Hacker claimed 20 million. 23andMe said it was only 14,000—but now admits to 6.9 million.

October’s hack of 23andMe was far bigger than the firm first said: Two months ago, the $500M market cap genetics corporation (NASDAQ:ME) implied this was a mere storm in a teacup, caused by a few careless users. Then, last week, it reported “only” 14,000 user records lost. Now it’s been forced to ’fess up to almost half its user base.

Yes, it’s time again to macro, “It’s even worse.” In today’s SB Blogwatch, we redux like we’ve never reduxed before.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mashup 2023.

Not Nice

What’s the craic? Lorenzo Franceschi-Bicchierai reports—“23andMe confirms hackers stole ancestry data”:

“23andMe did not share these numbers”
On Friday … 23andMe announced that hackers accessed the personal data of … about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access … “information about other users’ ancestry.” … As it turns out, there were a lot of “other users”: … 6.9 million.
…
23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature. [She] also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year [and] self-reported location.
…
Because of the way that the DNA Relatives feature matches users with their relatives … the hackers were able to see the personal data of both the account holder as well as their relatives. [It’s] not known why 23andMe did not share these numbers … on Friday.

Yikes! Duncan Riley drives the point home—“23andMe SEC filing unveils extent of October data breach”:

“Where it gets interesting”
In an amendment filing with the U.S. Securities and Exchange Commission on Friday, 23andMe said that after becoming aware of a threat actor … claiming to have 23andMe user profile information on Oct. 1, it immediately commenced an investigation. [It] eventually determined that a threat actor accessed the accounts of … about 14,000 user[s], through a credential-stuffing attack.
…
But what the hackers did with that access is where it gets interesting. … DNA Relative profiles include self-reported information such as display names and locations and shared DNA percentages … , family names, predicted relationships and ancestry reports. Family Tree profiles contain display names, relationship labels and other information.

And you could be an indirect victim. lithven is a victim nonetheless:

The really unfortunate part is for people like me who have immediate family members who use these sort of services. In this kind of breach I am a victim even though I’ve never used the site simply through genetic association.

What can we learn? skummetmaelk is in I-told-you-so agreement:

Your relatives sharing their genomic data with 23andMe reveals a lot of information about you. … This disaster is the perfect counter-argument to those always saying, “Why do you care so much about privacy? It doesn’t affect you when I share things. You can just choose not to do it.” Except, no—I can’t choose when we’re relatives.
…
23andMe … could have done the analysis and sent you a printed sheet. But no, they had to store everything to be able to double dip by selling the data to pharma companies and whoever else would pay for it. If you can’t turn a profit without underhandedly selling your users’ data, you deserve to fail.

Selling it? Who’s gonna buy it now? MIPSPro pictures the scene:

Now watch the hackers “accidentally” … release the data and it gets sucked up by every insurer in the country and used to check folks out beforehand. … The insurers will say “Well, it’s public domain information now, we simply used it.”

Recourse to the law? Captain Dunsel suggests the obvious:

We should sue these companies out of business and start over after a host of better laws are in place. It might not be too late to mitigate the harm.

Good luck with that. taurath calls shenanigans:

Their TOS update … went out on Thanksgiving Day (the most perfect time to get lost in everyone’s inboxes). [It] somehow tries to forbid class actions, requires you to go through an “informal” 60 day process before any legal action, and forces you into binding arbitration. … You as a customer have next to no legal rights, according to 23andMe lawyers who cooked this up.

It’s a question of trust. chx496 runs the numbers:

Just to add some perspective: … 14,000 is 0.1% [and] 6.9 million is slightly less than 50% of all customers. They’ve also shown no real transparency in this entire ordeal, so who knows if these latest numbers are even accurate. … The way 23andMe has tried to obfuscate the entire thing tells me that they’re definitely not a company I’d ever want to be a customer of.
…
I’ve yet to see a proper post-mortem of the entire incident. … Either their internal practices were so bad that if they did a proper post-mortem they might as well close up shop, or their company culture is so horrible that you don’t want to have anything to do with them.

Meanwhile, Readercathead is one of many to make this credential-rotation gag:

Time to change your DNA!

And Finally:

Best of 2023

NSFW-ish: A few swears

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: thavis.com (via Unsplash; leveled and cropped)