MyHeritage, a DNA Testing and Ancestry Service, Announces Data Breach of Over 92 Million Account Details (vice.com)
Joseph Cox, reporting for Motherboard: Unfortunately for customers of MyHeritage, a genealogy and DNA testing service, a researcher uncovered 92 million account details related to the company sitting on a server, according to an announcement from MyHeritage. The data relates to users who signed up to MyHeritage up to and including October 26, 2017 -- the date of the breach -- the announcement adds. Users of the Israeli-based company can create family trees and search through historical records to try and uncover their ancestry. In January 2017, Israeli media reported the company has some 35 million family trees on its website. In all, the breach impacted 92,283,889 users, according to MyHeritage's disclosure.
Re: (Score:2)
The ancestry data is pretty much public. So that's no real loss. These services all share that kind of stuff quite widely. It's kind of why they are even remotely useful at all.
The DNA data is a bit more interesting/private though.
your mother's maiden name (Score:3)
or your father's middle name are now useless security questions. Along with your SS number, address, home telephone, ....
Re: (Score:3)
take the security question. Hash it with your own secret salt. give that as the answer.
Re: (Score:3)
The problem is many times answers are restricted to drop down responses or are tied to actual data about you (like past addresses, phone numbers, etc.).
Another issue is that these are the things the customer service reps can see if you ever get locked out and need to call them.
Good luck reading out a random password over the phone. No, BACKslash. It's going from top left to bottom right. No no, that's the grave / backtick.
Er, no (Score:4, Informative)
Questions may be restricted, but the responses can be anything you choose. Your first car? Fattybut. Name of second school? 902010 etc
Re: (Score:2)
> Questions may be restricted, but the responses can be anything you choose.
Not always, unfortunately. And certainly not when they're using any info backed by the big 3 monsters (Equifax, Transunion, and Experian) that you may be forced to prove if something fucks up, such as living at a certain address, having a phone number, having a specific loan / financial account, etc.
I have in my KeePass file notes that for certain security questions I have to answer incorrectly because the data they have on file is wrong. For example, they think my main phone number is a land line when it
Re: (Score:2)
Not all of the forms I've dealt with let you put in anything you want. Some are drop down or radio button controls tied to a set of options. This is frequently the case when they use a data set backed by "true" info about you (that they typically pull from the 3 major credit unions).
Your mother's maiden name is *******?
Re: your mother's maiden name (Score:2)
It became illegal to use SSN as an identifier for private companies a while back. The same should be for the security questions.
Of course my mother's maiden name is a 32-byte hex string, so good luck with that. I had a bank employee thank me for having something that could not be easily hacked.
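The "hash it with your own secret salt" suggestion in the reply above, and the 32-byte hex answer mentioned in this comment, amount to a small tool: derive every security-question answer from one secret key so that no answer is a real fact about you and no leaked answer reveals another. The following is an added example and is not code posted by any commenter here. The secret shown is a constructed placeholder (a real one would come from `new_secret()` and live only in a password manager), and the site and question strings are assumed inputs. It keys HMAC-SHA256 with the secret, offers the full hex form as well as a letters-only form for questions that must be dictated over the phone (the backslash-versus-backtick problem raised above), and includes a NATO-alphabet speller for that case.

```python
import hashlib
import hmac
import secrets
import string

# Constructed placeholder for the example only. Generate a real secret once with
# new_secret() and store it in a password manager; never derive it from memorable data.
EXAMPLE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

NATO = (
    "alfa bravo charlie delta echo foxtrot golf hotel india juliett kilo lima mike "
    "november oscar papa quebec romeo sierra tango uniform victor whiskey xray yankee zulu"
).split()


def new_secret() -> bytes:
    """Return a fresh 32-byte random key; call once and keep it in a password manager."""
    return secrets.token_bytes(32)


def _message(site: str, question: str) -> bytes:
    # Normalise so "Mother's Maiden Name?" and "mother's maiden name? " derive the
    # same answer; site is included so each site gets an unrelated answer.
    return f"{site.strip().lower()}\n{question.strip().lower()}".encode()


def derive_answer(secret: bytes, site: str, question: str,
                  fmt: str = "hex", length: int = 16) -> str:
    """Deterministically derive a security-question answer from a secret key.

    fmt="hex"   -> the full 32-byte HMAC-SHA256 as 64 hex characters.
    fmt="alpha" -> `length` lowercase letters, phone-readable, unbiased via
                   rejection sampling over a counter-extended HMAC stream.
    """
    msg = _message(site, question)
    if fmt == "hex":
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if fmt == "alpha":
        letters = string.ascii_lowercase
        out = []
        counter = 0
        while len(out) < length:
            block = hmac.new(secret, msg + b"\n" + counter.to_bytes(4, "big"),
                             hashlib.sha256).digest()
            for b in block:
                # 234 = 9 * 26 is the largest multiple of 26 <= 256; rejecting
                # bytes at or above it keeps the modulo mapping uniform.
                if b < 234:
                    out.append(letters[b % 26])
                    if len(out) == length:
                        break
            counter += 1
        return "".join(out)
    raise ValueError("fmt must be 'hex' or 'alpha'")


def spell_out(answer: str) -> str:
    """Render a letters-only answer in the NATO alphabet for reading aloud."""
    if not answer or any(c not in string.ascii_lowercase for c in answer):
        raise ValueError("spell_out expects lowercase letters only")
    return " ".join(NATO[ord(c) - ord("a")] for c in answer)


if __name__ == "__main__":
    # Assumed site/question values for demonstration.
    site, q = "example-bank.test", "Mother's maiden name?"
    print("hex  :", derive_answer(EXAMPLE_SECRET, site, q))
    phone = derive_answer(EXAMPLE_SECRET, site, q, fmt="alpha", length=12)
    print("alpha:", phone)
    print("say  :", spell_out(phone))
```

Two caveats follow from the thread itself: this only works where the site accepts a free-text answer, not a drop-down of "true" facts, and the derived answers should still be recorded in the password manager alongside the secret, since a customer-service representative will read back whatever is on file.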
Re: (Score:2)
And to do so you'd need to physically be there, and risk physically getting shot in the fucking gut.
Nay lads, bad biology (Score:2)
It's an eating gut. Use your willy for the other activity.
Gives a whole new meaning: Who's your daddy? (Score:3)
With the security breach it kind of gives a whole new meaning to:
Who's your daddy? :-/
On a related note:
When are we going to start fining companies that suffer a security breach?
Until there is a financial penalty companies have very little motivation to take security seriously.
Re:Gives a whole new meaning: Who's your daddy? (Score:5, Interesting)
>Who's your daddy?
In my family's case, it was "Who's your uncle?" and "Who's your cousin?".
My wife's bible bashing, holier than thou grandfather was dipping his wick in many places it seems. The denial on the part of the bible bashing, holier than thou, next generation was remarkable.
23andme uncovered these things.
Re: (Score:2)
Yawn.
The truth makes you sleepy?
That's a medical problem that needs a name.
Re: (Score:2)
Some family members were forking everything in sight.
Re: (Score:2)
> With the security breach it kind of gives a whole new meaning to:
> Who's your daddy? :-/
> On a related note:
> When are we going to start fining companies that suffer a security breach?
> Until there is a financial penalty companies have very little motivation to take security seriously.
You punish a company that doesn't take security seriously by taking your business elsewhere.
We don't legally punish the person whose house gets broken into by a burglar for not securing their house properly. We don't legally punish Target for being the victim of shoplifting. You don't arrest rape victims for being raped (even if they wore revealing clothing and didn't learn to defend themselves with kung-fu).
Charging the victim isn't an option.
As a consumer, sure, you have the right to take your business
Re:Gives a whole new meaning: Who's your daddy? (Score:5, Insightful)
We don't legally punish the person whose house gets broken into by a burglar for not securing their house properly.
> That's because I'm not generally storing my stuff in my neighbor's house. However if I loan my lawnmower to my neighbor, and it gets stolen because he left his garage door open overnight, he is generally responsible civilly for my loss.
Re: (Score:2)
We don't legally punish the person whose house gets broken into by a burglar for not securing their house properly.
> That's because I'm not generally storing my stuff in my neighbor's house. However if I loan my lawnmower to my neighbor, and it gets stolen because he left his garage door open overnight, he is generally responsible civilly for my loss.
Sorry to be a wet blanket here, but since when do you own anything on someone else's computer?
That doesn't matter. The reason the neighbor would be liable for your loss isn't just because something that you own was stolen. The reason is that their actions, or lack thereof, caused you financial harm.
Re: (Score:3)
> Sorry to be a wet blanket here, but since when do you own anything on someone else's computer?
I own dollars and Euros that have no physical existence except in my banks' computers. Ditto cryptocurrencies. Many people own copyrighted commercial and private personal information stored on computers someone else leases in the cloud. Location does not equate to ownership.
Re: (Score:2)
Fucked up analogy.
You're suggesting that DNA shit is something you can file for, and have the company return it back to you, in its entirety so you can give it to another business.
Also, strangers don't have their goddam personal property or data in your unlocked house.
Litigation is the ONLY solution to this bullshit.
Re: (Score:2)
> Fucked up analogy.
> You're suggesting that DNA shit is something you can file for, and have the company return it back to you, in its entirety so you can give it to another business.
> Also, strangers don't have their goddam personal property or data in your unlocked house.
> Litigation is the ONLY solution to this bullshit.
It's not your data. It's their data because you gave it to them. Now, I'm all for changing privacy laws to be more like European privacy laws- but you can't say you had YOUR data stolen when as it sits in the law it isn't your data- it's the web company's data.
Re: (Score:3)
You should sign up on a site called "Slashdot ... News For Nerds; Stuff That Matters"
They have stories [slashdot.org] that can help you understand.
Data Breach Victims Can Sue Yahoo in the United States, Federal Judge Rules
Re: (Score:2)
> You should sign up on a site called "Slashdot ... News For Nerds; Stuff That Matters"
> They have stories [slashdot.org] that can help you understand.
Nah... I stay away from there, that place is full of idiots. :)
> Data Breach Victims Can Sue Yahoo in the United States, Federal Judge Rules
Sure... you're welcome to try suing in a civil court if you like. 9 times out of 10 you'll probably fail. Yahoo might actually be one of those rare exceptions because it wasn't just negligence it was gross negligence. They weren't just insecure- they KNEW they were insecure and actively did nothing.
If you think you own the data you give to companies like Facebook, and MyHeritage, etc, you're bound to be disappointed in the long run. You migh
Re: (Score:2)
>You're suggesting that DNA shit is something you can file for, and have the company return it back to you, in its entirety so you can give it to another business.
That's exactly how it works. You can download it and give it to another business, like Promethease or Genetic Genie or Nutrahacker.
Re: (Score:2)
I'm going to go to space and change mine so it's no longer useful to them. Then I'll be able to count on one hand the seven reasons I'm never doing business with them again.
Re: (Score:2)
> I'm going to go to space and change mine so it's no longer useful to them. Then I'll be able to count on one hand the seven reasons I'm never doing business with them again.
You don't have to go that far, Chernobyl and Fukushima are both accessible w/o a rocket...
Re: (Score:2)
> When are we going to start fining companies that suffer a security breach?
Just as soon as money gets out of politics.
GDPR... (Score:1)
Re: (Score:2)
...or you just don't care anymore because that particular cat is out of the bag already.
Although this really only becomes a problem if DNA based discrimination is allowed. If that's the case, then you will be coerced into creating this data. Would be abusers won't need to depend on a data breach.
This ought to be particularly alarming (Score:4, Insightful)
DNA testing results are particularly sensitive information. While these sites use the information to identify ancestry, they can also test for genetic risk factors for developing various illnesses. That information may be very useful to individuals who can make lifestyle and medical decisions to mitigate those risks. Unfortunately, that information can also be used by insurance companies to deny coverage and by potential employers to not hire people who are at higher risks to develop some medical conditions.
There needs to be a certification process for handling sensitive data, meaning that businesses must be certified before they're legally allowed to handle information like DNA test results. That certification process should require third party audits to ensure that various standards are met. This would be followed up with random unannounced periodic checks to ensure that the business is still in compliance with those standards. Any business that is handling such data without certification should be subject to penalties at least as severe as if all the sensitive data was compromised in a breach. There need to be standards for handling sensitive data and a certification process to ensure that the data is handled properly.
Re: (Score:3)
No, banning hacking is already covered by laws such as the CFAA, and you know that. Besides, this breach wasn't the result of a hack. The data was left unsecured on a server. Your comment isn't helpful. As for bans on hacking, a much better idea is to impose stricter standards on the handling of information like DNA test results. A fairly straightforward solution in the United States would be to make businesses like MyHeritage subject to the data protections included in HIPAA. If you're handling DNA information and doing business in the United States, you would be subject to that law.
I'd actually be very, very surprised if HIPAA doesn't already cover DNA information, especially given that there are laws specifically in place covering genetic privacy, pretty much because it was decided that genetic discrimination is a problem that is most easily solved before it's particularly feasible.
Data (Score:2)
Every gods-be-damned WEEK. (Score:2)
You all have exactly TEN SECONDS to justify to me why, in 2018, with this shit happening every gods-be-damned week, you'd ever sign up for any internet service that requires your real name and other personal information. Lunacy, it's all lunacy.
Re: (Score:2)
_I_ didn't. My family - my mother in law specifically - may very well have. She still can't get over our marriage and yes she is the cranky old bat type.
I highly doubt these companies require consent from everyone involved. Those databases are used by Government agencies after all.
And sometimes those databases are used to catch a serial killer [apnews.com]...
Of course the serial killer didn't give any consent, but he was apparently identified anyhow by tracing through a third cousin who uploaded their DNA profile...
The beauty of it. (Score:2)
*You* may not give up this information, but someone who has all of your personal information in their contacts on their phone may.
It's a clusterfuck.
Re: (Score:2)
Well congrats you are the unicorn who knows for a 100% fact that no one in the world has any personal information about you stored on their phone or elsewhere. I figured in this day you would have to live in the forest and never make contact with anyone to achieve that goal but here you are. The rest of us have family and friends and even acquaintances who may do this unbeknownst to us. Also data mining companies pretty much have all of your information anyway from decades of public records and 'PII for
Re: (Score:1)
By the way; Slashdot is a form of social media.
LOL maybe you basement dwelling neckbeards believe that, but since all Slashdot knows about me is a totally fake name and an email address, that really doesn't count for anything.
Be a yellow-bellied abject fucking coward and accept the governmental and corporate erection up your ass all you like, buddy, if that's what makes you happy. Maybe they'll even give you a nice kiss afterwards, if you ask nicely for seconds. Fucking loser won't even be bothered to fight, LOL.
the breach impacted 92,283,889 users (Score:2)
Why? Don't go to those other guys to get my info as it might be incorrect. At least retrieve it from the authoritative source where it's supposed to be right.
I could also host a comment section in case anyone discovers something actually IS incorrect. Hell, you're already using my data, you might as well help me correct any inadvertent errors while you're at it.
By the way, the security PI
And do you know what their website says right now? (Score:2)
Spring Special
50% discount on the MyHeritage Complete plan, for the next few days only!
Learn more
So you have a breach SIX MONTHS AGO and not only do you not tell anyone, but the day you supposedly announce it, that doesn't seem to make it to your page? Really?
So, true story (Score:2)
Anyway, checked my profile, and I used my hotmail account and filled out the forms using a single letter for each field. I blame genetics for my paranoia.
Re: (Score:2)
That was my first thought. I wonder how anonymized the data was? I'm sure there is a unique identifier (or serial number) for the data, which is linked to the serialized spit bottle, which is linked to a purchase order and payment information. So much for anonymization protecting us.
Now with it in the wild, you don't even need the unique identifier as your DNA will provide that. But then again, it's unlikely your insurance companies don't already have that information. Certain laws state they can't use
sheesh! (Score:2)
Seriously (Score:1)
Can you express what it's like being that deep in the spectrum? Use your words...
Re: (Score:1, Insightful)
Donald Trump promised to commit treason?
Re: (Score:1)
> Donald Trump promised to commit treason?
Yep. He promised to commit treason (although as the President, he says he can't commit treason) and then pardon himself, just to show that it can be done and he can do it.