Readit News
TheBlight · 18 days ago
If you type something into the computer you should assume everyone in the world will eventually be able to see it.

If you send your DNA to a company in the mail you should assume everyone in the world will eventually be able to see it.

rogueparitybit · 18 days ago
So, what about healthcare? Back to paper records? Because it's not acceptable to me that everyone in the world will eventually see my private medical records.
esseph · 18 days ago
It's probably too late for that to be honest.

You should also assume your MegaCorp, if you work for one, has also already seen them (in many cases they can buy them from various data brokers or even off the grey market).

I'm not saying this is the way things should be, just things as I know them to be.

thepasswordapp · 13 days ago
The credential stuffing angle here is worth highlighting - the breach happened because users reused passwords from other breached sites.

What's frustrating is that even security-conscious users face a massive burden after any breach: changing passwords across dozens or hundreds of accounts. Research shows the average remediation gap after breach disclosure is 94 days - most people simply don't do it because it's too tedious.

We've solved password generation and storage. What's still broken is the actual process of updating passwords at scale when you need to respond to a breach like this one.
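
The reuse problem described above is what a breached-password check at registration and login is for. The block below is an added example, not code from this thread, from 23andMe, or from any password manager; it mirrors the range (k-anonymity) lookup pattern of the Have I Been Pwned Pwned Passwords API, where the client sends only the first five hex characters of the SHA-1 of the candidate password and matches the remaining suffix locally, so the full hash never leaves the client. The breach corpus, its prevalence counts and the offline `range_lookup` stand-in for the HTTP call are all constructed for the demo.

```python
"""Breached-password check using a k-anonymity range lookup.

Added example (not from the thread or from 23andMe). Mirrors the Pwned
Passwords range pattern: hash the candidate with SHA-1, send only the first
five hex characters, and compare the returned suffixes locally, so the full
hash never leaves the client. The corpus and counts here are constructed.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5

# Constructed stand-in for a breach corpus: password -> times seen in dumps.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 9_000_000,
    "123456": 20_000_000,
    "letmein": 400_000,
    "Summer2023!": 1_200,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range service is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Group corpus hashes by prefix, as a range server would store them.
    Each value is the list of 'SUFFIX:COUNT' lines returned for that prefix."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]].append(f"{h[PREFIX_LEN:]}:{count}")
    return index


def prefix_for(password: str) -> str:
    """The only thing the client transmits: 5 hex chars of the hash."""
    return sha1_hex(password)[:PREFIX_LEN]


def range_lookup(index: dict, prefix: str) -> list:
    """Stand-in for the HTTP call GET /range/<prefix> (constructed, offline)."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range lookups take exactly a 5-char hex prefix")
    return index.get(prefix, [])


def breach_count(password: str, index: dict) -> int:
    """Times the password appears in the corpus; 0 if never seen."""
    h = sha1_hex(password)
    suffix = h[PREFIX_LEN:]
    for line in range_lookup(index, h[:PREFIX_LEN]):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def verdict(password: str, index: dict) -> str:
    """Policy hook: reject anything seen in a breach, even once, because
    stuffing lists are built from exactly these passwords."""
    return "reject" if breach_count(password, index) > 0 else "accept"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password", "Summer2023!", "correct horse battery staple"):
        print(f"{pw!r}: prefix sent={prefix_for(pw)} "
              f"seen={breach_count(pw, idx)} -> {verdict(pw, idx)}")
```

The design point is the split in `prefix_for` versus `breach_count`: the server sees a five-character prefix shared by hundreds of hashes, and the suffix comparison happens on the client, so the check can run at signup, at password change and on every successful login without handing the plaintext or its full hash to a third party.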

tzs · 18 days ago
It's not clear to me that I should care if my data was in the breach. For my data to have been in the breach the following must have happened.

1. I opted in to sharing my information with everyone that 23andMe identified as relatives. "Relatives" in this context means genetic 4th cousins or closer. For me that turned out to be 1500 people, all of whom are as far as I know complete strangers to me (I'm adopted).

2. One or more of those 1500 people used the same password on 23andMe that they used on some other site that suffered a breach that gave up plaintext passwords.

3. That password was included in a credential stuffing attack that let someone get into their 23andMe account, where that intruder downloaded the account owner's relatives list which included my information.

When I chose to share my data with 1500 strangers I was pretty much conceding that I didn't really care who got it.

vintermann · 18 days ago
Yeah, I agree this is pretty overblown. On GEDmatch, you basically give everyone the information in your SNP reads - you can compare arbitrary people there, not just yourself to "close" relatives. The only condition is that you give others the same access as you want for yourself. It's very useful for genetic genealogy.

Technically, you could probably get access to and scrape all that data by uploading fake data, or someone else's. It will do very little useful unless you're into genealogy.

QuantumFunnel · 18 days ago
Well of course someone dismissing this would be the top comment here
bsimpson · 18 days ago
I've had 23andme since ~2012. Haven't received a single email from/about 23andmedatasettlement.com
babelfish · 18 days ago
It would have been from 23andmebankruptcynoticing@noticing.ra.kroll.com
tomrod · 18 days ago
Ah, certainly not a spam email.
coolThingsFirst · 18 days ago
2 measly SQL injections and down goes 23andMe.
vintermann · 18 days ago
There was no SQL injection. The attack was basically the same as if someone stole the password to a friend's Facebook account, and proceeded to scrape the posts everyone else had made visible to that friend.

Some would say SNP data is more valuable than your posting history. I'm not so sure, since after all 23andMe went bankrupt trying to monetize their data and reddit didn't. It seems possible to me that a post where you say you do X is more useful to advertisers and political propagandists/spies, than a SNP which suggests you're 20% more likely to do X.

coolThingsFirst · 18 days ago
I am reading more on the vector of attack used on 23andme and it seems they used credentials from other data breaches. This never would have happened with MFA, even SMS confirmation would've been enough.

It's insane that a company that literally stores DNA data didn't have the most basic defenses against data breaches that would take an intern 15 minutes to read about.
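
The attack pattern discussed in this thread, stolen username/password pairs replayed against a login endpoint, has a recognisable shape in authentication logs: one source tries many distinct usernames, each once or twice, with a low success rate, because most leaked pairs are stale. The block below is an added example of detection logic over that shape, not code from the thread or from 23andMe; the log line format, the thresholds, the source addresses and the sample lines are all constructed for the demo. It also lists the accounts that authenticated successfully inside a flagged burst, which is the set whose sessions should be revoked and whose owners should be forced to re-authenticate.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example (not from the thread or from 23andMe). Stuffing differs from
brute force on one account: one source tries many distinct usernames, each
only once or twice, with a low success rate, because the leaked pairs are
stale. Log format, thresholds and the sample lines are assumptions for the
demo; tune the thresholds to your own traffic before deploying.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5    # one source, many different accounts
MAX_SUCCESS_RATIO = 0.5   # most stale leaked pairs fail

# Constructed sample: one stuffing source (203.0.113.7) that lands two
# accounts, one user who mistypes once, one user who forgets three times.
CONSTRUCTED_LOG = """\
2024-01-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-01-01T10:00:04Z src=203.0.113.7 user=bob result=OK
2024-01-01T10:00:07Z src=203.0.113.7 user=carol result=FAIL
2024-01-01T10:00:11Z src=203.0.113.7 user=dave result=FAIL
2024-01-01T10:00:15Z src=203.0.113.7 user=erin result=OK
2024-01-01T10:00:19Z src=203.0.113.7 user=frank result=FAIL
2024-01-01T10:05:00Z src=198.51.100.2 user=grace result=FAIL
2024-01-01T10:05:09Z src=198.51.100.2 user=grace result=OK
2024-01-01T10:20:00Z src=198.51.100.9 user=heidi result=FAIL
2024-01-01T10:20:30Z src=198.51.100.9 user=heidi result=FAIL
2024-01-01T10:21:00Z src=198.51.100.9 user=heidi result=FAIL
2024-01-01T10:21:40Z src=198.51.100.9 user=heidi result=OK
not an auth line
""".splitlines()


def parse(lines):
    """Return (timestamp, src, user, success) tuples sorted by time;
    lines that do not match the auth format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(lines):
    """Return {src: {'users': n, 'attempts': n, 'compromised': [...]}} for
    every source that, within any WINDOW, hit >= MIN_DISTINCT_USERS accounts
    with a success ratio <= MAX_SUCCESS_RATIO. 'compromised' lists accounts
    that authenticated successfully inside such a window."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(lines):
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most WINDOW
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            successes = {u for _, u, ok in window if ok}
            ratio = sum(1 for _, _, ok in window if ok) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio <= MAX_SUCCESS_RATIO:
                entry = flagged.setdefault(
                    src, {"users": 0, "attempts": 0, "compromised": set()})
                entry["users"] = max(entry["users"], len(users))
                entry["attempts"] = max(entry["attempts"], len(window))
                entry["compromised"].update(successes)
    for entry in flagged.values():
        entry["compromised"] = sorted(entry["compromised"])
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(CONSTRUCTED_LOG).items():
        print(f"{src}: {info['users']} accounts in {info['attempts']} attempts; "
              f"likely compromised: {info['compromised']}")
```

Note what the thresholds deliberately ignore: heidi's three failures followed by a success come from one source against one account and are not flagged, because the distinguishing signal of stuffing is breadth across accounts, not depth against one. A per-account lockout would never see the 203.0.113.7 burst, since each account there was tried exactly once.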

toomuchtodo · 18 days ago
Related:

DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack - https://news.ycombinator.com/item?id=44300220 - June 2025 (1 comment)

23andMe tells victims it's their fault that their data was breached - https://news.ycombinator.com/item?id=38856412 - January 2024 (368 comments)

zdw · 18 days ago
Can I file a claim if I'm related to folks who shared their (and by extension, my) DNA with this company?
SoftTalker · 18 days ago
This will basically be everyone in the world. Could be the largest class action ever?
2muchcoffeeman · 18 days ago
Oprah spruiked 23andMe.

Can people sue Oprah?

windexh8er · 18 days ago
I may actually try my hand in conciliation court against them on this one. I received a test kit back around 2015 from a family member, but was disgusted at the idea that there was no possible way they 1) wouldn't go under and sell my data 2) be breached. I feel like these sorts of outcomes for these types of services are very obvious as highly likely to anyone who works in proximity to tech, and especially startups.

Anyway, I never submitted the test. But I know for a fact that family has. It's really annoying that others can make these sorts of linked decisions for you - especially as we are now acutely aware that this type of data can, will and I'm sure is being used in ways that basically nobody would consent to.

LurkandComment · 18 days ago
What if you're Canadian?
atulvi · 18 days ago
I want to know this too.