33 comments
@pjohanneson @thomasfuchs and ps you have copies of your DNA lying around everywhere all the time. I can’t get too outraged. The quiet TOS update seems line maybe their lawyers giving them bad advice though. @dplattsf @pjohanneson @thomasfuchs credential stuffing is a standard attack. not protecting against it, then lying about how many people were affected, then back-door changing their TOS to disallow compensation, those are reasons they should be pilloried and compensate people affected. @dko @dplattsf @pjohanneson @thomasfuchs yeah the "crime" here is the legal coverup. this is some serious dark pattern stuff here. @dko @pjm @dplattsf @pjohanneson @thomasfuchs The healthcare point is interesting. I would like to think that any healthcare organisation using unverified, stolen data to make decisions about a client would themselves be subject to massive class actions... @pa27 @dko @pjm @dplattsf @pjohanneson @thomasfuchs Seems VERY easy to do parallel construction with this stuff- once you have the conclusion in hand from the illegally-gathered evidence, it's not hard to create an in-the-clear paper trail with legal evidence leading to that same conclusion and pretend the 'dark' evidence never happened. @pjohanneson @dko @thomasfuchs have you been to haveibeenpwned lately? The only thing that distinguishes this from a typical day on the internet is that it has the word dna in it and they didn’t even get hacked. Going to save up my outrage .. @dko @thomasfuchs @pjohanneson same reason your bank is still using sms for 2fa. people get upset if you force them to do it the right way. and they get outraged if you don’t. This would be the perfect setup for #GWAS on #password and #2fa hygiene @dplattsf @thomasfuchs @pjohanneson again, who are you arguing for here? companies with shitty policies? companies that leak DNA data? why are you just naming bad practices as if they justify more bad practices? "bad things have happened and unconcerned people are responsible" is not a defense for bad engineering that endangers your users. @dko @thomasfuchs @pjohanneson just trying to understand the outrage and indignation here - again they’re well within the norm for orgs and they also didn’t get any of their systems breached so saying they were hacked is misinformation. They have normal users doing normal bad things. but it’s dna so .. .. .. must be so much worse ? People need recalibration. @dko @dplattsf @thomasfuchs @pjohanneson I work in this field. It was a credential stuffing attack. Google that. There wasn't much they could have done about it. However, Everything they've done after the fact has revealed them to be the shitty corporation that most corporations eventually reveal themselves to be. It's a breach, but not like a breach where there were default creds exposed on the internet (equifax) or some idiot (LastPass). @BigMcLargeHuge @dko @dplattsf @thomasfuchs @pjohanneson You work in what field? There absolutely are many very effective ways to make sure your idiot users do not choose bad passwords. You could for example make them accept an autogenerated one, enforce some sort of second check - perhaps you are familiar with when you get a pin sent to you on your phone? We can already tell their users are people who do not care about their own or their families privacy and so probably warrant extra checks. @dplattsf @dko @thomasfuchs @pjohanneson the bank is using 2fa though, and given the sensitivity of the data, I would think even doing shitty 2fa would have helped. @dko @dplattsf @pjohanneson @thomasfuchs If they cared about their users data, they would have implemented MFA to minimise 'weakest link' vector. @dko @dplattsf @pjohanneson @thomasfuchs even the basic email challenge 2fa they use now protects users plenty more than they were before @dplattsf @pjohanneson @thomasfuchs You don't have sequenced DNA lying around all the time. And MFA is a pretty standard guard against credential stuffing that it's a pretty terrifying idea that instead of attempting to use that... they're trying to TOS their way out of liability. @dplattsf @pjohanneson @thomasfuchs Also, while 14K accounts were accessed by credential stuffing...that led to them leaking 5.5 million users information via linked data. Which meant for every credential stuffed, they made a system that allowed that user to steal ~392 users information. @AT1ST @thomasfuchs @pjohanneson users share pretty widely and that doesn’t feel like something sinister they dod People enjoy interacting and learning about relatedness. Feels healthy to me. @AT1ST @dplattsf @pjohanneson @thomasfuchs It’s overblown. On the site I can see lots of DNA relatives and a very tiny bit about them, for those relatives who opted in to letting strangers like me see them appear in that list. If one of my unknown relatives reused passwords, then someone who I don’t know could use the credentials of the relative I don’t know to see a little bit about me. Don’t reuse passwords. @hunterhacker @dplattsf @pjohanneson @thomasfuchs Here's the thing - the information a relative can learn about another relative, to a stranger, is pretty powerful stuff. Could I, hypothetically, learn your mother's maiden name by logging is as one of your DNA relatives, or a stranger's account that was credential stuffed and could see that relative? @hunterhacker @dplattsf @pjohanneson @thomasfuchs (Because I'll note, while I'm pretty sure this is no longer a valid security question in most contexts, that would be information enough to go from "I know this unrelated person's password and username" to "I don't need to know this other person's password, because I know their username, and I can try to reset it instead of breaking it.". Or they can do that with your birthday, etc.) @hunterhacker @dplattsf @pjohanneson @thomasfuchs Which is a long way of saying; TL:DR; don't over share your information with strangers, and enable MFA already on anything you can't afford to lose. @AT1ST @dplattsf @pjohanneson @thomasfuchs Good points. The fact a mother’s maiden name is considered a security secret is crazy. Birthdays too. (But to be safe, I get my Facebook birthday greetings on the wrong day. Everyone should have a real birthday and a social media public birthday.) 🎂 @hunterhacker @dplattsf @pjohanneson @thomasfuchs I mean, part of what likely made one's mother's maiden name a go-to security question is that historically, at least among British/American/Canadian/German culture that I'm aware of, it's effectively destructing information; like DRM, it became harder and harder to find documentation on what it was, especially if you weren't part of the family in question...which still has the name. What's made it less secure is making it more easily traceable - @hunterhacker @dplattsf @pjohanneson @thomasfuchs - not that that's a bad thing, it just...removes the "Something only you or people who have authorization to use your bank account information would likely know." property. @hunterhacker @dplattsf @pjohanneson @thomasfuchs (Though that reminds me of how SINs are social insurance numbers...used to identify you. It wasn't intended to be used that way, but...people did, because it effectively had that same property. "Who else but yourself and people who are authorized to act on your behalf are going to actually memorize that string of numbers?", effectively.) @hunterhacker @dplattsf @pjohanneson @thomasfuchs (On that note, I once put a joke answer as an answer to a security question...and then regretted it when I needed to return the joke answer to the question to the one party that I needed to give it to, because I instead kept giving them the non-joke answer...before realizing "Oh right; you're the people I gave an incorrect answer to that question,my bad, it's this other thing because of this other thing.". I may have repeated that since then.) @dplattsf @thomasfuchs @pjohanneson The company hid the extent of the breach. Th ere was also some early implication it was some kind of anti-semitic attack, a rumor which flourished because of the small apparent size of the attack. @dplattsf @thomasfuchs @pjohanneson It wasn't DNA that was shared, it was "DNA relatives”, higher-level relatedness and genetic background, like “28.8% Western European”, etc. |
@thomasfuchs @pjohanneson Maybe fine point none of their security was compromised. 14,000 users with same password and email reused on multiple sites were accessed. If you use same password in 12 places and one of the sites get compromised , I don’t consider the other 11 sites to be “hacked”. What amplified the damage was people sharing their DNA with others so more genomes were exposed, but again the users all agreed to share.