citizens database from 2023.
|
| please don't kill me CIA! I swear I accidentally saw it.
|
| welp! time to head back to my work.
| mottosso wrote:
| That's exactly what a spy would say. Get'em boys!
| mrobins wrote:
| $75k. Tell me the government doesn't take privacy seriously
| without telling me that government doesn't take privacy
| seriously.
|
| > Three weeks ago, genetic testing firm 1Health.io agreed to pay
| the Federal Trade Commission (FTC) a $75,000 fine to resolve
| allegations that it failed to secure sensitive genetic and health
| data, retroactively overhauled its privacy policy without
| notifying and obtaining consent from customers whose data it had
| obtained, and tricked customers about their ability to delete
| their data.
| juunpp wrote:
| I already find the narcissistic "welcome to you" message on the
| package inducing of extensive amounts of vomit. And then they
| only get $75k for this? I want them to go DOWN.
| readyplayernull wrote:
| The FTC takes the its_not_about_the_money.jpg meme very
| seriously.
| 1B05H1N wrote:
| Whoopsie daisy.
| Calamitous wrote:
| This is precisely why, though I find it to be a fascinating idea,
| I have steadfastly refused to do one of these genetic tests.
| libraryatnight wrote:
| I remember a Simpsons joke where Homer finds out the government
| has everyone's DNA on file and asks about it and they say "Yep
| everyone who's touched a penny since 1932" or something.
|
| Turns out it didn't need to be that elaborate, you could just
| ask folks to mail it in ;)
| skilled wrote:
| Ongoing discussion,
|
| _Genetics firm 23andMe says user data stolen in credential
| stuffing attack_ (https://news.ycombinator.com/item?id=37794379)
| [deleted]
___________________________________________________________________
(page generated 2023-10-06 23:00 UTC)