Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Wrong question. Correct question: how does 23andMe know any customer used "password123" as a password?


Probably cross referenced their compromised customer account emails with a pastebin of email:pass pairs leaked from another hack.


I don't think this is a smoking gun. Assuming competence, they could have obtained a password dump from another site that stored cleartext passwords, then compared their own database rows with hash(salt(leaked_password)).


It's easy and could be just how other companies with great security practices (like google) can tell you when they find your password in a password dump.

Imagine you are a company with great password practices, how would you tell that a user re-used a password that was exposed in some other data breach without you being able to generally know what a user's password is? Well, of course, it's the same way that you verify their password when they login. You track (or more likely in this case, adhoc check) data breaches, when you find a matched email in the breach with one of your users, you check if the password from the breach would allow that user to login.


I think one fair criticism is they could have had intrusion detection trigger when, presumably, the same IP address was logging in to thousands of accounts. But who knows how sophisticated the attack was?

[edit]: there are other obvious heuristics that could have detected it, it does show they had either very basic or no intrusion detection, which, for a service of this nature, isn't really acceptable




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: