Post AcXkVbTylEZ2dDUp96 by dplattsf@sfba.social
 Post #AcWIjnD6xgZfBVckk4 by thomasfuchs@hachyderm.io
       2023-12-06T03:14:55Z
       
       1 likes, 12 repeats
       
       ⚠️ 23andMe just sent out an email trying to trick customers into accepting a TOS change that will prevent you from suing them after they literally lost your genome to thieves. Do what it says in the email and email legal@23andme.com that you do not agree with the new terms of service. If you have an account with them, do this right now.
       
 Post #AcWIjqDvl60oWv1ww4 by thomasfuchs@hachyderm.io
       2023-12-06T03:22:09Z
       
       0 likes, 0 repeats
       
       Needless to say, them wanting to pre-empt a class action suit means that most likely there’s way worse revelations yet to come.
       
 Post #AcWUNDApSpLMUuYUzI by ringo@noagendasocial.com
       2023-12-06T05:33:43Z
       
       0 likes, 2 repeats
       
       @thomasfuchs they recently sold all the DNA testing results to GSK.... just an FYI, for developing new drugs..
       
 Post #AcWkHaat4cQ0fC5KXw by alexelcu@social.alexn.org
       2023-12-06T08:31:55Z
       
       0 likes, 0 repeats
       
       @thomasfuchs Is this even legal?
       
 Post #AcXkVYi34T2I1z3W9w by dplattsf@sfba.social
       2023-12-06T03:33:12Z
       
       0 likes, 0 repeats
       
       @thomasfuchs they were hacked? I read that it was customers reusing passwords that were stolen on other sites. (disclosure: worked there eons ago, but they took security incredibly seriously).
       
 Post #AcXkVZc3iDq4phGFSi by pjohanneson@mstdn.ca
       2023-12-06T03:43:15Z
       
       0 likes, 0 repeats
       
       @dplattsf @thomasfuchs Boy, were they ever hacked. https://www.ctvnews.ca/business/6-9-million-customers-impacted-by-23andme-hack-company-1.6673969
       
 Post #AcXkVaXqFO3liuIOWm by dplattsf@sfba.social
       2023-12-06T03:48:13Z
       
       0 likes, 0 repeats
       
       @thomasfuchs @pjohanneson Maybe a fine point: none of their security was compromised. 14,000 users with the same password and email reused on multiple sites were accessed. If you use the same password in 12 places and one of the sites gets compromised, I don’t consider the other 11 sites to be “hacked”. What amplified the damage was people sharing their DNA with others so more genomes were exposed, but again the users all agreed to share.
       
 Post #AcXkVbTylEZ2dDUp96 by dplattsf@sfba.social
       2023-12-06T04:03:24Z
       
       0 likes, 0 repeats
       
       @pjohanneson @thomasfuchs and ps you have copies of your DNA lying around everywhere all the time. I can’t get too outraged. The quiet TOS update seems like maybe their lawyers giving them bad advice though.
       
 Post #AcXkVcHFo1yn62YAwy by dko@infosec.exchange
       2023-12-06T04:33:01Z
       
       0 likes, 0 repeats
       
       @dplattsf @pjohanneson @thomasfuchs credential stuffing is a standard attack. not protecting against it, then lying about how many people were affected, then back-door changing their TOS to disallow compensation, those are reasons they should be pilloried and compensate people affected.
       
 Post #AcXkVdCgMVuty9Q2Sm by pjm@infosec.exchange
       2023-12-06T05:08:20Z
       
       0 likes, 0 repeats
       
       @dko @dplattsf @pjohanneson @thomasfuchs yeah the "crime" here is the legal coverup. this is some serious dark pattern stuff here.
       
 Post #AcXkVeE8Yaft8x6iMy by dko@infosec.exchange
       2023-12-06T05:46:50Z
       
       0 likes, 1 repeats
       
       @pjm @dplattsf @pjohanneson @thomasfuchs Ya know, one specific person's prior couple of posts have rustled my jimmies. There are a couple of things to unpack and de-shit here.
       
       1) "you leave your DNA everywhere you go": Sure, yes. HOWEVER! It's not sequenced and ready to be used by whomever for absolutely any purpose. I have basically zero concern about this being an issue with offshore ransomware syndicates. I have A LOT OF CONCERN about this being harvested by any of the major databrokers and used to deny people healthcare because of their genome, which those folks never consented to share with the people who make decisions about whether they live or die.
       
       2) 23andme said fewer than 1% of users were affected. It turns out 50% are affected because of sharing settings. Why the fuck is my data subject to exfiltration because of another user? I can't imagine that it was exfiltrated by forging browser or API sessions and requesting the data. It smells a lot like shitty database structure. I guess unless they release a very detailed IR report we'll never know.
       
       3) Blaming users for "doing the bad thing" is an abdication of responsibility as an admin. There are simple ways to guard against these sorts of attacks. I don't know 23andme's stack or how difficult it would be to implement, but at a very basic level, here's a good start:
       - robust password policy: minimum 8 char password, disallow at least the top 100 from HIBP and/or rockyou, if not the top 1000
       - require 2FA
       - disallow anything that looks like probing activity: any accounts that are logged in within 60 mins from the same IP, any IPs that show logins to multiple accounts with incorrect passwords, etc, etc
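
The guardrails listed in the post above, written out as an added Python example; this is not code from 23andMe or from any poster in this thread. It implements three of the listed controls: a minimum-length plus breached-password denylist check, flagging source IPs whose failed logins span many distinct accounts (the spraying pattern), and flagging IPs that successfully log into several distinct accounts inside a 60-minute window (the reading of "accounts logged in within 60 mins from the same IP" assumed here). The log format, the sample log lines, the tiny denylist standing in for the HIBP/rockyou top-N lists, and the thresholds are all constructed assumptions; 2FA enforcement is not shown.

```python
"""Credential-stuffing guardrails over a constructed auth log.

Added example, not 23andMe's code. Assumes a constructed
'timestamp user ip outcome' log format and a small stand-in denylist.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

# Constructed sample log: 203.0.113.5 sprays failures across five accounts,
# 198.51.100.7 logs into four different accounts within minutes (stuffing
# that succeeded), and the remaining lines are ordinary single-user traffic.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z alice 203.0.113.5 FAIL
2023-10-01T10:00:02Z bob 203.0.113.5 FAIL
2023-10-01T10:00:03Z carol 203.0.113.5 FAIL
2023-10-01T10:00:04Z dave 203.0.113.5 FAIL
2023-10-01T10:00:05Z erin 203.0.113.5 FAIL
2023-10-01T10:05:00Z alice 198.51.100.7 OK
2023-10-01T10:06:00Z bob 198.51.100.7 OK
2023-10-01T10:07:00Z carol 198.51.100.7 OK
2023-10-01T10:08:00Z dave 198.51.100.7 OK
2023-10-01T11:00:00Z alice 192.0.2.10 OK
2023-10-01T11:30:00Z frank 192.0.2.11 FAIL
2023-10-01T11:30:10Z frank 192.0.2.11 OK
"""

# Constructed stand-in for the HIBP / rockyou top-N list. A real deployment
# would load the full list or query HIBP's k-anonymity range endpoint;
# hashes are stored so the plaintext list never sits in the checker.
DENYLIST_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "12345678", "letmein")
}


def password_acceptable(pw, min_len=8):
    """Minimum length plus breached-password denylist check."""
    if len(pw) < min_len:
        return False
    return hashlib.sha1(pw.encode()).hexdigest() not in DENYLIST_SHA1


def parse_log(text):
    """Parse constructed 'timestamp user ip outcome' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def spraying_ips(events, min_accounts=3):
    """IPs whose failed logins hit at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for _, user, ip, outcome in events:
        if outcome == "FAIL":
            failed[ip].add(user)
    return {ip: sorted(u) for ip, u in failed.items() if len(u) >= min_accounts}


def multi_account_ips(events, window=timedelta(minutes=60), min_accounts=3):
    """IPs with successful logins to at least min_accounts distinct accounts
    inside any `window`-long span; sliding window over time-sorted logins."""
    ok = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "OK":
            ok[ip].append((ts, user))
    flagged = {}
    for ip, logins in ok.items():
        logins.sort()
        best, start = set(), 0
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1
            users = {u for _, u in logins[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying IPs:", spraying_ips(evs))
    print("multi-account IPs:", multi_account_ips(evs))
    print("'password' acceptable:", password_acceptable("password"))
```

The thresholds (three accounts, 60 minutes) are deliberately low for the sample; in production they belong behind shared NAT allowances and an alert-then-block escalation, since a single corporate egress IP can legitimately carry many accounts.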
       
 Post #AcYdeuXYljKtp6ccmu by shrikant@noc.social
       2023-12-07T06:27:10Z
       
       0 likes, 0 repeats
       
       @thomasfuchs What a scummy move! There needs to be a way for users to communicate equally egregious shrink-wrap agreements back to these providers. Give 'em a taste of their own medicine...