23andMe admits hackers stole raw genotype data - and that cyberattack went undetected for months | Firm says it didn’t realize customers were being hacked::Firm says it didn’t realize customers were being hacked

  • jonne@infosec.pub
    link
    fedilink
    English
    arrow-up
    2
    ·
    11 months ago

    If they had access to their internal network, they could’ve exfiltrated it by a ton of different ways.

    • Morphit @feddit.uk
      link
      fedilink
      English
      arrow-up
      4
      ·
      11 months ago

      They wouldn’t need to access 14,000 separate accounts if they had internal access to the database.

      The article states they got access to “private data” from 6.9 million other users via a ‘DNA relatives’ feature but doesn’t explain what kind of information that is. For those accounts that got directly accessed, it seems unlikely the hackers requested and intercepted an email for every one without being noticed sooner. Sounds like they only scraped what’s available on the site itself but it’d be nice if the article actually detailed that.

      • jonne@infosec.pub
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        11 months ago

        Ah ok, didn’t know we knew those details. I guess they found an API endpoint that allowed them to do this that isn’t exposed through the website.

        • huginn@feddit.it
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          11 months ago

          The official RCA is credential stuffing.

          Reused passwords are a bitch.

          The main surprise is that you were able to get to genomic data with just a password. I thought it was only ever sent over email to the account email.

          Maybe the attack involved changing email as well?