The wheels have come wildly off the bus with the latest details of the hack.
This isn’t the first time at-home genetic testing company 23andMe has been in the news for a hack, but the recent breach — whose details were finally disclosed last week after going unnoticed for five months — appears to be its corporate coup de grâce. As reported by the Wall Street Journal this week, 23andMe’s stock is in the toilet after a 98%-value crash that (at the time of writing) left it at $0.68 a share, with NASDAQ still threatening to delist the company as it now faces four class action lawsuits.
Here are the details of the hack. As best I can understand, some people use the same password and email addresses on other sites that have been compromised, and someone used that data to access their accounts at this site, and also see people sharing indirectly.
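The post above describes credential stuffing: attackers replay email/password pairs leaked from other sites against a new login form, and accounts whose owners reused the password fall over. The following Python is an added example (not code from the thread or from 23andMe) showing how a defender might spot that pattern in authentication logs: one source address trying many distinct accounts in a short window, with a handful of successes mixed into a run of failures. The log format and the sample lines are constructed for the example; the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample login events (not real data). A hypothetical one-line-per-attempt
# format: timestamp, source IP, account, and whether the password check passed.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice@example.net result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.7 user=bob@example.net result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.7 user=carol@example.net result=OK
2023-10-01T12:00:07Z ip=203.0.113.7 user=dave@example.net result=FAIL
2023-10-01T12:00:09Z ip=203.0.113.7 user=erin@example.net result=FAIL
2023-10-01T12:00:11Z ip=203.0.113.7 user=frank@example.net result=OK
2023-10-01T12:00:13Z ip=203.0.113.7 user=grace@example.net result=FAIL
2023-10-01T12:00:15Z ip=203.0.113.7 user=heidi@example.net result=FAIL
2023-10-01T12:01:00Z ip=198.51.100.4 user=alice@example.net result=FAIL
2023-10-01T12:01:20Z ip=198.51.100.4 user=alice@example.net result=OK
2023-10-01T12:05:00Z ip=192.0.2.9 user=bob@example.net result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag each source IP that touches at least `min_users` distinct accounts within
    any `window`-long span. A normal user retrying their own password hits one account;
    a stuffing run walks through a list of leaked credentials. Returns one alert per IP,
    for the span with the most distinct accounts, including which logins succeeded so
    those accounts can be forced to reset."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        j = 0  # right edge of the sliding window; only ever moves forward
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            span = evs[i:j]
            users = {e[2] for e in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "ip": ip,
                    "window_start": span[0][0].isoformat(),
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": sum(1 for e in span if e[3]),
                    "compromised_accounts": sorted(e[2] for e in span if e[3]),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed input, only 203.0.113.7 is flagged: eight accounts in fifteen seconds with two successful logins, which is exactly the signal that reused passwords are being replayed. The retrying user at 198.51.100.4 is not flagged, since the account count, not the failure count, is what distinguishes stuffing from a typo. In practice the successes list feeds a forced password reset and an MFA prompt for those accounts.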
Eh, not that I’m pro tech billionaire, but you can see even here on the Dope how people react to “reasonable security.” We have threads here complaining about MFA, password managers, Oauth, etc.
Except when the sloppy security belongs to one of the self-appointed gatekeepers of consumer credit (looking at you, Experian). Then we’re all just SOL.
My parents signed up for 23andme at the urging of a cousin probably 6 or 7 years ago. After my dad died, I took over the account and changed it from his oft-repeated password to a secure passphrase in my password vault.
Both my parents are 100% Ashkenazi, so they probably had their data scraped in multiple ways anyway.
@Maserschmidt posted a link to the BleepingComputer article. The hackers entered via a compromised user and then leveraged the DNA Relatives feature to get 100x the data.
Bumping this because I think it’s the best-titled thread for this article, which suggests 23andMe may go out of business in the next year. The concern is with all the DNA data they have collected, which is not protected under HIPAA regulations - what happens to it?
I have not been and currently not interested in the DNA testing service they provided, but I know people who have participated. Murphy’s Law in action here.
Since the only thing of value the company has is the DNA database and the complete lack of legal protection for that data, that will be sold off to the sleaziest companies around and the rest of the company will disappear. And quite soon is my guess.
Various types of insurance companies would love this data. But Elon and Zuck might think they should grab it.
And it’s such useful and error-free data. A relative did a 23andMe test and it said they didn’t have any gene for balding. They were losing hair rapidly at 20.
Anyone who knows about these cheap DNA tests and their methods would consider it garbage. (E.g. full siblings with vastly different heritage results.) But that’s not how the suits think.
I didn’t know that HIPAA doesn’t apply here and I’m sure I’m not the only one. That NPR article quotes a law professor, “HIPAA does not protect data that’s held by direct-to-consumer companies like 23andMe.”