At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it’s working to verify the data.

  • saigot@lemmy.ca
    link
    fedilink
    arrow-up
    41
    arrow-down
    2
    ·
    1 year ago

    The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives.

    The information does not appear to include actual, raw genetic data.

    • Saik0@lemmy.saik0.com
      link
      fedilink
      English
      arrow-up
      42
      arrow-down
      5
      ·
      1 year ago

      This doesn’t absolve them of anything. If you see thousands of accounts being individually logged in from the same block of IP addresses, and those users have never logged in from there before. That should raise red flags. No, Fred from California shouldn’t be logging in from a vpn based out of Ireland right after Anne from NY logged in from that same VPN from Ireland.

      Users are dumb. This is why there’s tools to track odd behavior and clamp down on it.

      • skippedtoc@lemmy.world
        link
        fedilink
        arrow-up
        13
        arrow-down
        5
        ·
        edit-2
        1 year ago

        “This doesn’t absolve them of anything”

        Of course it does. “Security” based on behaviour tracking is not the expected default like you are making it to be. (neither should it be.)

        • wildginger
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          Thats how my bank tracks my money, and while it might be mildly annoying to make a quick call to reactivate my card if I triggered a red flag, it is absolutely a well appreciated and useful safety feature that I am glad my bank employs.

          Why would I not expect the same level of security for a piece of my medical data? Thats just as important as my money.

          • skippedtoc@lemmy.world
            link
            fedilink
            arrow-up
            1
            arrow-down
            2
            ·
            1 year ago

            Why would I not expect the same level of security for a piece of my medical data?

            Because it’s not a bank.

            Thats just as important as my money.

            Unless you are super rich and have a lot of throwaway money, it’s a false over exaggeration.

            • wildginger
              link
              fedilink
              arrow-up
              3
              arrow-down
              1
              ·
              1 year ago

              You understand that same level of security is used by hospitals, yes? Do you think hospitals are banks?

              Ah, an over exaggeration. Ill tell that to all the jews whose data got targeted and stolen. Im sure it was harmless.

              • skippedtoc@lemmy.world
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                1 year ago

                You understand that same level of security is used by hospitals, yes?

                No, not all hospitals at least.

                Ill tell that to all the jews whose data got targeted and stolen.

                Sure, go ahead. You have my permission.

                Im sure it was harmless.

                I don’t know why you are sure of it. It could cause harm even if you can’t think of what harm it will cause.

                Your brain works differently from mine. Your idea of protecting your data is to give away and even force them to collect more data on you. Mine to make them collect less data.

                • wildginger
                  link
                  fedilink
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  1 year ago

                  Your brain short circuits at sarcasm, so Im not really expecting much from it.

                  If you are already giving valued medical data to someone, the simple act of checking the ip of login and sending a “was this you?” email isnt even remotely the level of data loss you want to pretend it is.

                  Its common sense to protect your user, and your database, from phishing. If you want to genuinely claim that phishing protections for medical data is bad, by all means. You already sound like a fool, may as well set the stone.

                  • skippedtoc@lemmy.world
                    link
                    fedilink
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    1 year ago

                    Personal insults are always great arguments. Please continue at your leisure. Since I am not good at it I will stop here.

        • Saik0@lemmy.saik0.com
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          2
          ·
          1 year ago

          I’m sorry, but what behavior tracking would be enabled here to detect that thousands of accounts are logging in from the same ASN that the accounts don’t identify as being in?

          They have your address… They sent you the spit tube kit. and it’s probably in your profile that you willingly give them. What “tracking” is it when “hey this IP belongs to a location that’s 10000 miles away from their profile! Let’s send an email and double check!”.

          • skippedtoc@lemmy.world
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            1 year ago

            hey this IP belongs to a location that’s 10000 miles away from their profile!

            This means you are tracking the information that I have moved or am currently am at 10000 miles whatever place. You have no business knowing where I move to. It is kind of tracking as you are collecting more info than you need to in the name of “Security”.

            If I think my data on a website is important enough I will make the password there random and complex enough not to be guessed or brute forced. I don’t need your extra tracking.

            They can increase security by matching address. Sure. The can also increase security by checking everything on your pc and house to figure out if you are you. I don’t need it.

            Let’s send an email and double check!.

            That’s a different point. They should always provide an option for 2nd or extra authentication for people who want it. But it doesn’t need any other info than that I want 2fa.

            More i

            • Saik0@lemmy.saik0.com
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              2
              ·
              1 year ago

              This means you are tracking the information that I have moved or am currently am at 10000 miles whatever place.

              An ip lookup isn’t tracking jack shit. You are demonstrating that you don’t understand how technology works.

              You furnished your address to the service (by function of how the service works), you accessed the site which exposes your IP. An IP lookup it’s tracking. If you truly believe it is… Hoo boy you should spin up an apache server and look at the logs.

              • skippedtoc@lemmy.world
                link
                fedilink
                arrow-up
                3
                arrow-down
                1
                ·
                1 year ago

                An ip lookup isn’t tracking jack shit.

                Sigh! now you are arguing on definition of tracking. Which is pointless as you can replace that word with whatever you are comfortable with.

                You are demonstrating that you don’t understand how technology works.

                Perhaps. But the since concept of ip hasn’t changed much since the internet became public it’s doubtful that don’t understand ip.

                you accessed the site which exposes your IP.

                Yes. Doesn’t mean you have to save my ip address that I used. Or even the general location I used it from even if it will increase security.

                apache server and look at the logs.

                Shrug. What does that means? You can control the info logged in server and also if you choose to keep it or classify it.

                • bane_killgrind@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Doesn’t mean you have to save my ip address that I used.

                  The most basic webserver keeps access logs. It will save “this person logged in at this address” or some data about the session regardless if it’s looked back on later.

                • Saik0@lemmy.saik0.com
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  2
                  ·
                  edit-2
                  1 year ago

                  Yes. Doesn’t mean you have to save my ip address that I used.

                  Who the fuck said anything about saving an IP?

                  Or even the general location I used it from even if it will increase security.

                  IP lookups are not “saving your location”.

                  Shrug. What does that means? You can control the info logged in server and also if you choose to keep it or classify it.

                  No… Not at all. If you reach out to my server, my server has to know where to send the data back to. Part of this process can be an IP lookup that actually identifies where your ASN is based out of. There is no way around this… the request MUST have IP information. Nobody said shit about logging anything. And logging IPs is not required to do anything that I’ve mentioned.

                  Sigh! now you are arguing on definition of tracking.

                  No… I’m arguing pedantic shit. I’m telling you what actually happens and what the actual definition is.

                  Edit: To the point. I actually do IP lookups to BLOCK specific countries in my router. Using a database like maxmind you can get a general idea of location without knowing anything specific at all. So it goes 1 step further to run a check on if your current ASN is even remotely close to your known location. If not, fire off email. nothing about this requires any logging or outside information than what you already gave the company in this case. Other fields use these mechanisms that are well regulated and nobody else except for you calls this “tracking”.

                  • skippedtoc@lemmy.world
                    link
                    fedilink
                    arrow-up
                    2
                    arrow-down
                    2
                    ·
                    1 year ago

                    If you reach out to my server, my server has to know where to send the data back to.

                    The “where” in above quote is my ip. That’s all nothing else.

                    Nobody said shit about logging anything.

                    ?? Let’s pretend that’s true. Ignoring the previous comment.

                    Why not. Wouldn’t your so called “security” will increase if they log things so they are more sure of your identify.