Poll: Do you think this leak is legit?
Yes: 7 (50.00%)
No: 0 (0%)
I don't know: 7 (50.00%)
Total: 14 vote(s)

Hacker leaks millions more 23andMe user records on cybercrime forum
#1
A hacker called Golem claims to have gotten his hands on the raw data of 23andMe customers:

https://techcrunch.com/2023/10/18/hacker...ime-forum/
Quote:The same hacker who leaked a trove of user data stolen from the genetic testing company 23andMe two weeks ago has now leaked millions of new user records.

On Tuesday, a hacker who goes by Golem published a new dataset of 23andMe user information containing records of four million users on the known cybercrime forum BreachForums. TechCrunch has found that some of the newly leaked stolen data matches known and public 23andMe user and genetic information.

Golem claimed the dataset contains information on people who come from Great Britain, including data from “the wealthiest people living in the U.S. and Western Europe on this list.”

23andMe spokesperson Andy Kill said in an emailed statement that the company was made aware of this new leak today, and that it is “reviewing the data to determine if it is legitimate.”

On October 6, 23andMe announced that hackers had obtained some user data, claiming that to amass the stolen data the hackers used credential stuffing — a common technique where hackers try combinations of usernames or emails and corresponding passwords that are already public from other data breaches.

In response to the incident, 23andMe prompted users to change their passwords and encouraged switching on multi-factor authentication. On its official page addressing the incident, 23andMe said it has launched an investigation with help from “third-party forensic experts.” 23andMe blamed the incident on its customers for reusing passwords, and an opt-in feature called DNA Relatives, which allows users to see the data of other opted-in users whose genetic data matches theirs. If a user had this feature turned on, in theory it would allow hackers to scrape data on more than one user by breaking into a single user’s account.

He gives people the chance to be excluded from this leak if they delete their account by today, Sunday.

Do you think that this leak is legit?
pelop, rmstevens2, ph2ter like this post
Reply
#2
I knew about the hack. I haven't been on the site for a while. I tried to access my DNA matches but it seems as if most of them have been disabled, with the following notice from 23andMe: "We have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect your privacy. Read more here." Anybody else experience this?
NixYO, Capsian20, rmstevens2 And 1 others like this post
Reply
#3
(10-21-2023, 11:25 PM)leonardo Wrote: I knew about the hack. I haven't been on the site for a while. I tried to access my DNA matches but it seems as if most of them have been disabled, with the following notice from 23andMe: "We have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect your privacy. Read more here." Anybody else experience this?

I have the same notice from 23andMe
AimSmall, NixYO, leonardo like this post
Target: CapsianWGS_scaled
Distance: 1.2510% / 0.01251049
37.2 Iberomaurusian
36.8 Early_European_Farmer
12.8 Early_Levantine_Farmer
8.0 Steppe_Pastoralist
4.8 SSA
0.4 Iran_Neolithic
FTDNA : 91% North Africa +<2% Bedouin + <2  Southern-Levantinfo + <1 Sephardic Jewish + 3% Malta +  3%  Iberian Peninsula
23andME :  100% North Africa

WGS ( Y-DNA and mtDNA)
Y-DNA: E-A30032< A30480 ~1610 CE
mtDNA: V25b 800CE ? ( age mtDNA not accurate )
Reply
#4
(10-21-2023, 11:34 PM)Capsian20 Wrote:
(10-21-2023, 11:25 PM)leonardo Wrote: I knew about the hack. I haven't been on the site for a while. I tried to access my DNA matches but it seems as if most of them have been disabled, with the following notice from 23andMe: "We have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect your privacy. Read more here." Anybody else experience this?

I have the same notice from 23andMe

It's kind of a bummer to not be able see new matches, in the event that there is a rather close one. Hopefully, they return such matches. Otherwise, the site isn't much use for me, as I am more interested in the matches than the health element.
Capsian20 and rmstevens2 like this post
Reply
#5
Yep
rmstevens2, Capsian20, leonardo And 1 others like this post


Reply
#6
(10-21-2023, 11:47 PM)leonardo Wrote:
(10-21-2023, 11:34 PM)Capsian20 Wrote:
(10-21-2023, 11:25 PM)leonardo Wrote: I knew about the hack. I haven't been on the site for a while. I tried to access my DNA matches but it seems as if most of them have been disabled, with the following notice from 23andMe: "We have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect your privacy. Read more here." Anybody else experience this?

I have the same notice from 23andMe

It's kind of a bummer to not be able see new matches, in the event that there is a rather close one. Hopefully, they return such matches. Otherwise, the site isn't much use for me, as I am more interested in the matches than the health element.

Yes, this is very much a bummer; me too, I'm interested in matches more
leonardo and rmstevens2 like this post
Reply
#7
(10-21-2023, 11:53 PM)AimSmall Wrote: Yep

This is a bummer
rmstevens2 likes this post
Reply
#8
(10-21-2023, 11:25 PM)leonardo Wrote: I knew about the hack. I haven't been on the site for a while. I tried to access my DNA matches but it seems as if most of them have been disabled, with the following notice from 23andMe: "We have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect your privacy. Read more here." Anybody else experience this?

Hm, interesting. I chose to panic and disabled all those DNA Relatives features, asked them to delete my sample and then deleted my account.

I'll quote the hacker Golem himself here and add the time and date the posts were written (I guess the forum will give me my own time zone, which is UTC+01:00?), but shall not link the hacker forum directly and retract some stuff from his posts, because I don't think this gets the attention it deserves:

10-17-2023, 08:12 PM (This post was last modified: 10-17-2023, 08:49 PM by Golem.)
Golem Wrote:The data includes information on all wealthy families serving Zionism.
You can see the wealthiest people living in the US and Western Europe on this list.

Even if just one person from a family takes this test, it provides very detailed information about third-generation cousins.
There are samples from hundreds of families, including the royal family, Rothschilds, Rockefellers, and more.

You can write to me in private messages for more detailed information like raw data.
I'm not a Muslim, but I'm holding myself back with difficulty from uploading hundreds of TBs of data to torrents due to the despicable Israel attacking the hospital.
After all, there are innocent people in these data. They don't need to be afraid; your important data is in safer hands than with 23andMe.

10-18-2023, 08:42 AM (This post was last modified: 10-18-2023, 09:00 AM by Golem.)
Golem Wrote:Olaf Scholz is darkening the future of Germans by serving Zionism.
For now, I am sharing only 1/3 of the profiles with German origins from the DB. If you don't correctly determine where you stand, I won't hesitate to share down to your cells.

The has_health key being false in these lists doesn't mean anything.
Each person has an average of 700,000 SNPs, and I can flawlessly expand this to up to 30M using the imputation method.

10-18-2023, 09:38 AM
Golem Wrote:I would like to remind you that even the data I'm sharing here is extremely valuable.
Some independent organizations spend millions of dollars on research to obtain this data. Not even one-thousandth of this data is found in any Y-DNA studies.

The region/subregion columns indicate that there are definitely common segments with other people living in that area.
I already have information on how many people each individual matches in that region.
The region column generally indicates a definite match with more than 100 people.
The subregion column, on the other hand, shows precise genetic locations. The margin of error is less than 1%.

10-18-2023, 10:14 PM
Golem Wrote:The company apparently sees these leaks not as a data breach, but as a violation of site rules. Well, I'm taking on a bit of the role of enlightening the public then; If the source of the leak is solely "credential stuffing attack," why haven't you taken measures against it even in 2023? There's only one login service on web and mobile platforms; why didn't you use captcha, turnstile, etc., there? Despite knowing that the user:pass data of 92 million users of MyHeritage, where many of your joint common members, including your CEO, are known to be, has been circulating for years, you took no action.

What's worse, there's no need for email verification even for a user to download raw data. Additionally, you don't necessarily have to download to obtain raw data. There are three different methods possible to take raw data directly from the db without downloading it. Is it the members' fault if your sense of security is terrible? What a foolish defense!

To extract data in this way from 14 million people, at least 100,000 credentials are needed because most members have common relatives. How did you not notice that 100,000 of your customers' accounts had been accessed? How did you not detect this while millions of data belonging to other users were being scraped? Why didn't you define a rate limit rule based on endpoint or parameter?

Suppose I did scrape profiles through the hacked accounts in the shared relatives list. But what about other vulnerabilities?

Here is the profile that belongs to the company's CEO -> [RETRACTED]
[RETRACTED]
(([RETRACTED] = Anne Wojcicki) Thought they'd be off the grid if they hid their name, huh? Idiot. Say hi to your mom for me: [RETRACTED])

[RETRACTED]
Is there anyone left who doesn't know Elon Musk's Y-DNA? His ancestors swam across the Indian Ocean from Southeast Asia to Madagascar, did they? Must've just let the current take them where it wanted. Quite the journey, huh? Talk about the spirit of adventure in his DNA!

[RETRACTED]
This Middle Eastern guy's practically related to the whole globe, huh? Kinda makes him deserving of being the founder of Google, doesn't it? Bridging connections, threading the human web – that's what it's all about in this digital age. Dude's got the world in his family tree; no wonder he's at the helm of the info universe.

How did I manage to acquire the information on shared segments per chromosome with position ranges between this profile and others? How did I aggregate the relative distance in centimorgans? If you have even a slight understanding of data, you'd realize that with just this vulnerability, one could accumulate the SNPs of 14 million individuals and perform matches with any human being. Also, no need to go through this trouble to obtain raw data.
If you have no shame in deceiving people, your lies will be exposed like this with the data belonging to the owner of your company. You were already aware of the data breach for a long time.

10-19-2023, 10:23 PM
Golem Wrote:Even if it doesn't receive enough attention on the forum, thousands of posts have been written on social media about this topic right now.

Some people have asked me via private message why I deleted the topic about the first sale. I'm going to write for the sake of avoiding confusion. Also, it seems some cybersecurity companies are confused as well. They also appear to be unsatisfied with the company's statement.

We, as hackers, have been in the mix, ethical or not, millions of times. But we've always known where to draw the line when the stakes are humanity-level high. 2 weeks back, I dropped a surface-level dataset of millions of Ashkenazi folks registered with 23andMe right here in this forum. Barely got a whisper here, but it blew up big-time on the global news scene, with hundreds of thousands of tweets storming Twitter.

Why the Ashkenazi data, you ask? It's all 'cause of Anne Wojcicki, the big boss at this joint. Her biggest rival? None other than Theranos' head honcho, Anne Holmes. Same names, same games. And they're headed for the same downfall, trust.

The first share I made was like peanuts next to a beer. The real important data was in the raw data, health info, and relative connections of these people. And I got my hands on it all through three different sec holes. Was gonna sell this goldmine, but then I saw the fear in the eyes of innocent peeps on social media. Didn't have the heart to do 'em dirty like that, so I pulled the plug on the topic. Instead, I got chatty with the CEO's right-hand(kristen) 10 days ago. Laid it all out and offered to report the vulnerabilities and wipe every piece of data I had for a cool $100,000. Even threw in a freebie of one vulnerability to show I wasn't messin' around. This vulnerability I served on a platter lets you list hundreds of relatives/segments/positions of any user with whom you have no common segment through centimorgan.

In my previous message, I presented 3 different pieces of evidence for this.
The endpoint where the vulnerability is located => [RETRACTED]

By inputting the profile of the person you want into the [RETRACTED], you could see the relationship between that person and the users in [RETRACTED] based on segments, positions, centimorgans, and SNP count. Since I already had the haplogroup, origin, and location information of 14 million people, I found all the close relatives of any person with an average of 50 requests. For this, I wrote an advanced script and pulled all this data. I'm a real hacker; my life has not been spent with SIEM and WAF products like the 23andMe infosec team, but with writing programs.

There are even more critical vulnerabilities. The main problem of this company is that they think it's secure because the structure they use for [RETRACTED] is not sequential. I've shared the profiles of more than 5 million people so far, haven't I? You can send a message to any [RETRACTED] you want, even if they're not a relative. The entire structure on the website is similar to this. Instead of wasting time for every new match, they have followed such a scheme, and it has cost them dearly. There can be no compromise on security. This vulnerability I mentioned, as you see, was very simple but significant, and I had reported it to the company 10 days ago. I don't know if this vulnerability still persists.

Despite the report, the company goes and says there is no data breach in our systems. BS. With the other gaps, anyone could waltz right in and access users' raw data and health records.

The CEO, bagging $30 million a year, wouldn't shell out $100,000. I wasn't asking for ransom here; I offered a service worth 100 times that. Never in my life have I seen such a brain-dead, careless bunch. All of the conversations are recorded. They led me on for a full 5 days, and during this time, they snitched on me to the FBI. I told them a week ago that I would bring this circus down on their heads, and I've started to do just that.

The only crap the company's dared to spill so far is that the current leak's down to users recycling passwords from other websites. In other words, they're pinning it on their customers. Total lie. Access to any member's raw data, health deets, or shared segments? That's a security breach, clear as day.

Heads up to all 23andMe members: delete your account within 3 days, and you'll dodge this health and raw data leak mess. If not, your most precious info's hitting the market, no doubt about it. Don't say you weren't warned. After Sunday, I will check the presence of all members and sell the data of those who continue to be active.

10-20-2023, 10:37 AM
Golem Wrote:
Some other user Wrote:I think you claimed low amount. your data more valuable. if they didn't even give 100k, make the amount 5 million after today.
I think the decision-makers, especially the CEO, were swayed by vice presidents and consultants pretending to be experts but actually clueless. This mistake cost them dearly.

I want to emphasize, the CSV file I shared in this thread belonging to Musk, Brin, and Wojcicki contains data on Shared & Matching Segments of DNA, not DNA Relatives. This is a clear breach.

5 hours ago
Golem Wrote:
Yet another user Wrote:Blaming this on users is shitty move, not sure why companies do that instead of admit mistake learn and fix things.
I'm not sure either, to be honest. I had reported the vulnerability I wrote about in my last post for free during the negotiation process 13 days ago. Yesterday, they first blocked access to this endpoint through CloudFlare, then they fixed the vulnerability. This means that they learned about the existence of the vulnerability just yesterday, and the person I spoke with never even informed the infosec team about the vulnerability. You wouldn't entrust this company with a hashed password, let alone your DNA.

I gave people the opportunity to delete their memberships. When a membership is deleted, I can confirm this from a few different services.
leonardo, rmstevens2, Rufus191 like this post
Reply
#9
(10-22-2023, 12:12 AM)NixYO Wrote:
(10-21-2023, 11:25 PM)leonardo Wrote: I knew about the hack. I haven't been on the site for a while. I tried to access my DNA matches but it seems as if most of them have been disabled, with the following notice from 23andMe: "We have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect your privacy. Read more here." Anybody else experience this?

Hm, interesting. I chose to panic and disabled all those DNA Relatives features, asked them to delete my sample and then deleted my account.

I didn't realize he's giving people a chance to delete their info. Do you think he will actually be able to know who deleted and who didn't, therefore qualifying whose data he will release? I mean there are who knows how many accounts. I assume he got people's data. So, how will he know if somebody deleted it?
parasar and rmstevens2 like this post
Reply
#10
(10-22-2023, 12:23 AM)leonardo Wrote: I didn't realize he's giving people a chance to delete their info. Do you think he will actually be able to know who deleted and who didn't, therefore qualifying whose data he will release? I mean there are who knows how many accounts. I assume he got people's data. So, how will he know if somebody deleted it?
I have no idea, it's literally “just trust me, bro”. As he wrote in one of his posts:

Golem Wrote:I gave people the opportunity to delete their memberships. When a membership is deleted, I can confirm this from a few different services.

23andMe says that it can take up to 30 days to have your account deleted.
leonardo and rmstevens2 like this post
Reply
#11
Arrogant person with distorted motives... honestly, he doesn't really think that normal customers will read a "warning message" at a hidden crime forum?

If I understand well, the person has had access to certain profiles through weak passwords (which exist at any platform), and through them was able to scrape information about matches, and shared segments. Question is: was there access to the raw files (you know, the ones with all the letters) of matches, because that is generally impossible for anyone except yourself, and that would be a major scandal.

btw can it be that MH hid ethnicity results of matches because of these kinds of risks?
leonardo, Nqp15hhu, Rufus191 And 1 others like this post
Reply
#12
Golem Wrote:Was gonna sell this goldmine, but then I saw the fear in the eyes of innocent peeps on social media. Didn't have the heart to do 'em dirty like that, so I pulled the plug on the topic.

Oh, how empathetic this web-criminal is.
I think that deleting the membership will do nothing to protect the accounts.
Rober_tce, JMcB, leonardo And 3 others like this post
Reply
#13
(10-22-2023, 09:31 AM)ph2ter Wrote:
Golem Wrote:Was gonna sell this goldmine, but then I saw the fear in the eyes of innocent peeps on social media. Didn't have the heart to do 'em dirty like that, so I pulled the plug on the topic.

Oh, how empathetic this web-criminal is.
I think that deleting the membership will do nothing to protect the accounts.

That's my thought. If he has the data, there is little to no way for him to know - out of all the FTDNA samples he supposedly has - all those who deleted and all those who didn't.
Rober_tce, JonikW, Capsian20 like this post
Reply
#14
(10-22-2023, 09:07 AM)Pylsteen Wrote: Arrogant person with distorted motives... honestly, he doesn't really think that normal customers will read a "warning message" at a hidden crime forum?

If I understand well, the person has had access to certain profiles through weak passwords (which exist on any platform), and through them was able to scrape information about matches, and shared segments. Question is: was there access to the raw files (you know, the ones with all the letters) of matches, because that is generally impossible for anyone except yourself, and that would be a major scandal.

btw can it be that MH hid ethnicity results of matches because of these kinds of risks?

23andMe claims the attacker obtained information from accessing profiles with weak passwords, but there are many reasons why 23andMe's claim is unlikely to be true.

If you read some of the last posts Golem made, he actually posts a vulnerability on the 23andMe website where you could with the API, if you had any 2 profile ids, check their shared segments. This is the same API used for example in the Advanced DNA Comparison tool on their website. The API did not even check if the user requesting it should have permission to see the shared segments. Just with this information alone, it is possible to reconstruct large portions of all our genotypes assuming some % of 23andMe's customers raw data is known.

The most likely reason that 23andMe has disabled us seeing shared relatives / shared segments is most likely because they are finally going to fix this vulnerability even though the attacker claims he told them a long time ago about it. That should tell us how little 23andMe cares about the protection of our data, they do not even fix vulnerabilities until the general public knows about it.

Apparently the entire website is like this, where many of the API calls don't even check if you should have permission to view the data. You just call the API with a known profile id, and it spits out the result. Not sure how he obtained all the profile ids in the first place, but obviously he managed to find them, and use vulnerabilities to get all our data.

Also Golem claims that there are two more vulnerabilities which allowed him to directly obtain our health and raw data. Since he publicly has shown proof that he has every customer's name, haplogroup, ethnicity estimate, shared relatives, shared segments with relatives, there is no reason to believe that he cannot have the raw data also.

I can't say with 100% certainty that he has our raw data, but given the apparent flaws in the website's design I say it's not going to be that surprising if it turns out to be the case.

As for MyHeritage, it is possible, but I hope they aren't doing it in response to 23andMe's obvious lies about how the attacker got our data. And to be honest, if the vulnerabilities for raw data both exist and are as simple as the vulnerability for shared segments, then there is a chance multiple different attackers, possibly even foreign government agencies, already have our raw data - they just never 'publicly' made an announcement like Golem.
Capsian20, Rufus191, leonardo And 1 others like this post
Reply
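The missing permission check described in post #14, as an added example that is not part of the original thread and is not 23andMe's code: a shared-segments lookup that trusts any two profile ids, next to one that enforces object-level authorization and records denials for detection. The profile ids, the opt-in sharing model and all names here are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not see the requested comparison."""


@dataclass
class SegmentStore:
    # Constructed sample data: profile id -> owning user account.
    owners: dict = field(default_factory=lambda: {
        "p-alice": "u1", "p-bob": "u2", "p-carol": "u3"})
    # Profile pairs that opted in to see each other (assumed sharing model).
    sharing: set = field(default_factory=lambda: {
        frozenset(("p-alice", "p-bob"))})
    # Constructed segment data: (chromosome, start, end).
    segments: dict = field(default_factory=lambda: {
        frozenset(("p-alice", "p-bob")): [("chr1", 1_000_000, 5_000_000)],
        frozenset(("p-bob", "p-carol")): [("chr7", 2_000_000, 9_000_000)],
    })
    denied: list = field(default_factory=list)  # audit trail for detection

    def shared_segments_unchecked(self, user_id, a, b):
        """Flawed pattern: the caller's identity is never consulted."""
        return self.segments.get(frozenset((a, b)), [])

    def shared_segments_checked(self, user_id, a, b):
        """Authorize against the objects requested before the lookup."""
        pair = frozenset((a, b))
        owns_one = user_id is not None and any(
            self.owners.get(p) == user_id for p in (a, b))
        if len(pair) != 2 or not owns_one or pair not in self.sharing:
            # Many denials from one account across unrelated ids is the
            # enumeration signal worth alerting on.
            self.denied.append((user_id, a, b))
            raise Forbidden("not authorized for this comparison")
        return self.segments.get(pair, [])
```

The checked version returns the same error for unknown ids and for ids the caller may not compare, so the response does not confirm which profile ids exist.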
#15
So what is next, deactivated active account in 23andMe after Sunday?
Reply

