Is it also the User’s fault for the 6898600 that didn’t reuse a password and were still breached?
Comment on 23andMe tells victims it's their fault that their data was breached | TechCrunch
TheEighthDoctor@lemmy.world 8 months ago
And I agree with them, I mean 23andMe should have a brute-force resistant login implementation and 2FA, but you know that when you create an account.
If you are reusing creds you should expect to be compromised pretty easily.
rockSlayer@lemmy.world 8 months ago
pearsaltchocolatebar@discuss.online 8 months ago
Yes, because you have to choose to share that data with other people. 23andMe isn’t responsible if grandma uses the same password for every site.
rockSlayer@lemmy.world 8 months ago
23andMe is responsible for sandboxing that data, however. Which they obviously didn’t do.
stepanzak@iusearchlinux.fyi 8 months ago
User opted-in to share those data
pearsaltchocolatebar@discuss.online 8 months ago
Did you not read my comment? Users opt in to sharing data with other accounts, which means if one account is compromised, then every account that allowed them access would have their data compromised too. That’s not on the company, because they feature can’t work without allowing access.
dpkonofa@lemmy.world 8 months ago
They weren’t breached. The data they willingly shared with the compromised accounts was available to the people that compromised them.
SpaceNoodle@lemmy.world 8 months ago
Pretty sure nobody clicked a button that said “share my data with compromised accounts.”
dpkonofa@lemmy.world 8 months ago
There was a button that said “share my data with this account”. If that person went and shared that info publicly, how is that any different? The accounts accessed with accessed with valid credentials through the normal login process. They weren’t “breached” or “hacked”.
Max_P@lemmy.max-p.me 8 months ago
A successful breach of a family member’s account due to their bad security shouldn’t result in the breach of my account. That’s the problem.
argo_yamato@lemm.ee 8 months ago
Yep it was 14,000 that were hacked, the other 6.9 million were from that DNA relative functionality they have. Unfortunately 23andMe’s response is what to expect since companies will never put their customers safety ahead of their profits.
givesomefucks@lemmy.world 8 months ago
I mean…
You volunteered to share your info with that person.
And that person reused a email/password that was compromised.
How can 23andme prevent that?
It sucks, but it’s the fault of your relative that you entrusted with access to your information.
No different than if you handed them a hardcopy and they left it on the table of McDonald’s
dpkonofa@lemmy.world 8 months ago
I doesn’t. Sharing that info was opt-in only. In this scenario, no 23andMe accounts were breached. The users reused their credentials from other sites. It would be like you sharing your bank account access with a family member’s account and their account getting accessed because their banking password was “Password1” or their PIN was “1234”.
douglasg14b@lemmy.world 8 months ago
So if you enabled a setting that is opt-in only that allows sharing data between accounts and you are surprised that data was shared between accounts how is that not your fault?
TORFdot0@lemmy.world 8 months ago
You shouldn’t have shared your information with someone who is untrustworthy then. Data sharing is opt-in.
Hegar@kbin.social 8 months ago
Credential stuffing attacks will always yield results on a single use website because no one changes passwords on a site they don't use anymore.
Launching a feature that enables an inevitable attack to access 500 other people's info is very clearly the fault of the company who launched the feature.
eager_eagle@lemmy.world 8 months ago
afaik there was no breach of private data, only the kind of data shared to find relatives, which is opt-in and obviously not private to anyone who has seen how this service works. In other words, the only data “leaked” was the kind of data that was already shared with other 23andMe users.
Hegar@kbin.social 8 months ago
Name, sex and ancestry were sold on the dark web, that's a breach of private data.
The feature that lets a hacker see 500 other people's personal information when they hack an account is obviously a massive security risk. Especially if you run a single use service - no one updates their password on a site they don't use anymore.
Launching the feature in the first place made this inevitable.
eager_eagle@lemmy.world 8 months ago
it would be a breach if the data was private, but the feature itself exposes this data.
capital@lemmy.world 8 months ago
How do you and the surprising number of people who upvoted you want options on websites to work?
These people opted into information sharing.
When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?
Wtf?
AbouBenAdhem@lemmy.world 8 months ago
Even if you didn’t use a compromised password yourself, the fact that your relatives did indicates that you’re genetically predisposed to bad security practices. /s
jimbo@lemmy.world 8 months ago
How the hell would they prevent that if you voluntarily shared a bunch of information with the breach account? This is like being mad that your buddy’s Facebook account got breached and someone downloaded shared posts from your profile, too. It’s how the fucking service works.