{"id":230,"date":"2024-08-07T11:51:00","date_gmt":"2024-08-07T11:51:00","guid":{"rendered":"https:\/\/absolutelynothing.io\/?p=230"},"modified":"2024-08-21T12:16:01","modified_gmt":"2024-08-21T12:16:01","slug":"i-just-took-a-dna-test-turns-outmy-data-was-leaked","status":"publish","type":"post","link":"https:\/\/absolutelynothing.io\/?p=230","title":{"rendered":"I Just Took a DNA test, Turns Out\u2026My Data was Leaked"},"content":{"rendered":"\n

Diane here, COO and the least technical member of our group! I\u2019ll occasionally take control of our blog to give y\u2019all a break from hearing from Kyle. My posts will focus more on things happening in mainstream media or whatever I find interesting, relevant, or scandalous. Enjoy!<\/em> \ud83d\udda4<\/p>\n\n\n\n

\n\n\n\n

Hi readers! I\u2019m back and this week we are going to talk about another alarming data leak. While all data leaks are concerning because personally identifiable information (otherwise known as PII; think email address, name, address, credit card information, etc.) is made available to bad actors, there are some data leaks that expose, what I believe, to be even more sensitive information\u2026and this is what happened in 2023.<\/p>\n\n\n\n

Unless you have been living under a rock, you\u2019ve probably heard about companies where with a simple cheek swab you can send them your DNA and find out your ancestry<\/a> or find out more about your health<\/a> through your genetics. Heck, you can even do DNA testing for your dog<\/a> (we don\u2019t need a DNA test to know our Chief Barking Officer<\/a> is 90% queen and 10% cookie monster). I can totally understand the allure of tracing your ancestry and of learning more about your genetics to help inform your medical care, but I would also caution y\u2019all to do your due diligence prior to giving companies your literal DNA because as we have learned from previous data leaks, no data is truly 100% secure.<\/p>\n\n\n\n

Let\u2019s take a look at what happened to 23andMe\u2026<\/p>\n\n\n\n

In late 2023, a hacker stole the data of 6.9 million users of 23andMe, about half of the company\u2019s total users. The investigation revealed the hacker was able to [brute-force](https:\/\/www.fortinet.com\/resources\/cyberglossary\/brute-force-attack#:~:text=A brute force attack is,and organizations<\/a>‘%20systems%20and%20networks.) users\u2019 passwords (basically using trial and error) by using passwords available online from other data leaks (#donotreusepasswords). 23andMe reported to TechCrunch<\/a>, the data leaked was from users who opted-in to the company\u2019s DNA Relatives feature and included the \u201cperson\u2019s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location\u201d as well as uploaded photos. Other data was access using the Family Tree feature.<\/p>\n\n\n\n

\"\"
How strong is your password? Check out this graph to see how long it would take a hacker to brute force your password.<\/figcaption><\/figure>\n\n\n\n

The hacker, who goes by Golem (probably ripped from Gollum of \u201cLord of the Rings\u201d), posted on an online forum used by cybercriminals the Personally Identifiable Information of more than 1 million users with Jewish ancestry. The data included their full names, home addresses, and birth dates. According to The New York Times<\/a>, after a request was made by forum poster, Golem leaked the profile information of 100,000 Chinese customers.<\/p>\n\n\n\n

23andMe subsequently notified their users<\/a>, required them to change their passwords, and required new customers to setup two-step verification when creating accounts. There is also currently a lawsuit making it\u2019s way through the court systems. The class action lawsuit accuses 23andMe of \u201cfailing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles\u201d and \u201cfailing to notify customers with Chinese and Ashkenazi Jewish heritage that they appeared to have been specifically targeted, or that their personal genetic information had been compiled into \u2018specially curated lists\u2019 that were shared and sold on the dark web\u201d.<\/p>\n\n\n\n

According to the National Institutes of Health (NIH), there are little regulations or oversight for direct-to-consumer genetic testing companies<\/a>, unlike the companies that work directly with health care professionals. This lack of oversight and regulations includes what they can and can\u2019t do with your data and how they can (or don\u2019t) protect your data. Most of these companies have detailed information on their practices which can help you answer the following questions which are outlined by the NIH as being helpful to \u201cassess a company\u2019s privacy practices\u201d<\/a>\u2026<\/p>\n\n\n\n