Comment

Comment on 23andMe tells victims it's their fault that their data was breached | TechCrunch

I’m seeing so much FUD and misinformation being spread about this that I wonder what’s the motivation behind the stories reporting this. These are as close to the facts as I can state from what I’ve read about the situation:

23andMe was not hacked or breached.
Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
The attacker took the database dump to the dark web and attempted to sell the leaked info.
Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
All compromised accounts did not have MFA enabled.
Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
No data that wasn’t opted into was shared.
23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don’t see how it’s their fault that users reused their passwords from other sites and didn’t turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn’t suddenly make them culpable for users’ poor security practices.

source

Sort:hotnew top

Kittenstix@lemmy.world ⁨5⁩ ⁨months⁩ ago
I think most internet users are straight up smooth brained, i have to pull my wife’s hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she’s just lucky she didn’t have the cc attached to it.

And she makes 3 times as much as I do, there is no helping people.

source
- SnotFlickerman@lemmy.blahaj.zone ⁨5⁩ ⁨months⁩ ago
  These people remind me of my old roommate who “just wanted to live in a neighborhood where you don’t have to lock your doors.”
  
  We lived kind of in the fucking woods outside of town, and some of our nearest neighbors had a fucking meth lab on their property.
  
  I literally told him you can’t fucking will that want into reality, man.
  
  You can’t just choose to leave your doors unlocked hoping that this will turn out to be that neighborhood.
  
  I eventually moved the fuck out because I can’t deal with that kind of hippie dippie bullshit. Life isn’t The Secret.
  
  source
  - c0mbatbag3l@lemmy.world ⁨5⁩ ⁨months⁩ ago
    I have friends that occasionally bitch about the way things are but refuse to engage with whatever systems are set up to help solve whatever given problem they have. “it shouldn’t be like that! It should work like X”
    
    Well, it doesn’t. We can try to change things for the better but refusal to engage with the current system isn’t an excuse for why your life is shit.
    
    source
    SnotFlickerman@lemmy.blahaj.zone ⁨5⁩ ⁨months⁩ ago
    The bootlickers really come out of the woodwork here to suck on corporate boot.
    
    source
    -> View More Comments
  - ripcord@lemmy.world ⁨5⁩ ⁨months⁩ ago
    That’s a lot of fucking
    
    source
    aksdb@feddit.de ⁨5⁩ ⁨months⁩ ago
    I would definitely want my door locked for that.
    
    source
- Ibex0@lemmy.world ⁨5⁩ ⁨months⁩ ago
  Lately I try to get people to use Chrome’s built-it password manager. It’s simple and it works across platforms.
  
  source
  - Chobbes@lemmy.world ⁨5⁩ ⁨months⁩ ago
    I get that people aren’t a fan of Google, and I’m not either, but this is a reasonable option that would be better than what the vast majority of people are doing now…
    
    source
    Ibex0@lemmy.world ⁨5⁩ ⁨months⁩ ago
    That’s what I’m getting at. It’s an upgrade for most users and certainly novices. I thought I was being cleaver with a password manager and they got hacked twice (you know who).
    
    source
  - SnotFlickerman@lemmy.blahaj.zone ⁨5⁩ ⁨months⁩ ago
    Bitwarden is simple, works across platforms, is open source, and isn’t trusting your data to a company who *checks notes entire business model is based on sucking up as much data as possible to use for ad-targeting.
    
    I’ll trust the company whose business model isn’t built on data-harvesting, thanks.
    
    source
    psud@lemmy.world ⁨5⁩ ⁨months⁩ ago
    You and I can choose our tools as the best for our use case and for the good of the internet in general, but our non-tech friends can’t.
    
    I convinced a friend to use KeePass, but he wouldn’t spend the time to learn it. I now tell him and others like him to just use Chrome’s suggested password.
    
    source
- kautau@lemmy.world ⁨5⁩ ⁨months⁩ ago
  
  ~~internet users~~
  
  people
  
  source
MimicJar@lemmy.world ⁨5⁩ ⁨months⁩ ago
I agree, by all accounts 23andMe didn’t do anything wrong, however could they have done more?

For example the 14,000 compromised accounts.

Did they all login from the same location?

Did they all login around the same time?

Did they exhibit strange login behavior like always logged in from California, suddenly logged in from Europe?

Did these accounts, after logging in, perform actions that seemed automated?

Did these accounts access more data than the average user?

In hindsight some of these questions might be easier to answer. It’s possible a company with even better security could have detected and shutdown these compromised accounts before they collected the data of millions of accounts. It’s also possible they did everything right.

