23andMe admits hackers stole raw genotype data - and that cyberattack went undetected for months | Firm says it didn’t realize customers were being hacked::Firm says it didn’t realize customers were being hacked

  • jonne@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    11 months ago

    Ah ok, didn’t know we knew those details. I guess they found an API endpoint that allowed them to do this that isn’t exposed through the website.

    • huginn
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      11 months ago

      The official RCA is credential stuffing.

      Reused passwords are a bitch.

      The main surprise is that you were able to get to genomic data with just a password. I thought it was only ever sent over email to the account email.

      Maybe the attack involved changing email as well?