Hacker Reacts to 23andme Data Leak

LiveOverflow · Beginner · 📄 Research Papers Explained · 2y ago

Key Takeaways

LiveOverflow reacts to the 23andme data leak, discussing cybersecurity and data protection responsibilities

Full Transcript

In this video I want to share another controversial security take of mine, and this is that we desperately need a driver's license for the internet, because there's one condition I find extremely, extremely important, and that is: people have to know that they have to use secure passwords and that they should not be shared between sites. People should only be allowed to use the internet after they signed the paper saying "yes, I am dumb when I reuse the password, and it's my own fault when my accounts get accessed because of that." Some of you might now be shocked and think, "well no, we should make the internet secure by default, people shouldn't have to care about these things, we are failing as a security industry if we are not able to solve this issue." But I say you are wrong, so hear me out.

So a couple of days ago there was this breaking news about the genetics firm 23andMe confirming a data theft in a credential stuffing attack. I don't have to explain what 23andMe is, right? You all saw the advertisements the past few years. These are the DNA testing kits where you, you know, get a case at home, you send in your DNA, and then you get an analysis of your DNA. And because everybody is so sensitive about their DNA, considering that extremely personal and private information, of course the media is going crazy now about this: "23andMe user data stolen in targeted attack on Ashkenazi Jews." The reason why they say a targeted attack is because the people that were leaking that data were initially selling or offering a list of only Ashkenazi Jews, which is clearly pretty antisemitic. But what exactly happened? Why am I saying that there should be a driver's license for password usage? Screenshots were also shared of the data being sold or offered on forums; here's also the price for how many profiles, and it turns out to be legit: 23andMe confirmed that the data is legitimate. But the important fact is that there was no security issue in 23andMe. The hacker used credentials from other breaches to access 23andMe accounts.

I have to admit it was made a little bit worse in this case, because there is this DNA Relatives feature. So when you signed up to 23andMe, they will match you with some distant relatives based on your DNA, and when you logged into your account, you could see other people that are relatives of yours. So with one valid login you maybe are able to actually get the data of dozens of people, if they are relatives of that person. And that sucks a little bit, I agree, but on the other hand it appears to be an opt-in option. This is a feature that you want, to be able to discover your relatives, so in some way you also want your information to be a little bit more public. So slowly we understand the issue: apparently there were breaches in the past with usernames or emails and passwords, and they were used on 23andMe. They were trying the same credentials and seeing if they could log in, and when they found a valid login, they were able to scrape that profile's data and maybe even scrape the information from the relatives as well. This way they were able to assemble a pretty huge data set of people signing up to 23andMe.

But is 23andMe at fault now? Well, 23andMe has offered two-factor authentication since 2019, but of course in reality people are not using it. The people that have secure passwords and make sure to not reuse passwords are usually also the people that use two-factor authentication. The credentials that were used probably belonged to the less technical ones that don't really understand the importance of keeping the password secure. So in my opinion there was no security issue at all at 23andMe, and yet 23andMe is in the news with a data breach. It makes it look extremely, extremely bad for the company. Now I do think 23andMe could have done a little bit more. I do find it quite surprising that they were able to log in this easily with so many accounts, so I'm asking myself whether there was no rate limiting on the login at all, to try out these millions or hundreds of thousands of accounts. But on the other hand, if there's rate limiting, you can kind of also easily bypass it using Tor or something. You have to be very aggressive protecting your login; it's really not that simple. You could also implement some things like, if the IP of the login changes, for example, you could ask, "well, enter here the security code we sent to you via email." That is basically a forced two-factor authentication that adds a little bit of friction to the login, but would in this case have been extremely helpful in preventing this issue. So I do think there are some lessons learned on what companies should implement, but again, for me it's not a security issue.

And I still have this urge to defend 23andMe, because I feel like the massive negative news that they are now getting, and people not really understanding the technical details... because I assure you, most people that read that news, that have no clue about IT security, they will think 23andMe got hacked. I'm pretty sure when people talk about this to their friends they say, "oh, my data from 23andMe got hacked." And I do think this is a huge problem for our industry, because it's this fear mongering, this fear of hackers: hackers are taking our data, they can hack into everything. I think that's a huge problem. On the other hand, the security industry really likes these kinds of news, because every time there's news like this, there's an uptick in people signing up for some security services. So there's a very shitty balance at play. I do feel still defensive of the company, because I think the real responsibility lies in a shared responsibility of all these hundreds of thousands of accounts that got hacked, because these individuals, these people, were irresponsible with their password.

And we have seen these kinds of data leaks many times before, for example the Facebook Cambridge Analytica data scandal. I feel like in the popular news it was put there as if Facebook was willingly selling or giving away this data, or some even say that it was, like, hacked, this kind of data. But in reality, Cambridge Analytica built this Facebook app, and people willingly wanted to use this "This Is Your Digital Life" app. The people willingly used this app and gave away their data. Facebook got huge issues because of that, and I'm sitting there and thinking, no, I don't feel like Facebook is at fault here; it's all the people that were willingly giving away this information. That being said, I'm not sure about the exact details of the privacy policy stuff. I think of course there are legal arguments to be made whether this was clearly communicated to the user that they were giving away the data. On the other hand, even if it was clearly mentioned in the privacy policies, nobody's reading them, so in the end it really doesn't matter. But I do think people need to understand that when they type in something private on a website, it goes to some company; you are sharing that willingly.

And also interesting, I think, is this paper that I've referenced a few times in the past. It's a super insightful paper that revealed some stats around this credential stuffing, like using compromised credentials from something else and then using them on another platform. And for example they are saying here: "a typical credential stuffing attack has up to a 2% success rate on major websites. In other words, with a set of 1 million stolen passwords from one website, attackers can easily take over 20,000 accounts." And the paper lists in detail the data that they had, and look at these data sets: there were 1.9 billion credential leak victims; phishing compared to that is so much lower. On the other hand, looking at the risk is also interesting. Of course a credential leak has a low probability to work, we just heard the stat of like maybe 2% that it would work; a phishing kit, if it's successful to get the credentials, of course has an extremely high hijack ratio to be able to then be successful, because it's the real credentials. In the end it's a game of numbers, and you can see credential leaks are the major issue online for people getting their accounts hacked.

So now let's come back to my controversial security opinion. Why do I think that you need a driver's license, or to understand kind of the risk associated with passwords? Well, let me prefix that and say that I do agree that if there are technical solutions, if there are actual security bugs that we can fix, then we must fix them. We should never expect people to work around real security issues that we can't fix. But identity, authentication and authorization is a fundamental issue that is extremely difficult to solve. How do you build a technical solution to identify people? I watch some American courts and think about this issue: do you know if the person sitting there is really the identity who you think it is? A very common question by the judge to some witnesses is, "can you identify this person to be this person?" So even in a court case you rely on multiple people confirming, yes, this is the correct person. So proving identity is extremely, extremely difficult, and this is what you do with a username and password. The password is a shared secret between you and the company. When you sign up with a password, you give a secret password to the service, and when you knock at the door and they ask "password please," you provide that secret password that only you are supposed to know. And if you think about it this way and you reuse the password, then you tell multiple different websites the same secret; immediately you are sharing your secret with multiple different people, with multiple different places. So it's just a matter of time that one of these people starts speaking, or leaking, or their database gets compromised, and now they can use that credential on another website. And I think understanding this concept of the shared secret is something we can expect adults to take seriously.

We expect adults to take responsibility in life all the time. For example, when driving a car, we do expect the manufacturer to provide a reasonably safe car, but in the end the adult is still driving the death machine, and if they want to, they can hit that gas pedal and drive off a cliff. And they have to make a driver's license and understand the risk and understand how to operate this vehicle, because we cannot expect the manufacturer to prevent the car from driving off a cliff. And I think after decades of not being able to solve the issue with passwords and identity, we just have to accept that passwords are a responsibility of us individuals. We cannot expect, and we shouldn't expect, companies to solve that issue, because it cannot be solved; it's a fundamental issue. And like I said, there are millions of other things where we can improve, enforce and regulate to make things more secure, but with passwords, or secrets shared between multiple places, I think you, the user, bear the responsibility for it. If I reuse the password for the same services, then definitely shame on me; I knew better and I still did it. That's exactly like if I drive a car faster than I should: I understand the responsibility, I do it regardless, and it's my own fault if it happens. If you appeared in the 23andMe leak and it was not your fault, it was not your account, because that was secure, and it was this relatives feature, you should not be angry at 23andMe; you should be angry at your relative who is careless with their secret password.

That's my controversial security take. Feel free to argue with me in the comments, but if you like my security takes and you want to learn about real hacking and real security issues, check out our website hextree.io, where we are teaching IT security. We're still in the beta phase, but you can sign up for the waiting list right now. And if you are interested in more videos, check out some of the videos here, or check out my main channel LiveOverflow. Bye.
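The two login-side defences the video mentions, per-IP rate limiting against credential stuffing and a forced email-code step-up when a correct password arrives from an unfamiliar IP, sketched as an added Python example (not 23andMe's or LiveOverflow's code). The thresholds, the in-memory stores and the sample login events are constructed for illustration.

```python
"""Login-risk checks of the kind the video describes (added example, not
23andMe's code): per-IP rate limiting across accounts to flag the
credential-stuffing pattern, plus an email-code step-up on a new IP."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginPolicy:
    window_s: int = 60            # sliding window for the per-IP counter
    max_accounts_per_ip: int = 3  # distinct usernames one IP may try per window
    # username -> IPs that completed the email step-up before (assumed store)
    known_ips: dict = field(default_factory=lambda: defaultdict(set))
    # ip -> [(timestamp, username)] attempts recently seen from that IP
    ip_attempts: dict = field(default_factory=lambda: defaultdict(list))

    def evaluate(self, ts, user, ip, password_ok):
        """Decide one login attempt: blocked, denied, step_up or allowed."""
        recent = [(t, u) for t, u in self.ip_attempts[ip] if ts - t <= self.window_s]
        recent.append((ts, user))
        self.ip_attempts[ip] = recent
        # One source spraying many different accounts is the stuffing signature,
        # so the block applies even when the guessed password happens to be right.
        if len({u for _, u in recent}) > self.max_accounts_per_ip:
            return "blocked"
        if not password_ok:
            return "denied"
        if ip not in self.known_ips[user]:
            return "step_up"  # correct password, unfamiliar IP: emailed code required
        return "allowed"

    def confirm_step_up(self, user, ip):
        """Called once the user enters the emailed code; trust this IP for them."""
        self.known_ips[user].add(ip)


# Constructed sample events: (seconds, username, source IP, password correct?)
SAMPLE_EVENTS = [
    (0, "alice", "198.51.100.10", True),   # alice from her usual IP
    (5, "alice", "203.0.113.7", True),     # right password, never-seen IP
    (6, "bob", "203.0.113.7", False),
    (7, "carol", "203.0.113.7", False),
    (8, "dave", "203.0.113.7", True),      # 4th account from one IP in a minute
    (9, "erin", "203.0.113.7", False),
    (200, "frank", "203.0.113.7", True),   # window expired, counter restarts
]


def run_sample():
    """Run the sample through the policy and return the list of decisions."""
    policy = LoginPolicy()
    policy.known_ips["alice"].add("198.51.100.10")
    decisions = [policy.evaluate(*event) for event in SAMPLE_EVENTS]
    policy.confirm_step_up("alice", "203.0.113.7")   # alice entered the emailed code
    decisions.append(policy.evaluate(300, "alice", "203.0.113.7", True))
    return decisions
```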

Original Description

Learn Hacking (ad): https://hextree.io/
Buy my font (ad): https://shop.liveoverflow.com/

=[ 📄 Info. ]=
mattjay's Tweet: https://twitter.com/mattjay/status/1710370423311888724
Main Channel: https://youtube.com/@LiveOverflow

Support LiveOverflow:
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ Instagram: https://instagram.com/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Twitch: https://twitch.tv/LiveOverflow
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

Chapters:
00:00 - Intro
00:50 - 23andme Data Theft
03:44 - 23andme responsibilities?
05:33 - Facebook Cambridge Analytica
06:40 - Compromised Accounts Paper
07:44 - Personal Responsibility
10:54 - Outro

=[ 📄 P.S. ]=
Hack the Planet!


The video discusses the 23andme data leak and its implications on cybersecurity and data protection, highlighting the importance of personal responsibility and basic security measures.

Key Takeaways
  1. Learn about the 23andme data leak
  2. Understand the consequences of data leaks
  3. Recognize the importance of personal responsibility in cybersecurity
  4. Explore basic cybersecurity measures
  5. Research the Facebook Cambridge Analytica scandal
💡 Personal responsibility is crucial in maintaining cybersecurity and protecting personal data


Chapters (7)

0:00 Intro
0:50 23andme Data Theft
3:44 23andme responsibilities?
5:33 Facebook Cambridge Analytica
6:40 Compromised Accounts Paper
7:44 Personal Responsibility
10:54 Outro