A DNA testing database was apparently hacked sometime last fall, but it wasn’t nearly as interesting as it could have been.
It wasn’t one of the better-known sites like 23andme or ancestry.com. It also wasn’t the GEDmatch site that law enforcement used to track down the so-called “Golden State Killer” a few months back. It was a site called MyHeritage.com with about 92 million users, though it isn’t clear how many of them had actually submitted DNA.
Moreover, none of the DNA information appeared to have been stolen. In fact, it was a pretty run-of-the-mill incident by today’s standards: a file called MyHeritage was reportedly found on a third-party server containing a list of 92 million email addresses, each followed by its hashed (one-way scrambled) password. Since the passwords were hashed, there’s not likely going to be a way for anyone to reverse-engineer them to the actual passwords. And the company said that no financial information was involved, either.
“Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage,” the company wrote in a blog post about the incident. “Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.”
So what we actually have stolen here is a list of 92 million email addresses – basically, all the system’s users up until October 26, 2017. And sure, someone could have fun with that, looking to see how many of them have “password” as their password, or how many of them reused a password from a different system that hackers might know, and so on.
But generally, as these things go, this was pretty ho-hum, because the company did what it was supposed to. It hashed its passwords. It stored its financial information separately. It stored its genetic information separately. As a number of security experts have been saying, the issue is less about hardening your system so that you *never* get broken into, because at some point a break-in is likely to happen. Instead, it’s about how to limit the damage once someone does break in.
Because there’s lots of interesting things that could have been done with stolen DNA:
- Plant it somewhere to incriminate someone, ranging from a crime to blackmail, or to protect a criminal by having multiple people’s DNA at a crime scene
- Use it to get medical treatment
- Use it to reveal someone’s dirty laundry, such as being illegitimate or unable to get health insurance due to a genetic condition
- Use it to protect against being called out for a genetic condition, much the way people will buy clean urine to pass a drug test
- Heck, they could have started cloning people, or breeding people
That said, it may just be a matter of time before one of these DNA storage places is hacked – with actual DNA. As you may recall, researchers are looking into storing data on DNA. Apparently there is also research going on into how you could store malware on DNA, and then submit that DNA to a DNA storage service, where it would “come to life” and start stealing data. “The researchers were even able to encode a strand of synthetic DNA to contain malware, allowing them to take remote control of a computer being used to sequence and process genetic data,” writes Usha Lee McFarling in STAT.
Meanwhile, the company is doing all the appropriate things. It’s not only recommending that people change their passwords; it’s forcing everyone to do so (though it isn’t clear whether they could just put in the same password they’d used before). It also set up a round-the-clock security team to answer user questions. It is working on setting up two-factor authentication (and yes, it should have done that in the first place), but it sounds like it isn’t going to require it, only “recommend” it. It is also looking into how the data got stolen in the first place, and why it didn’t detect the theft at the time.
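The open question above, whether a forced reset lets users keep their old password, is easy to close on the server side. The following is an added example, not MyHeritage’s code: it verifies the candidate against the stored hash and rejects it if it matches, and also rejects entries from a breach denylist (the denylist contents and the PBKDF2 parameters are assumptions made for this illustration).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed denylist standing in for a list built from public breach corpora
# (an assumption for this example; a real deployment would load a large one).
KNOWN_COMPROMISED = {"password", "123456", "qwerty", "letmein"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored salt+digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def forced_reset(new_password: str, old_salt: bytes, old_digest: bytes) -> Tuple[bool, str, bytes, bytes]:
    """Apply a forced reset.

    Returns (accepted, reason, salt, digest). On rejection the old credentials are
    returned unchanged so the caller cannot accidentally persist a bad state.
    """
    if new_password.lower() in KNOWN_COMPROMISED:
        return False, "password appears in a known breach list", old_salt, old_digest
    # The stored value is a hash, so the only way to know whether the "new"
    # password is the old one is to verify it against the old salt and digest.
    if verify_password(new_password, old_salt, old_digest):
        return False, "new password must differ from the previous one", old_salt, old_digest
    new_salt, new_digest = hash_password(new_password)  # fresh salt on every change
    return True, "ok", new_salt, new_digest
```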
But it could have been so much more interesting.