Can You Trust Anything On-line, If We Can't Even Protect DNA Records?

Same old story: Terrible security, don't reuse passwords, and enable MFA

So, what’s the most sensitive information that could be breached? Well, one of the most sensitive is your DNA. But now, 23andMe has been hacked:

The hacker — named Golem — has now leaked four million records on the cybercrime forum BreachForums. This seems to focus on UK citizens but also those from the US and Western Europe. It follows a previous release of data on 11 August on the Hydra cybercrime forum, and where it was claimed that they had over 300 TB of 23andMe data.

The method of compromise seems to be credential stuffing, where an intruder logs in with a username and password that has already been exposed in another breach.

With this, all users of 23andMe should change their passwords and enable two-factor authentication. Overall, the company seems to have managed the breach poorly and is blaming users for reusing passwords across different accounts and for not enabling MFA (Multi-factor Authentication). They also identified the DNA Relatives feature as a point of compromise: by breaking into just one account, an intruder could reveal the details of the other accounts connected to it.

Conclusions

Overall, 23andMe can't just blame users for reusing passwords or for not enabling MFA. Surely they have detection engines that should have detected a hacking event? But, in general, don't reuse passwords, and do enable MFA. And where were the encryption and the access controls?
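The post asks why a credential-stuffing run was not detected. As an added example (not from the post, and not 23andMe's own code), the following Python shows the kind of check such a detection engine needs: it reads constructed authentication log lines in an assumed "timestamp ip username result" format, flags sources that try many distinct accounts with mostly failures inside a sliding window, and then lists the accounts that did log in successfully from those sources, which are the ones to lock and reset first.

```python
"""Flag credential-stuffing in auth logs: many distinct accounts tried from
one source, mostly failing. Log lines are constructed for this example, in a
hypothetical "timestamp ip username result" format."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-10-02T10:00:01 203.0.113.7 alice FAIL
2023-10-02T10:00:03 203.0.113.7 bob FAIL
2023-10-02T10:00:05 203.0.113.7 carol OK
2023-10-02T10:00:07 203.0.113.7 dave FAIL
2023-10-02T10:00:09 203.0.113.7 erin FAIL
2023-10-02T10:00:11 203.0.113.7 frank FAIL
2023-10-02T10:01:00 198.51.100.9 alice FAIL
2023-10-02T10:01:20 198.51.100.9 alice OK
2023-10-02T10:02:00 192.0.2.44 grace OK
"""

def parse(log):
    """Return (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)

def stuffing_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_success_ratio=0.2):
    """Map each suspicious source IP to the latest sliding window in which it
    tried >= min_users distinct accounts with <= max_success_ratio succeeding."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts older than the window
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}  # one user retrying a typo stays small
            successes = sum(ok for _, _, ok in win)
            if len(users) >= min_users and successes <= max_success_ratio * len(win):
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(win), "successes": successes}
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}
```

Thresholds are assumptions; a real engine would also correlate across sources, since stuffing tools spread attempts over proxy pools to stay under per-IP limits.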