Hacker Reacts to 23andme Data Leak
Key Takeaways
LiveOverflow reacts to the 23andme data leak, discussing cybersecurity and data protection responsibilities
Full Transcript
In this video I want to share another controversial security take of mine, and this is that we desperately need a driver's license for the internet, because there's one condition I find extremely, extremely important, and that is: people have to know that they have to use secure passwords and that they should not be shared between sites. People should only be allowed to use the internet after they signed the paper saying "yes, I am dumb when I reuse the password, and it's my own fault when my accounts get accessed because of that". Some of you might now be shocked and think, well, no, we should make the internet secure by default, people shouldn't have to care about these things, we are failing as a security industry if we are not able to solve this issue. But I say you are wrong, so hear me out. [Music]

So a couple of days ago there was this breaking news about the genetics firm 23andMe confirming a data theft in a credential stuffing attack. I don't have to explain what 23andMe is, right? You all saw the advertisements the past few years. This is the DNA testing kit where you get a case at home, you send in your DNA, and then you get an analysis of your DNA. And because everybody is so sensitive about their DNA, considering that extremely personal and private information, of course the media is going crazy now about this: "23andMe user data stolen in targeted attack on Ashkenazi Jews". The reason why they say a targeted attack is because the people that were leaking that data were initially selling or offering a list of only Ashkenazi Jews, which is clearly pretty anti-Semitic. But what exactly happened? Why am I saying that there should be a driver's license for password usage? Screenshots were also shared of the data being sold or offered on forums, here's also the price for how many profiles, and it turns out to be legit: 23andMe confirmed that the data is legitimate. But the important fact is that there was no security issue in 23andMe. The hacker used credentials from other breaches to access 23andMe accounts.

I have to admit it was made a little bit worse in this case, because there is this DNA Relatives feature. So when you signed up to 23andMe, they will match you with some distant relatives based on your DNA, and when you logged into your account you could see other people that are relatives of yours. So with one valid login you maybe are able to actually get the data of dozens of people if they are relatives of that person, and that sucks a little bit, I agree. But on the other hand it appears to be an opt-in option; this is a feature that you want, to be able to discover your relatives, so in some way you also want your information to be a little bit more public. So slowly we understand the issue: apparently there were breaches in the past with usernames or emails and passwords, and they were used on 23andMe. They were trying the same credentials and seeing if they could log in, and when they found a valid login they were able to scrape that profile's data and maybe even scrape the information from the relatives as well. This way they were able to assemble a pretty huge data set of people signing up to 23andMe.

But is 23andMe at fault now? Well, 23andMe has offered two-factor authentication since 2019, but of course the reality is that people are not using it. The people that have secure passwords and make sure to not reuse passwords are usually also the people that use two-factor authentication. The credentials that were used were probably the less technical ones that don't really understand the importance of keeping the password secure. So in my opinion there was no security issue at all at 23andMe, and yet 23andMe is in the news with a data breach. It makes it look extremely, extremely bad for the company. Now, I do think 23andMe could have done a little bit more. I do find it quite surprising that they were able to log in this easily with so many accounts, so I'm asking myself whether there was no rate limiting on the login at all to try out these millions or hundreds of thousands of accounts. But on the other hand, if there's rate limiting you can kind of also easily bypass it using Tor or something; you have to be very aggressive protecting your login, it's really not that simple. You could also implement some things like: if the IP of the login changes, for example, you could ask, well, enter here the security code we sent to you via email. That is basically a forced two-factor authentication that adds a little bit of friction to the login, but would in this case have been extremely helpful in preventing this issue. So I do think there are some lessons learned on what companies should implement, but again, for me it's not a security issue.

And I still have this urge to defend 23andMe, because I feel like the massive negative news that they are now getting, and people not really understanding the technical details, because I assure you most people that read that news, that have no clue about IT security, they will think 23andMe got hacked. I'm pretty sure when people talk about this to their friends they say "oh, my data from 23andMe got hacked", and I do think this is a huge problem for our industry, because it's this fear mongering, this fear of hackers: hackers are taking our data, they can hack into everything. I think that's a huge problem. On the other hand, the security industry really likes this kind of news, because every time there's news like this there's an uptick in people signing up for some security services, so there's a very shitty balance at play. I do feel still defensive of the company, because I think the real responsibility lies in a shared responsibility of all these hundreds of thousands of accounts that got hacked, because these individuals, these people, were irresponsible with their password.

And we have seen these kinds of data leaks many times before, for example the Facebook Cambridge Analytica data scandal. I feel like in the popular news it was put there as if Facebook was willingly selling or giving away this data, or some even say that this kind of data was, like, hacked. But in reality Cambridge Analytica built this Facebook app, and people willingly wanted to use this "This Is Your Digital Life" app. The people willingly used this app and gave away their data. Facebook got huge issues because of that, and I'm sitting there and thinking, no, I don't feel like Facebook is at fault here, all the people that were willingly giving away this information. That being said, I'm not sure about the exact details of the privacy policy stuff. I think of course there are legal arguments to be made whether this was clearly communicated to the user that they were giving away the data. On the other hand, even if it was clearly mentioned in the privacy policies, nobody's reading them, so in the end it really doesn't matter. But I do think people need to understand that when they type in something private on a website, it goes to some company; you are sharing that willingly.

And also interesting, I think, is this paper that I've referenced a few times in the past. It's a super insightful paper that revealed some stats around this credential stuffing, like using compromised credentials from something else and then using them on another platform. And for example they are saying here: a typical credential stuffing attack has up to a 2% success rate on major websites; in other words, with a set of 1 million stolen passwords from one website, attackers can easily take over 20,000 accounts. And the paper lists in detail the data that they had, and look at these data sets: there were 1.9 billion credential leak victims; phishing compared to that is so much lower. On the other hand, looking at the risk is also interesting. Of course a credential leak has a low probability to work, we just heard the stat of like maybe 2% that it would work; a phishing kit, if it's successful in getting the credentials, of course has an extremely high hijack ratio to then be successful, because it's the real credentials. In the end it's a game of numbers, and you can see credential leaks are the major issue online for people getting their accounts hacked.

So now let's come back to my controversial security opinion. Why do I think that you need a driver's license, or to understand kind of the risk associated with passwords? Well, let me prefix that and say that I do agree that if there are technical solutions, if there are actual security bugs that we can fix, then we must fix them. We should never expect people to work around real security issues that we can't fix. But identity, authentication and authorization is a fundamental issue that is extremely difficult to solve. How do you build a technical solution to identify people? I watch some American courts and think about this issue: do you know if the person sitting there is really the identity who you think it is? A very common question by the judge to some witnesses is "can you identify this person to be this person?" So even in a court case you rely on multiple people confirming "yes, this is the correct person". So proving identity is extremely, extremely difficult, and this is what you do with a username and password. The password is a shared secret between you and the company. When you sign up with a password you give a secret password to the service, and when you knock at the door and they ask "password please", you provide that secret password that only you are supposed to know. And if you think about it this way and you reuse the password, then you tell multiple different websites the same secret. Immediately you are sharing your secret with multiple different people, with multiple different places, so it's just a matter of time until one of these people starts speaking or leaking, or their database gets compromised, and now they can use that credential on another website. And I think understanding this concept of the shared secret is something we can expect adults to take seriously.

We expect adults to take responsibility in life all the time. For example, when driving a car we do expect the manufacturer to provide a reasonably safe car, but in the end the adult is still driving the death machine, and if they want to they can hit that gas pedal and drive off a cliff, and they have to make a driver's license and understand the risk and understand how to operate this vehicle, because we cannot expect the manufacturer to prevent the car from driving off a cliff. And I think after decades of not being able to solve the issue with passwords and identity, we just have to accept that passwords are a responsibility of us individuals. We cannot expect, and we shouldn't expect, companies to solve that issue, because it cannot be solved; it's a fundamental issue. And like I said, there are millions of other things where we can improve, enforce and regulate to make things more secure, but with passwords, or secrets shared between multiple places, I think you, the user, bear the responsibility for it. If I reuse the password for the same services, then definitely shame on me; I knew better and I still did it. That's exactly like if I drive a car faster than I should: I understand the responsibility, I do it regardless, and it's my own fault if something happens. If you appeared in the 23andMe leak and it was not your fault, it was not your account, because that was secure, and it was this relatives feature, you should not be angry at 23andMe, you should be angry at your relative who is careless with their secret password.

That's my controversial security take. Feel free to argue with me in the comments, but if you like my security takes and you want to learn about real hacking and real security issues, check out our website hextree.io, where we are teaching IT security. We're still in the beta phase, but you can sign up for the waiting list right now. And if you are interested in more videos, check out some of the videos here, or check out my main channel LiveOverflow. [Music] Bye.
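The video names two things a login endpoint could do about credential stuffing: notice that one source is trying many different accounts with a low success rate, and, when the password is right but the request comes from an unfamiliar IP, demand a code sent to the account's email before granting access. The block below is an added example of both checks run over an authentication log; it is not code from the video and not 23andMe's system. The log lines, the thresholds (a 60-second window, 6 distinct accounts, a 20% success ceiling) and the per-account table of previously seen networks are all constructed for illustration. It also covers the caveat raised in the video that a per-IP rate limit is easy to spread around with Tor: the same detector scored over all traffic as one group still trips, because the distinct-accounts-versus-success-rate pattern survives the spreading.

```python
"""Added example, not code from the video or from 23andMe: two checks a login
endpoint can run over its own authentication log. Log lines, thresholds and the
known-network table below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed log, one event per line: "<epoch> <source_ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1696500000 203.0.113.7 alice ok
1696500001 198.51.100.9 user001 fail
1696500001 198.51.100.9 user002 fail
1696500002 198.51.100.9 user003 fail
1696500002 198.51.100.9 user004 ok
1696500003 198.51.100.9 user005 fail
1696500003 198.51.100.9 user006 fail
1696500004 198.51.100.9 user007 fail
1696500004 198.51.100.9 user008 fail
1696500006 203.0.113.7 alice fail
1696500007 203.0.113.7 alice ok
1696500008 192.0.2.44 bob ok
"""

# Constructed: networks each account has previously logged in from (normally a DB table).
KNOWN_NETWORKS = {
    "alice": [ip_network("203.0.113.0/24")],
    "bob": [ip_network("192.0.2.0/24")],
    "user004": [ip_network("203.0.113.0/24")],
}

@dataclass(frozen=True)
class Event:
    ts: int
    ip: str
    user: str
    ok: bool   # True when the submitted password matched

def parse_log(text):
    """Whitespace-separated log lines -> Event records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append(Event(int(ts), ip, user, result == "ok"))
    return events

def find_stuffing_sources(events, window=60, min_users=6, max_success_rate=0.2,
                          key=lambda e: e.ip):
    """Return {group: (distinct_users, success_rate)} for each group (by default
    one per source IP) that, within some `window`-second span, tries at least
    `min_users` different accounts and succeeds on at most `max_success_rate` of
    the attempts. A real user retrying a typo hits one account; a stuffing tool
    hits many and mostly fails. key=lambda e: "*" scores all traffic as one
    group, which still catches attempts spread over Tor exits that a per-IP
    limit never sees."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        groups[key(e)].append(e)
    flagged = {}
    for group, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            rate = sum(e.ok for e in span) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[group] = (len(users), round(rate, 3))
                break   # one qualifying window is enough to flag the group
    return flagged

def login_decision(user, ip, password_ok, known=KNOWN_NETWORKS, stuffing_ips=frozenset()):
    """After the password check: "deny" (wrong password); "step_up" (right password
    but an unfamiliar network or a flagged stuffing source: send a code to the
    account's email and require it first); "allow" (right password, known network)."""
    if not password_ok:
        return "deny"
    familiar = any(ip_address(ip) in net for net in known.get(user, []))
    return "step_up" if (ip in stuffing_ips or not familiar) else "allow"

def run(log_text=SAMPLE_LOG):
    """Flag stuffing sources, then decide each successful password check with that
    knowledge. Returns (flagged_sources, {(user, ip): decision})."""
    events = parse_log(log_text)
    flagged = find_stuffing_sources(events)
    decisions = {(e.user, e.ip): login_decision(e.user, e.ip, True, stuffing_ips=set(flagged))
                 for e in events if e.ok}
    return flagged, decisions

if __name__ == "__main__":
    flagged, decisions = run()
    print("stuffing sources:", flagged)
    for (user, ip), verdict in decisions.items():
        print(f"{user:8s} from {ip:14s} -> {verdict}")
```

On the constructed log, 198.51.100.9 is flagged (six accounts, one success) while alice's own retry from 203.0.113.7 is not, and the single valid login the stuffing source found (user004) is answered with "step_up" rather than "allow", which is exactly the point where the emailed code would have stopped the scrape described above. The step-up check is deliberately keyed on the network rather than the exact address so that a user on a home connection whose address changes within the same range is not challenged every day; how coarse to make it is a product decision, not something the video specifies.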
Original Description
Learn Hacking (ad): https://hextree.io/
Buy my font (ad): https://shop.liveoverflow.com/
=[ 📄 Info. ]=
mattjay's Tweet: https://twitter.com/mattjay/status/1710370423311888724
Main Channel: https://youtube.com/@LiveOverflow
Support LiveOverflow:
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ Instagram: https://instagram.com/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Twitch: https://twitch.tv/LiveOverflow
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
Chapters:
00:00 - Intro
00:50 - 23andme Data Theft
03:44 - 23andme responsibilities?
05:33 - Facebook Cambridge Analytica
06:40 - Compromised Accounts Paper
07:44 - Personal Responsibility
10:54 - Outro
=[ 📄 P.S. ]=
Hack the Planet!