A full investigation makes sense.
source
- dpkonofa@lemmy.world ⁨5⁩ ⁨months⁩ ago
  I already said they could have done more. They could have forced MFA.
  
  All the other bullet points were already addressed: they used a botnet that, combined with the “last login location” allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.
  
  A full investigation makes sense but the OP is about 23andMe’s statement that the crux is users reusing passwords and not enabling MFA and they’re right about that. They could have done more but, even then, there’s no guarantee that someone with the right username/password combo could be detected.
  
  source
  - EssentialCoffee@midwest.social ⁨5⁩ ⁨months⁩ ago
    I’m not sure how much MFA would have mattered in this case.
    
    23andme login is an email address. Most MFAs seem to use email as an option these days. If they’re already reusing passwords, the bad actor already has a password to use for their emails that’s likely going to work for the accounts that were affected. Would it have brought it down? Sure, but doesn’t seem like it would’ve been the silver bullet that everyone thinks it is.
    
    source
    dpkonofa@lemmy.world ⁨5⁩ ⁨months⁩ ago
    It’s a big enough detractor to make it cumbersome. It’s not that easy to automate pulling an MFA code from an email when there are different providers involved and all that. The people that pulled this off pulled it off via a botnet and I would be very surprised if that botnet was able to recognize an MFA login and also login, get the code, enter it, and then proceed. It seems like more effort than it’s worth at that point.
    
    source
- Monument@lemmy.sdf.org ⁨5⁩ ⁨months⁩ ago
  Those are my questions, too. It boggles my mind that so many accounts didn’t seem to raise a red flag. Did 23&Me have any sort of suspicious behavior detection?
  
  And how did those breached accounts access that much data without it being observed as an obvious pattern?
  
  source
  - douglasg14b@lemmy.world ⁨5⁩ ⁨months⁩ ago
    If the accounts were logged into from geographically similar locations at normal volumes then it wouldn’t look too out of the ordinary.
    
    The part that would probably look suspicious would be the increase in traffic from data exfiltration. However, that would probably be a low priority alert for most engineering orgs.
    
    source
    sudneo@lemmy.world ⁨5⁩ ⁨months⁩ ago
    
    If the accounts were logged into from geographically similar locations at normal volumes then it wouldn’t look too out of the ordinary.
    
    I mean, device fingerprinting is used for this purpose. Then there is the geographic pattern, the IP reputation etc. Any difference -> ask MFA.
    
    It’s so difficult that most companies tend to just defer to large players like Google and Microsoft to do this for them.
    
    Cloudflare, Imperva, Akamai I believe all offer these services. These are some of the players who can help against this type of attack, plus of course in-house tools. If you decide to collect sensitive data, you should also provide appropriate security. If you don’t want to pay for services, force MFA at every login.
    
    source
sudneo@lemmy.world ⁨5⁩ ⁨months⁩ ago
Credential stuffing is an attack which is well known and that organizations like 23andme definitely should have in their threat model. There are mitigations, such as preventing compromised credentials to be used at registration, protecting from bots (as imperfect as it is), enforcing MFA etc.

This is their breach indeed.

source
- dpkonofa@lemmy.world ⁨5⁩ ⁨months⁩ ago
  They did. They had MFA available and these users chose not to enable it. Every 23andMe account is prompted to set up MFA when they start. If people chose not to enable it and then someone gets access to their username and password, that is not 23andMe’s fault.
  
  source
  - sudneo@lemmy.world ⁨5⁩ ⁨months⁩ ago
    The fact that they did not enforce 2fa on everyone (mandatory, not just having the feature enabled) is their responsibility. You are handling super sensitive data, credential stuffing is an attack with a super low level of complexity and high likelihood.
    
    Similarly, they probably did not enforce complexity requirements on passwords (making an educated guess vere), or at least not sufficiently, which is also their fault.
    
    Regarding the last bit, it might noto have helped against this specific breach, but we don’t know that. There are companies who offer threat intelligence services and buy data breached specifically to offer this service.
    
