Comment on 23andMe tells victims it's their fault that their data was breached | TechCrunch
capital@lemmy.world 11 months ago
The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers
Turns out, it is.
What should a website do when you present it with correct credentials?
So… we are ignoring the 6+ million users who had nothing to do with the 14 thousand users, because convenience?
Not to mention, the use of “brute force” there insinuates that the site should have had password requirements in place.
Please excuse the rehash from another of my comments:
How do you people want options on websites to work?
These people opted into information sharing.
When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?
I admit, I’ve not used the site so I don’t know the answers to the questions I would need, in order to properly respond:
From the sounds of it, I doubt enough was done by the company to ensure people were aware of the risks. Because so many people were shocked by what was able to be skimmed.
I’m convinced that everyone pissed at the company for users reusing passwords has a reading comprehension problem because I definitely already answered your first question in the comment you responded to.
I haven’t used the service either - I don’t want more of my data out there. So I can’t answer the other questions.
Users were probably not thinking about the implications of a breach after sharing but it stands to reason that if you share data with an account, and that account gets compromised, your data is compromised.
We’ve all been through several of those from actual hacks at other companies (looking at you, T-Mobile). I refuse to believe people aren’t aware of this general issue by now.
It was credential stuffing. Basically these people were hacked in other services. Those services probably told them “Hey, you need to change your password because our database was hacked” and then they were like “meh, I’ll keep using this password and won’t update my other services that this password and personally identifiable information about myself and my relatives”
What should it do? It should ask you to confirm the login with a configured 2FA
Yeah they offered that. I don’t think anyone with it turned on was compromised.
This shouldn’t be “offered” IMHO, this should be mandatory. Yes, people are very ignorant about cyber security (I’ve studied in this field, trust me, I know). But the answer isn’t to put the responsibility on the user! It is to design products and services which are secure by design.
If someone is actually able to crack accounts via brute-forcing common passwords, you did not design a secure service/product.
I’ve noticed that many users in this thread are just angry that the average person doesn’t take cybersecurity seriously. Blaming the user for using a weak password. I really don’t understand how out of touch these Lemmy users are. The average person is not thinking of cybersecurity. They just want to be able to log into their account and want a password to remember. Most people out there are not techies, don’t really use a computer outside of office work, and even more people only use a smartphone. It’s on the company to protect user data because the company knows its value and will suffer from a breach.
Fuck mandatory 2FA. Most sites just throw SMS on there and leave it at that. I’m so tired of putting yet more of my information into services that don’t require it.
If TOTP was more prevalent (getting there) I might agree but then we’d be talking about how the typical user doesn’t know how to set that up.
2FA should be forced, it’s not a hard thing to do.
Too bad biometric data couldn’t be used…
by brute-forcing accounts with passwords that were known
That’s not what “brute force” means.
Agreed.
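The credential stuffing described a few comments up (one valid, reused password per account, harvested from other breaches) and the point just made that this is not brute force can be made concrete on the defender's side. The following is an added example, not code from the thread or from 23andMe: it classifies per-source login activity in a constructed authentication log, and reports which accounts a stuffing source got into so they can be forced through a password reset or step-up authentication. The log format, the IP addresses, the account names and all thresholds are assumptions made for this example.

```python
"""Added example (not from the thread or from 23andMe): telling credential
stuffing apart from brute force in a constructed authentication log.
Log format, addresses, account names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    src: str
    account: str
    ok: bool


# Constructed sample log: "<timestamp> <source ip> <account> <success|failure>".
# 203.0.113.7 walks a list of accounts once each and mostly succeeds,
# because the passwords came from other sites' breaches (stuffing).
# 198.51.100.9 hammers a single account with guesses (brute force).
# 192.0.2.44 is an ordinary user who mistyped once.
_STUFFING = [
    f"2023-10-01T10:00:{i:02d}Z 203.0.113.7 {name} {result}"
    for i, (name, result) in enumerate([
        ("alice", "success"), ("bob", "success"), ("carol", "failure"),
        ("dave", "success"), ("erin", "success"), ("frank", "success"),
        ("grace", "failure"), ("heidi", "success"),
    ])
]
_BRUTE = [f"2023-10-01T10:01:{i:02d}Z 198.51.100.9 victor failure" for i in range(11)]
_BRUTE.append("2023-10-01T10:01:30Z 198.51.100.9 victor success")
_NORMAL = [
    "2023-10-01T10:02:00Z 192.0.2.44 ivan failure",
    "2023-10-01T10:02:05Z 192.0.2.44 ivan success",
]
SAMPLE_LOG = "\n".join(_STUFFING + _BRUTE + _NORMAL) + "\n"


def parse_log(text):
    """Parse the constructed whitespace-separated log format into Events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, account, result = line.split()
        events.append(Event(ts, src, account, result == "success"))
    return events


def classify_sources(events, min_accounts=5, min_attempts=10,
                     max_attempts_per_account=2.0,
                     stuffing_success_ratio=0.25, brute_failure_ratio=0.8):
    """Label each source IP as credential_stuffing, brute_force or normal.

    Per-account lockout (the classic brute-force defence) never fires on
    stuffing, because each account sees about one attempt, so the key
    here is the source: many distinct accounts, roughly one try each, and
    an unusually high success rate.  Brute force is the mirror image:
    many attempts, few accounts, almost all failures.
    """
    per_src = defaultdict(list)
    for e in events:
        per_src[e.src].append(e)
    verdicts = {}
    for src, evs in per_src.items():
        attempts = len(evs)
        accounts = {e.account for e in evs}
        successes = sum(e.ok for e in evs)
        failures = attempts - successes
        if (len(accounts) >= min_accounts
                and attempts / len(accounts) <= max_attempts_per_account
                and successes / attempts >= stuffing_success_ratio):
            label = "credential_stuffing"
        elif (attempts >= min_attempts and len(accounts) < min_accounts
              and failures / attempts >= brute_failure_ratio):
            label = "brute_force"
        else:
            label = "normal"
        verdicts[src] = {"label": label, "attempts": attempts,
                         "accounts": len(accounts), "successes": successes}
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that a stuffing source logged into: force a reset / step-up."""
    return {e.account for e in events
            if e.ok and verdicts[e.src]["label"] == "credential_stuffing"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    v = classify_sources(evs)
    for src, info in v.items():
        print(src, info)
    print("reset:", sorted(accounts_to_reset(evs, v)))
```

The thresholds are deliberately simple; a production detector would also key on device fingerprint, ASN and login velocity rather than the source IP alone. The point the example makes is the one in the thread: a stuffing source looks like a hundred legitimate logins unless you look across accounts, and a second factor is what stops a correct password from being sufficient.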
Hegar@kbin.social 11 months ago
Not then give you access to names and genetics of half their customers?
Credential stuffing 1 grandpa who doesn't understand data security shouldn't give me access to names and genetics of 500 other people.
That's a shocking lack of security for some of the most sensitive personal data that exists.
capital@lemmy.world 11 months ago
You either didn’t read or just really need this to be the company’s fault.
Those initial breaches led to more info being leaked because users chose to share data with those breached users before their accounts were compromised.
When you change a setting on a website do you want to have to keep setting it back to what you want or do you want it to stay the first time you set it?
jimbo@lemmy.world 11 months ago
That’s a feature of the service that you opt into when you’re setting up your account. You’re not required to share anything with anyone, but a lot of people choose to. I actually was able to connect with a half-sibling that I knew I had, but didn’t know how to contact, via that system.
psud@lemmy.world 11 months ago
jimbo@lemmy.world 11 months ago
Nobody “needs” it, lol. People do it because it’s interesting to them.
Why does Facebook need to show you other people’s profiles? Why does Lemmy show me your profile and posts? It’s how the services work, and people choose to use them because they work that way.
Hegar@kbin.social 11 months ago
Hi! If you've used it, there's something I was curious about - how many people's names did it show you?
If 50%+ of the 14000 had the feature enabled, it was showing an average of 500-1000 "relatives". Was that what you saw? What degree of relatedness did they have?
I don't think that opting in changes a company's responsibility to not launch a massive, inevitable data security risk, but tbh I'm less interested in discussing who's to blame than I am in hearing more about your experience using the feature. Thanks in advance!
jimbo@lemmy.world 11 months ago
This list shows 1500 people for me. I assume that’s just some arbitrary limit to the number of results. There’s significant overlap in the relationship lists, so the number of relatives is less than the (14000 × 0.5 × 1500) that that math might indicate.