Genetic information is pretty sensitive. It can reveal a lot about you, and it can be used to target you racially or ethnically. It can reveal health information. And you can’t change it if it gets into the hands of bad actors.
23AndMe’s recent breach was scary and shocking to many of their users. However, to add insult to injury, 23AndMe’s lawyers are blaming their own customers. While I’ve seen a few security professionals support the blame-the-victim approach, I strongly disagree. 23AndMe failed to take some basic security measures, and to consider their users.
23AndMe’s claims and why they don’t add up.
Let’s talk about what 23andMe has said and put it in simple terms. First, they’re claiming
“unauthorized actors manage to access certain user accounts in instances where users recycle their login credentials.”
This means that people re-used passwords on 23andMe that they also used on other sites.
Second, 23andMe says users,
“negligently recycled and failed to update their passwords following the past privacy security incidents, which are unrelated to 23andMe.”
This means that when someone’s re-used password was involved in a data breach, they failed to go update 23andMe’s password.
But let’s look at the numbers.
About 14,000 23andMe users were included in this set of people who had bad passwords or were involved in credential stuffing. However, the data breach has resulted in 1.4 million users leaking their family tree and 5.5 million with other forms of stolen data. To be clear, 14,000 users with bad passwords resulted in five and a half million users (who might have had fine passwords) having their data breached.
How did this happen? It is because of a user-to-user sharing feature that doesn’t seem to be properly designed.
The feature is called “DNA Relatives,” which you can opt into in which you can share your information with close relatives so other close relatives can log in and get information about you. I was unable to find exactly what a close relative means. Is it just first cousins, second cousins, fourth cousins? I did find an example where 23andMe shows that one person has over 1200 relatives. So by opting into this feature, you’re letting the closest 1000+ people who you don’t know, get access to some genetic information about you. Oh, also your name and location.
side note: Some folks out there hear that and think they would never opt-in to share genetic information with so many strangers. However, this feature is really useful for many people. In particular, I’m personally very sympathetic to the adoptees who want to learn more and find their biological family. It’s important here not to blame the users for opting into this feature, but instead focus on how 23andMe could have made it better.
If your company has user-to-user data-sharing, this is what you should do.
User-to-user sharing needs to be designed with privacy in mind. There are four design patterns needed in the interface. They are important for any product that has a user-to-user sharing feature. I’ve seen these patterns many times. When done wrong, they can expose your users and create a privacy breach.
These are classic notice and choice options that you need to give the user:
- The opt-in should not use deceptive patterns. A deceptive pattern is any kind of user interface or nudge that tries to convince users to opt into data sharing when maybe it wouldn’t be their first choice. Don’t fool people into sharing with their friends or family; make sure it is clear.
- Revoke: Can the person turn off the sharing? Can they block people or remove people who had access?
- Limit: Can you limit any of the data that is shared, or do you have to share everything (name, location, etc?)
- Monitor: Can you get a sense of how many people are looking at the data that you’ve shared?
In addition to the user controls, user data needs security protections. 23AndMe is responsible for detecting and monitoring abuse, and these classic measures may have prevented the breach.
- IP anomaly detection. If one person’s account is suddenly logging in from a completely different one day, that rings alarm bells. That’s why sometimes your credit card is declined when you’re traveling. 23andMe should have detected strange IP addresses. They didn’t need to full block all logins, but they could have blocked weird-looking IP addresses user sharing features, or at least put a few hurdles up to getting that data.
- Rate limit user-to-user sharing. For these attacks, the attacker might collect data quickly and repetitively (before the password is changed). The frequency of their request and the speed of their request are going to look a lot different than if it’s just a normal user who’s logging in and clicking through by hand. At 23andMe 14,000 people were making five and a half million requests within probably a few months. That should have been an anomaly, and detected.
These are commonly known methods to help with security, and there are plenty more. I’m not convinced that 23andMe has a lot of excuses for not doing this.
To summarize, if you are someone who is building a user-to-user sharing product, then apply good privacy-respecting interfaces and monitor for fraud and abuse.
Sources: