Your genome, brought to you by people who reuse their passwords.

A consumer DNA testing service let attackers walk in through 14,000 reused customer passwords, then walk out with the genetic profiles of 6.9 million people via a feature designed to help you find your cousins.

The 2023 incident at a well-known consumer genetics company was a useful illustration of the principle that breaches are almost never about your security; they’re about the security habits of every person whose credentials touch yours. Attackers had a list of reused logins from earlier breaches at unrelated services. They tried those logins on the genetics service. About 14,000 worked.

That’s not the part of the story most people remember, though. What turned a credential-stuffing attack into a 6.9-million-person disclosure was a feature called something cheerful like “DNA Relatives.” Each compromised account was opted into a graph of genetically related users. Every successful login revealed not just one user’s data but the data of every cousin, half-sibling, and great-aunt who had also opted in.
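The two mechanics above, a replayed list of reused logins and an opt-in relatives graph that turns each opened account into many exposed profiles, can be put in code. The following is an added example, not code from the original post or from the company involved: it parses a constructed authentication log, flags a source that behaves like credential stuffing (many distinct accounts, mostly failures, from one address), then measures the blast radius of the accounts that source opened through a constructed one-hop relatives graph. The log format, the thresholds and the sample graph are all assumptions.

```python
"""Credential-stuffing detection plus blast-radius estimate through an
opt-in relatives graph. Constructed example; log format, thresholds and
the sample graph are assumptions, not data from the incident above."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed auth log lines: "<timestamp> <source_ip> <account> <result>".
AUTH_LOG = """\
2023-10-01T00:00:01 198.51.100.7 alice LOGIN_OK
2023-10-01T00:00:02 198.51.100.7 bob LOGIN_FAIL
2023-10-01T00:00:02 198.51.100.7 carol LOGIN_FAIL
2023-10-01T00:00:03 198.51.100.7 dave LOGIN_OK
2023-10-01T00:00:03 198.51.100.7 erin LOGIN_FAIL
2023-10-01T00:00:04 198.51.100.7 frank LOGIN_FAIL
2023-10-01T00:00:04 198.51.100.7 grace LOGIN_FAIL
2023-10-01T00:00:05 198.51.100.7 heidi LOGIN_FAIL
2023-10-01T00:00:09 203.0.113.5 ivan LOGIN_FAIL
2023-10-01T00:00:12 203.0.113.5 ivan LOGIN_OK
2023-10-01T00:01:00 192.0.2.44 judy LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters gathered from the log."""
    accounts: set = field(default_factory=set)
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)


def parse_auth_log(text):
    """Aggregate login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, account, result = line.split()
        s = stats[ip]
        s.accounts.add(account)
        s.attempts += 1
        if result == "LOGIN_FAIL":
            s.failures += 1
        elif result == "LOGIN_OK":
            s.successes.add(account)
    return stats


def flag_stuffing_sources(stats, min_accounts=5, min_fail_ratio=0.5):
    """A source that walks through many distinct accounts with mostly
    failures looks like a replayed credential list, not a user who forgot
    a password. Returns {ip: sorted accounts it did open}. Thresholds are
    illustrative; tune them against real traffic."""
    flagged = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = sorted(s.successes)
    return flagged


# Constructed opt-in relatives graph: each account maps to the opted-in
# relatives whose profiles that account can view (one hop).
RELATIVES = {
    "alice": {"mallory", "ned", "olivia"},
    "dave": {"olivia", "peggy", "quentin", "rupert"},
    "ivan": {"sybil"},
    "judy": set(),
}


def blast_radius(compromised, graph):
    """Every account whose data is visible through the compromised
    accounts: the accounts themselves plus their opted-in relatives."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= graph.get(account, set())
    return exposed


def amplification(compromised, graph):
    """Exposed accounts per compromised account (0.0 if none compromised)."""
    if not compromised:
        return 0.0
    return len(blast_radius(compromised, graph)) / len(set(compromised))


if __name__ == "__main__":
    flagged = flag_stuffing_sources(parse_auth_log(AUTH_LOG))
    print("suspected credential-stuffing sources:", flagged)
    opened = {a for accts in flagged.values() for a in accts}
    print("accounts opened by those sources:", sorted(opened))
    print("accounts exposed via relatives:", sorted(blast_radius(opened, RELATIVES)))
    print(f"amplification: {amplification(opened, RELATIVES):.1f}x")
```

Only two of the eight accounts the stuffing source tried were opened, but eight profiles end up exposed: the relatives graph multiplies each successful login by the number of opted-in matches it can see. The detection side is deliberately simple (per-source account spread and failure ratio); the point is that the signal exists in ordinary auth logs before the relatives feature has been touched at all.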

The company spent months explaining that they hadn’t actually been breached. Technically true. Valid logins had been used. Their systems had behaved exactly as designed. The design happened to leak the genetic information of people who had never reused a password, never had a credential exposed, and never even seen the original logins go through.

It is now common knowledge that consumer-grade authentication isn’t a moat. The 2023 incident also made it common knowledge that consumer-grade features can multiply a small failure into a national-scale one. “Find your cousins” became “find everyone’s cousins” the moment one in five hundred logins was bad.

How Halo would have changed this

Sensitive data shouldn’t share an account with everyone’s old passwords.

Halo isn’t a consumer service, which is part of the point. Sensitive personal data, family records, household communications, and similar high-value content live inside an Eclipse environment that isn’t exposed to the public credential-stuffing internet. Authentication is on your terms, the audit is on your terms, and “the feature your aunt opted into” isn’t a national-scale leak vector.

Source

Krebs on Security’s coverage of the credential-stuffing attack and the relatives-feature amplification: https://krebsonsecurity.com/