this post was submitted on 03 Jan 2024

0 points (NaN% liked)

Technology

58937 readers

3427 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)

submitted 9 months ago by Eezyville@sh.itjust.works to c/technology@lemmy.world

12 comments fedilink hide all child comments

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

top 12 comments

sorted by: hot top controversial new old

[–] dpkonofa@lemmy.world 0 points 9 months ago (1 children)

I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

23andMe was not hacked or breached.
Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
The attacker took the database dump to the dark web and attempted to sell the leaked info.
Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
All compromised accounts did not have MFA enabled.
Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
No data that wasn't opted into was shared.
23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.

[–] Kittenstix@lemmy.world 0 points 9 months ago (1 children)

I think most internet users are straight up smooth brained, i have to pull my wife's hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she's just lucky she didn't have the cc attached to it.

And she makes 3 times as much as I do, there is no helping people.

[–] SnotFlickerman@lemmy.blahaj.zone 0 points 9 months ago* (last edited 9 months ago) (1 children)

These people remind me of my old roommate who "just wanted to live in a neighborhood where you don't have to lock your doors."

We lived kind of in the fucking woods outside of town, and some of our nearest neighbors had a fucking meth lab on their property.

I literally told him you can't fucking will that want into reality, man.

You can't just choose to leave your doors unlocked hoping that this will turn out to be that neighborhood.

I eventually moved the fuck out because I can't deal with that kind of hippie dippie bullshit. Life isn't fucking The Secret.

[–] ripcord@lemmy.world 0 points 9 months ago (1 children)

That's a lot of fucking

[–] aksdb@feddit.de 0 points 9 months ago

I would definitely want my door locked for that.

[–] capital@lemmy.world 0 points 9 months ago (1 children)

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

Turns out, it is.

What should a website do when you present it with correct credentials?

[–] ADTJ@feddit.uk 0 points 9 months ago (1 children)

What should it do? It should ask you to confirm the login with a configured 2FA

[–] capital@lemmy.world 0 points 9 months ago (1 children)

Yeah they offered that. I don’t think anyone with it turned on was compromised.

[–] rainerloeten@lemmy.world 0 points 9 months ago* (last edited 9 months ago) (1 children)

This shouldn't be "offered" IMHO, this should be mandatory. Yes, people are very ignorant about cyber security (I've studied in this field, trust me, I know). But the answer isn't to put the responsibility on the user! It is to design products and services which are secure by design.

If someone is actually able to crack accounts via brute-forcing common passwords, you did not design a secure service/product.

[Edit: spelling]

[–] Eezyville@sh.itjust.works 0 points 9 months ago (1 children)

I've noticed that many users in this thread are just angry that the average person doesn't take cybersecurity seriously. Blaming the user for using a weak password. I really don't understand how out of touch these Lemmy users are. The average person is not thinking of cybersecurity. They just want to be able to log into their account and want a password to remember. Most people out there are not techies, don't really use a computer outside of office work, and even more people only use a smartphone. Its on the company to protect user data because the company knows its value and will suffer from a breach.

[–] WallEx@feddit.de 0 points 9 months ago

Yeah, even more important to make 2fa mandatory because of this.

[–] MaxPower@feddit.de 0 points 9 months ago

One more reason not to give them my DNA data. I already had like a hundred.