Dan

@pjm @dplattsf @pjohanneson @thomasfuchs Ya know, one specific person's prior couple of posts have rustled my jimmies.

There are a couple of things to unpack and de-shit here.

1) "you leave your DNA everywhere you go":

Sure, yes. HOWEVER! It's not sequenced and ready to be used by whomever for absolutely any purpose. I have basically zero concern about this being an issue with offshore ransomware syndicates.

I have A LOT OF CONCERN about this being harvested by any of the major databrokers and used to deny people healthcare because of their genome, which those folks never consented to share with the people who make decisions about whether they live or die.

2) 23andme said fewer than 1% of users were affected. It turns out, 50% are affected because of sharing settings.

why the fuck is my data subject to exfiltration because of another user? I can't imagine that it was exfiltrated by forging browser or API sessions and requesting the data. it smells a lot like shitty database structure.

I guess unless they release a very detailed IR report we'll never know.

3) blaming users for "doing the bad thing" is an abdication of responsibility as an admin.

there are simple ways to guard against these sorts of attacks. I don't know 23andme's stack or how difficult it would be to implement, but at a very basic level, here's a good start:

- robust password policy - minimum 8 char password, disallow at least the top 100 from HIBP and/or rockyou, if not the top 1000
- require 2FA
- disallow anything that looks like probing activity: any accounts that are logged in within 60 mins from the same IP, any IPs that show logins to multiple accounts with incorrect passwords, etc, etc
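
An added example, not from anyone in this thread or from 23andMe, showing what the three measures above look like as code: a password denylist check and the two probing heuristics (several accounts from one IP inside 60 minutes, one IP failing logins across many accounts), run over constructed login events. The thresholds and the short denylist are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, source IP, account, success).
# Not real 23andMe data; 203.0.113.7 behaves like a credential-stuffing source.
SAMPLE_EVENTS = [
    ("2023-10-01T09:00:00", "198.51.100.2", "alice", False),
    ("2023-10-01T09:00:30", "198.51.100.2", "alice", True),
    ("2023-10-01T10:00:00", "203.0.113.7", "alice", False),
    ("2023-10-01T10:00:05", "203.0.113.7", "bob", False),
    ("2023-10-01T10:00:09", "203.0.113.7", "carol", False),
    ("2023-10-01T10:00:12", "203.0.113.7", "dave", True),
    ("2023-10-01T10:30:00", "203.0.113.7", "erin", True),
    ("2023-10-01T11:30:00", "203.0.113.7", "frank", True),
]

# Constructed stand-in for a "top N" breached-password list (HIBP/rockyou in practice).
DENYLIST = {"123456", "password", "qwerty", "123456789", "12345678"}

def password_acceptable(pw, min_len=8, denylist=DENYLIST):
    """Bullet 1: length floor plus a denylist of the most common breached passwords."""
    return len(pw) >= min_len and pw.lower() not in denylist

def _parsed(events):
    return [(datetime.fromisoformat(ts), ip, acct, ok) for ts, ip, acct, ok in events]

def ips_spraying_accounts(events, min_accounts=3):
    """Bullet 3b: IPs whose failed logins hit at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for _, ip, acct, ok in _parsed(events):
        if not ok:
            failed[ip].add(acct)
    return {ip: sorted(a) for ip, a in failed.items() if len(a) >= min_accounts}

def ips_with_many_sessions(events, window=timedelta(minutes=60), min_accounts=2):
    """Bullet 3a: IPs logging into min_accounts+ distinct accounts inside one sliding window (thresholds assumed)."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in _parsed(events):
        if ok:
            by_ip[ip].append((ts, acct))
    flagged = {}
    for ip, logins in by_ip.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            accts = {acct for ts, acct in logins[i:] if ts - start <= window}
            if len(accts) >= min_accounts:
                flagged[ip] = sorted(accts)
                break
    return flagged
```

Shared NATs and corporate egress will trip the session heuristic on its own, so it is a signal to rate-limit or step up to 2FA on, not a block by itself.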

2 comments
pa27

@dko @pjm @dplattsf @pjohanneson @thomasfuchs

The healthcare point is interesting. I would like to think that any healthcare organisation using unverified, stolen data to make decisions about a client would themselves be subject to massive class actions...

robotmascot

@pa27 @dko @pjm @dplattsf @pjohanneson @thomasfuchs

Seems VERY easy to do parallel construction with this stuff. Once you have the conclusion in hand from the illegally-gathered evidence, it's not hard to create an in-the-clear paper trail with legal evidence leading to that same conclusion and pretend the 'dark' evidence never happened.
