Comment on 23andMe tells victims it's their fault that their data was breached | TechCrunch
Hegar@kbin.social 10 months agoIt's at least 99.8% the company's fault.
Even if we blame those 14k password reusers, being able to access genetic information and names of 6.9 million people after credential stuffing 0.02% of that is the fault of the company. They structured that access and failed to act on the obvious threat it represents.
But why blame password reusers? Not every grandparent interested in their family tree is capable of even understanding data security, let alone juggling multiple passwords or a PW manager.
Credential stuffing is an inevitable part of security landscape - especially for one time use accounts like genetics sites. A multimillion dollar IT department is just clearly responsible for preventing egregious data security failures.
Chetzemoka@startrek.website 10 months ago
They didn’t get genetic raw data of anyone beyond the 14K, they got family relationship information. Which is an option you can turn on or off, if you want. It’s very clear that you’re exposing yourself to other people if you choose to see who you’re related to. It doesn’t expose raw data and it doesn’t instantly expose names, just how they’re related to you. (And most of the “relations” are 3rd to 5th cousins, aka strangers.)
Hackers used the genetic ancestry data of the 14K hacked users and their “relatives” connections to deduce large families of Ashkenazi Jews.