[HN Gopher] 23andMe scraping incident leaked data on 1.3M users
___________________________________________________________________

23andMe scraping incident leaked data on 1.3M users

Author : doener
Score  : 122 points
Date   : 2023-10-06 20:08 UTC (2 hours ago)

(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)

| hn_throwaway_99 wrote:
| I wonder if companies will seriously start to rethink "transitive
| permissions" or "network permissions". This is very similar to
| what bit Facebook in the ass years ago: I have permissions to see
| all the data of my friends, but in the past I could also click a
| button to let someone who requested see not just my own info, but
| also all the info from my friends.
|
| From a "computer science" perspective this makes sense: if I say
| you can view all my data, I lose control with who else you share
| that data with. But from a "human" perspective, most people don't
| think that if I give you access that I'm essentially giving
| access to the rest of the world.
|
| These types of network permissions make any company who holds
| them a prime target because it means bad guys only need to hack a
| few accounts to get exponentially more data.
| effnorwood wrote:
| [dead]
| RadixDLT wrote:
| anything that has connections to Google is going to be a privacy
| nightmare
| dboreham wrote:
| How do you exfil data on 1.3M users by guessing a few passwords?
| worksonmine wrote:
| They're not guessing passwords, they have a list of e-mails and
| passwords from other leaks and are hoping the users are using
| the same credentials on all their accounts. Since password
| managers aren't mainstream yet it works.
| nemacol wrote:
| How do you hide authenticating 1.3+M unique accounts? A
| distributed system? A mess of VPNs? Or they don't hide it
| because the auth system is not checking for 1.3 million auth
| attempts?
| juunpp wrote:
| The latter.
| Forget tracking auth attempts:
|
| > The researcher added that he discovered another issue
| where someone could enter a 23andme profile ID, like the
| ones included in the leaked data set, into their URL and
| see someone's profile.
| jtriangle wrote:
| Ah, so they were able to use a few accounts, then fuzzed
| the URLs to victory...
|
| Amazingly incompetent.
| gwbas1c wrote:
| I recently had to explain to a tech lead that you can
| "never trust the client," because any dedicated party can
| just curl around your UI and send whatever HTTP request
| they want.
| dylan604 wrote:
| I remember when this first occurred to me from me
| deciding that I didn't want to click download a series of
| things on some website where this was the intended use. I
| wrote a small shell script to curl it for me, and
| somewhere during the process of writing the script, I
| realized the true "power" of this. Ever since then, GET
| with search queries were protected against in everything
| I wrote from that point forward. Luckily, that was in the
| late 90s, so it's been a minute.
| SketchySeaBeast wrote:
| Well, it seems they took advantage of a feature that indicates
| who you may be related to, so they must have guessed Genghis
| Khan's password.
| ganeshkrishnan wrote:
| MONGOLIAN71682@HOTMAIL.com and password "SHADOW_RAIDERZ123"
| that was easy.
| varenc wrote:
| Each valid login+password got the scrapers many many profiles.
|
| 23andMe has a feature that lets you see people you're related
| to and view their profiles. My guess is this feature had few
| rate limits and allowed you to view the profiles of people very
| distantly related. So perhaps with a couple thousand valid
| account logins you could eventually look up the profiles for
| 1.3M users.
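The point worksonmine and nemacol make above (a stuffing run replays leaked email/password pairs across many different accounts, and nobody was watching the auth log for that) is easy to turn into a detection. The following is an added example written for this thread, not code from 23andMe or from the article; the log format, the IP addresses and every line in SAMPLE_LOG are constructed, and the thresholds are assumptions.

```python
"""Credential-stuffing triage over an authentication log.

Added example (not 23andMe's code). A real user fumbling a password hits one
account from one source; a stuffing run hits many *different* accounts from
one source in a short time. That difference is the whole detection.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format: "<ISO-8601 UTC timestamp> <source IP> <account> <SUCCESS|FAIL>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")

# Constructed sample: 203.0.113.7 sprays six accounts and lands one;
# 198.51.100.4 is a real user retrying their own password.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7   alice@example.com  FAIL
2023-10-01T10:00:02Z 203.0.113.7   bob@example.com    SUCCESS
2023-10-01T10:00:03Z 203.0.113.7   carol@example.com  FAIL
2023-10-01T10:00:04Z 203.0.113.7   dave@example.com   FAIL
2023-10-01T10:00:05Z 203.0.113.7   erin@example.com   FAIL
2023-10-01T10:00:06Z 203.0.113.7   frank@example.com  FAIL
2023-10-01T10:00:30Z 198.51.100.4  alice@example.com  FAIL
2023-10-01T10:00:41Z 198.51.100.4  alice@example.com  FAIL
2023-10-01T10:00:55Z 198.51.100.4  alice@example.com  SUCCESS
2023-10-01T10:02:10Z 198.51.100.9  carol@example.com  SUCCESS
this line is malformed and is skipped
"""


def parse_log(text):
    """Return a list of (timestamp, ip, account, outcome); malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, ip, account, outcome = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, account.lower(), outcome))
    return events


def analyze(text, min_accounts=5, window_seconds=600):
    """Return (stuffing_sources, at_risk_accounts).

    stuffing_sources: IPs that attempted >= min_accounts distinct accounts
    inside one window_seconds bucket (threshold is an assumed tuning value).
    at_risk_accounts: accounts a flagged source logged into successfully;
    those sessions should be invalidated and a password reset forced, since
    the password was evidently already known from some other breach.
    """
    events = parse_log(text)
    accounts_per_bucket = defaultdict(set)
    for when, ip, account, _ in events:
        bucket = int(when.timestamp() // window_seconds)
        accounts_per_bucket[(ip, bucket)].add(account)
    sources = {ip for (ip, _), accts in accounts_per_bucket.items()
               if len(accts) >= min_accounts}
    at_risk = {acct for _, ip, acct, outcome in events
               if ip in sources and outcome == "SUCCESS"}
    return sorted(sources), sorted(at_risk)


if __name__ == "__main__":
    srcs, hits = analyze(SAMPLE_LOG)
    print("stuffing sources:", srcs)     # ['203.0.113.7']
    print("accounts to reset:", hits)    # ['bob@example.com']
```

Keying on source IP answers nemacol's "or they don't hide it" case. For the distributed case (many proxies, each touching only a few accounts), the same per-bucket structure works keyed on a device fingerprint or ASN instead, or on the site-wide count of distinct accounts attempted per window compared with a normal-day baseline; the per-IP rule alone is not enough there.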
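The quoted finding (a profile ID pasted into a URL returns the profile), gwbas1c's "never trust the client", and varenc's guess that the relatives feature had few rate limits all come down to the same server-side checks. The following is an added example, not 23andMe's code: it shows the flawed lookup-by-ID beside a handler that re-checks on every request that the requester is a computed match of the target, that the target opted in to sharing, and that the requester has a remaining view budget. All profile data, match pairs, field names and the budget size are constructed for this example.

```python
"""Server-side authorization for a "DNA relatives" profile view.

Added example (not 23andMe's code). Everything here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    profile_id: str
    display_name: str
    ancestry: str              # field the owner chose to share with matches
    raw_genotype_sample: str   # constructed placeholder; must never leave the owner's own session
    shares_with_relatives: bool = True


# Constructed data store.
PROFILES = {p.profile_id: p for p in [
    Profile("p1", "Ann", "N. Europe 80%", "AG CT TT"),
    Profile("p2", "Ben", "S. Europe 60%", "AA CC TG"),
    Profile("p3", "Cy", "E. Asia 95%", "GG CT TA", shares_with_relatives=False),
    Profile("p4", "Di", "W. Africa 70%", "AG CC TT"),
]}

# Constructed relative matches as a matching pipeline would emit them
# (undirected: p1~p2, p1~p3, p2~p4). p1 and p4 are not matched.
MATCHES = {frozenset(("p1", "p2")), frozenset(("p1", "p3")), frozenset(("p2", "p4"))}


def get_profile_insecure(profile_id):
    """The flawed pattern: trusts the ID the client supplied and returns everything."""
    return vars(PROFILES[profile_id])


class RelativeViewer:
    def __init__(self, daily_budget=50):
        self.daily_budget = daily_budget
        self.views = defaultdict(int)   # requester -> lookups today (a scheduler would reset this daily)

    def get_profile(self, requester_id, profile_id):
        """Return (status, data); status is 'ok', 'denied' or 'rate_limited'.

        'denied' covers both an unauthorized and a nonexistent ID, so the
        error cannot be used to learn which IDs are real.
        """
        # 1. Every lookup, allowed or not, consumes budget: this is what caps
        #    how far a handful of valid logins can walk the ID space.
        if self.views[requester_id] >= self.daily_budget:
            return "rate_limited", None
        self.views[requester_id] += 1

        target = PROFILES.get(profile_id)
        if target is None:
            return "denied", None

        # 2. Your own profile: the full record.
        if requester_id == profile_id:
            return "ok", vars(target)

        # 3. Someone else's: only if the matcher linked you and they opted in,
        #    and only the fields they chose to expose.
        if frozenset((requester_id, profile_id)) not in MATCHES:
            return "denied", None
        if not target.shares_with_relatives:
            return "denied", None
        return "ok", {"display_name": target.display_name, "ancestry": target.ancestry}


if __name__ == "__main__":
    print(get_profile_insecure("p3"))   # hands Cy's whole record to anyone holding the ID
    v = RelativeViewer(daily_budget=3)
    print(v.get_profile("p1", "p2"))    # ('ok', {'display_name': 'Ben', 'ancestry': 'S. Europe 60%'})
    print(v.get_profile("p1", "p3"))    # ('denied', None): Cy opted out
    print(v.get_profile("p1", "p4"))    # ('denied', None): not a match
    print(v.get_profile("p1", "p2"))    # ('rate_limited', None): budget of 3 spent
```

The two design choices worth noting: the budget counter runs before any other check, so denied lookups cost as much as allowed ones, and the relationship test is done against the server's own match table rather than anything the client sends, which is the concrete meaning of "never trust the client" for this endpoint.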
| hammock wrote:
| According to this tweet, the hackers likely got ALL of the data
| but only leaked a subset, 1.3 million records (only the Ashkenazi
| Jews)
|
| https://x.com/mattjay/status/1710370423311888724?s=20
| ChrisArchitect wrote:
| [dupe]
| ChrisArchitect wrote:
| More discussion over here:
| https://news.ycombinator.com/item?id=37794379
| spullara wrote:
| Maybe they could send me my dad's account password he lost years
| ago and no longer has the email address.
| oger wrote:
| [flagged]
| 23B1 wrote:
| No, but you should feel sorry for all the people who refused to
| entrust 23andMe but whose relatives didn't get the memo.
| They'll be hurt by this too.
| btgeekboy wrote:
| 23andMe is a 17-year-old public company with almost $300M in
| revenue. I'd hardly call that a startup.
| ganeshkrishnan wrote:
| I visited the site in the screenshot and saw someone peddling
| NATO leaks from their Philippines visit including "PLANCTON,
| CRONOS, CA SIRIUS, EMADS, MCDS, B1NT etc." And one more list of
| some Ukrainian citizens database from 2023.
|
| please don't kill me CIA! I swear I accidentally saw it.
|
| welp! time to head back to my work.
| mottosso wrote:
| That's exactly what a spy would say. Get 'em boys!
| mrobins wrote:
| $75k. Tell me the government doesn't take privacy seriously
| without telling me that the government doesn't take privacy
| seriously.
|
| > Three weeks ago, genetic testing firm 1Health.io agreed to pay
| the Federal Trade Commission (FTC) a $75,000 fine to resolve
| allegations that it failed to secure sensitive genetic and health
| data, retroactively overhauled its privacy policy without
| notifying and obtaining consent from customers whose data it had
| obtained, and tricked customers about their ability to delete
| their data.
| juunpp wrote:
| I already find the narcissistic "welcome to you" message on the
| package inducing of extensive amounts of vomit. And then they
| only get $75k for this? I want them to go DOWN.
| readyplayernull wrote:
| The FTC takes the its_not_about_the_money.jpg meme very
| seriously.
| 1B05H1N wrote:
| Whoopsie daisy.
| Calamitous wrote:
| This is precisely why, though I find it to be a fascinating idea,
| I have steadfastly refused to do one of these genetic tests.
| libraryatnight wrote:
| I remember a Simpsons joke where Homer finds out the government
| has everyone's DNA on file and asks about it and they say "Yep
| everyone who's touched a penny since 1932" or something.
|
| Turns out it didn't need to be that elaborate, you could just
| ask folks to mail it in ;)
| skilled wrote:
| Ongoing discussion,
|
| _Genetics firm 23andMe says user data stolen in credential
| stuffing attack_ (https://news.ycombinator.com/item?id=37794379)
| [deleted]
___________________________________________________________________
(page generated 2023-10-06 23:00 UTC)