Comment on 23andMe tells victims it's their fault that their data was breached | TechCrunch
Hegar@kbin.social 11 months ago
Yeah, 23AndMe has some culpability here, but the lion's share is still in the users themselves
Tell me you didn't read the article without telling me.
If 14,000 users who didn't change a password on a single-use website they probably only ever logged into twice gives you 6.9 million users' personal info, that's the company's fault.
JohnEdwa@sopuli.xyz 11 months ago
You didn’t read it either. They gained access to shared information between the accounts.
Logging into someone's Facebook and seeing their friends and all the stuff they posted as "friends only" isn't a hack or a vulnerability, it's how the website works.
Hegar@kbin.social 11 months ago
Launching a feature that lets an inevitable attack access 500 other people's info for every compromised account is a glaring security failure.
Accounting for foreseeable risks to users' data is the company's responsibility and they launched a feature that made a massive breach inevitable. It's not the users' fault for opting in to a feature that obviously should never have been launched.
sudneo@lemmy.world 11 months ago
It doesn’t matter. It is a known attack and the company should have implemented measures against it.
At the very least, they should have done a threat modeling exercise and concluded that with this sharing feature, the compromise of a single account can lead to compromise of data for other users. One possible conclusion is that users who shared data should be forced to have 2FA.
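A toy version of the threat-model check described in this comment, as an added example that is not code from the thread or from 23andMe: the sharing graph, the MFA policy and the sample accounts are all constructed assumptions. It measures the blast radius of one compromised login before and after enforcing "sharers must have MFA".

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: str
    mfa_enabled: bool
    # Constructed assumption: user_ids whose shared profile fields this account can read.
    shares_with: set = field(default_factory=set)

def blast_radius(accounts, compromised):
    """Users whose shared data becomes readable when `compromised` logins fall."""
    exposed = set()
    for uid in compromised:
        exposed |= accounts[uid].shares_with
    return exposed - set(compromised)

def policy_violations(accounts):
    """Accounts that expose other users' data yet are protected by a password only."""
    return sorted(a.user_id for a in accounts.values()
                  if a.shares_with and not a.mfa_enabled)

def enforce_mfa_for_sharing(accounts):
    """Remove every non-MFA account from the sharing graph in both directions."""
    for a in accounts.values():
        if not a.mfa_enabled:
            a.shares_with.clear()
    for a in accounts.values():
        a.shares_with = {u for u in a.shares_with if accounts[u].mfa_enabled}
    return accounts

def sample_accounts():
    """Constructed sample: five opted-in users who can all read each other, one who never opted in."""
    pool = {"u1", "u2", "u3", "u4", "u5"}
    accounts = {uid: Account(uid, mfa_enabled=(uid == "u3"), shares_with=pool - {uid})
                for uid in pool}
    accounts["u6"] = Account("u6", mfa_enabled=False)
    return accounts

if __name__ == "__main__":
    acc = sample_accounts()
    print("exposed by one stolen password:", blast_radius(acc, ["u1"]))
    print("policy violations:", policy_violations(acc))
    enforce_mfa_for_sharing(acc)
    print("exposed after enforcement:", blast_radius(acc, ["u1"]))
```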