    Anyway, in general the point I want to make is simple: if your only defense you have against a known attack like this is a user who chooses a strong and unique password, you don’t have sufficient controls.
    
    source
    dpkonofa@lemmy.world ⁨5⁩ ⁨months⁩ ago
    I guess we just have different ideas of responsibility. It was 23andMe’s responsibility to offer MFA, and they did. It was the user’s responsibility to choose secure passwords and enable MFA and they didn’t.
    
    source
    -> View More Comments
  - lightnsfw@reddthat.com ⁨5⁩ ⁨months⁩ ago
    There are services that check provided credentials against a dictionary of compromised ones and reject them. Off the top of my head Microsoft Azure does this and so does Nextcloud.
    
    source
    dpkonofa@lemmy.world ⁨5⁩ ⁨months⁩ ago
    This assumes that the compromised credentials were made public prior to the exfiltration. In this case, it wasn’t as the data was being sold privately on the dark web. HIBP, Azure, and Nextcloud would have done nothing to prevent this.
    
    source
    -> View More Comments
- serial_crusher@lemmy.basedcount.com ⁨5⁩ ⁨months⁩ ago
  Is there a standards body web developers should rely on, which suggests requiring MFA for every account? OWASP, for example, only recommends requiring it for administrative users, but for giving regular users the option without requiring it.
  
  There’s some positives to requiring MFA for all users, but like any decision there’s trade offs. How can we throw 23andme under the bus when they were compliant with industry best practices?
  
  source
  - sudneo@lemmy.world ⁨5⁩ ⁨months⁩ ago
    I don’t think it’s possible to make a blanket statement in this sense. For example, Lemmy doesn’t handle as sensitive data as 23andMe. In this case, it might be totally acceptable to have the feature, but not requiring it. Banks (at least in Europe) never let you login with just username and password. The definitely comply with different standards and in general, it is well understood that the sensitivity of the data (and actions) needs to be reflected into more severe controls against attacks which are relevant.
    
    For a company with so sensitive data (such as 23andMe), their security model should have definitely included credential stuffing attacks, and therefore they should have implemented the measures that are recommended against this attack. Quoting from OWASP:
    
    Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including credential stuffing and password spraying, with analysis by Microsoft suggesting that it would have stopped 99.9% of account compromises. As such, it should be implemented wherever possible; however, depending on the audience of the application, it may not be practical or feasible to enforce the use of MFA.
    
    In other words, unless 23andMe had specific reasons not to implement such control, they should have. If they simply chose to do so (because security is an afterthought, because that would have meant losing a few customers, etc.), it’s their fault for not building a security posture appropriate for the risk they are subject to, and therefore they are responsible for it.
    
    Obviously not every service should be worried about credential stuffing, therefore OWASP can’t say “every account needs to have MFA”. It is the responsibility of each organization (and their security department) to do the job of identifying the threats they are exposed to.
    
    source
helenslunch@feddit.nl ⁨5⁩ ⁨months⁩ ago
I actually saw someone on FB complaining that they were being forced to enable 2FA on FB.

source
- OfficerBribe@lemm.ee ⁨5⁩ ⁨months⁩ ago
  Common thing, a lot of people despise MFA. I somewhat recently talked with 1 person who works in IT (programmer) that has not set up MFA for their personal mail account.
  
  source
  - helenslunch@feddit.nl ⁨5⁩ ⁨months⁩ ago
    How awful it is to have a secure account
    
    source
ChrisLicht@lemm.ee ⁨5⁩ ⁨months⁩ ago
Would bet that you’re a crypto fan.

source
- dpkonofa@lemmy.world ⁨5⁩ ⁨months⁩ ago
  How much we talking? I’ll take that bet.
  
  source
- dream_weasel@sh.itjust.works ⁨5⁩ ⁨months⁩ ago
  Would bet your password includes “password” or something anyone could guess in 10 minutes after viewing your Facebook account.
  
  source
- girlfiend@lemmynsfw.com ⁨5⁩ ⁨months⁩ ago
  Why?
  
  source
NoIWontPickaName@kbin.social ⁨5⁩ ⁨months⁩ ago
Step 4 is where 23andme got hacked

source
- capital@lemmy.world ⁨5⁩ ⁨months⁩ ago
  By your logic I hack into every site I use by … checks notes presenting the correct username and password.
  
  source
  - NoIWontPickaName@kbin.social ⁨5⁩ ⁨months⁩ ago
    It’s called social hacking,
    
    source
Yearly1845@reddthat.com ⁨5⁩ ⁨months⁩ ago
No excuse for not making MFA mandatory. The tech has been out for a decade. Greed and laziness is the only reason we don’t all have Fido keys OR AT LEAST TOTP on every website.

source
- dpkonofa@lemmy.world ⁨5⁩ ⁨months⁩ ago
  Laziness alone is a pretty big reason. MFA was available and users were prompted to set it up. The fact that they didn’t should tell you something.
  
  source
  - Yearly1845@reddthat.com ⁨5⁩ ⁨months⁩ ago
    
    mandatory
    
    source