May 14, 2025

23andMe, an example of things done wrong

January 3, 2024

It’s possible that this is the first time you’ve seen a link to 23andMe (although we told you about them a few years ago, after a study on sleep habits), even though the company has certainly gained prominence recently, though not for the reasons it (and, of course, its customers) would like. If so, you should know that it is a biotech and genomics company whose core service is genetic testing for end users, people like you and me who may be curious about what their DNA can tell them.

In this type of study, the customer receives a kit to collect a DNA sample, usually saliva taken with a swab, which must then be sent to a laboratory where the appropriate analyses are performed and the results cross-referenced with the information available to the company. The user then receives a complete report, which generally covers everything from their susceptibility to certain diseases to the geographic origins of their ancestors.

In general, users can consult their reports on the Internet, although of course they have to log in with their credentials to the website of the company that provides the service, such as 23andMe. And we are talking about very personal data, which in some cases enjoys a particularly high level of legal protection. That’s why the massive data breach that the company confirmed in December (although it had been known about for months, as the exfiltrated data was already circulating on the dark web) resulted in a flurry of lawsuits against 23andMe from affected users.

A situation like this is no doubt complicated, because the companies concerned face a huge image crisis. However, dropping the ball and then turning on the victims is an example of how not to do things, and unfortunately that’s what happened in this case. As we can read in TechCrunch, 23andMe has accused some of its users of being responsible for the massive data breach.

23andMe, an example of things done wrong

Gattaca showed us a dystopian future in which information extracted from our DNA determined the course of our lives. Andrew Niccol had no idea what would happen if a database with this type of information was leaked and ended up in the wrong hands.

In a letter sent to those affected by 23andMe, which this media outlet has seen, the company says that the attack began with the weak passwords used by some of its users (around 14,000 accounts), which the attackers were able to access. From there, the same attackers took advantage of an optional feature of the service called DNA Relatives, which lets customers share some of their data with people who, according to their DNA results, are related to them. By pulling on this thread from the 14,000 originally compromised accounts, the attackers were able to obtain data on 6.9 million 23andMe users.

Granted, yes, the company has a right to defend itself (and will certainly have to as the lawsuits pile up), and it also seems indisputable that the use of insecure passwords by some customers played a key role in this incident. But precisely because of this, and because of the seriousness of exposing certain types of data, I find it incredible that 23andMe did not take this type of risk into account and consequently did not put in place the means needed to prevent an exfiltration of this kind.

There are users who use insecure passwords, and there are users who recycle passwords and do not change them even after they know they have been leaked. This is neither new nor surprising; it has been known for years, and many technology companies are actively working to implement more secure systems. However, despite the sensitivity of the information it managed, 23andMe did not see the need to implement additional security measures (such as requiring two-factor authentication on all accounts with DNA Relatives enabled), and now blames customers for their shameful security practices. Shame upon shame.
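As an added illustration (not from the original article or from 23andMe), the following Python model shows how the two-step pattern described above turns a handful of password-only takeovers into a much larger exposure through a relatives-sharing feature, and what enforcing a second factor on sharing-enabled accounts changes. The account population and the rule that a match is visible only when both sides have opted in are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass
class Account:
    user: str
    password_leaked: bool          # password also appears in an earlier breach
    relatives_enabled: bool        # opted in to the relatives-sharing feature
    mfa: bool = False              # second factor enforced at login
    relatives: frozenset = frozenset()   # genetic matches (constructed sample)

def password_only_takeovers(accounts):
    """Accounts reachable by reusing a leaked password: no second factor to stop it."""
    return {a.user for a in accounts.values() if a.password_leaked and not a.mfa}

def exposed_users(accounts, compromised):
    """One-hop exposure: data of the compromised accounts plus every relative
    visible to them. Assumption: a match is visible only if both sides opted in."""
    exposed = set(compromised)
    for user in compromised:
        acct = accounts[user]
        if acct.relatives_enabled:
            exposed |= {r for r in acct.relatives if accounts[r].relatives_enabled}
    return exposed

def require_mfa_for_sharing(accounts):
    """Mitigation discussed above: enforce a second factor on every account that
    has the sharing feature enabled. Returns a new mapping; input is untouched."""
    return {u: replace(a, mfa=True) if a.relatives_enabled else a
            for u, a in accounts.items()}

def exposure_report(accounts):
    """Takeovers and resulting exposure as (compromised, exposed, amplification)."""
    taken = password_only_takeovers(accounts)
    exposed = exposed_users(accounts, taken)
    ratio = len(exposed) / len(taken) if taken else 0.0
    return taken, exposed, ratio

# Constructed sample population: two leaked passwords, one on a sharing-enabled account.
ACCOUNTS = {a.user: a for a in [
    Account("alice", True, True, relatives=frozenset({"bob", "carol", "dave"})),
    Account("bob", False, True, relatives=frozenset({"alice", "carol"})),
    Account("carol", False, True, relatives=frozenset({"alice", "bob"})),
    Account("dave", False, False, relatives=frozenset({"alice"})),
    Account("erin", True, False),
    Account("frank", False, True),
]}

if __name__ == "__main__":
    for label, pop in (("as deployed", ACCOUNTS),
                       ("2FA on sharing accounts", require_mfa_for_sharing(ACCOUNTS))):
        taken, exposed, ratio = exposure_report(pop)
        print(f"{label}: {len(taken)} taken over -> {len(exposed)} exposed (x{ratio:.1f})")
```

With real population sizes the same union computation is what turns a few thousand weak-password accounts into millions of exposed profiles; the second factor removes the sharing-enabled accounts from the password-only takeover set and with them the amplification.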

Source: Muy Computer
