There are some pretty basic things you can do to stop brute force attacks like putting a limit on failed login attempts which 23andme did not have. The issue is that those accounts almost certainly had multiple failed login attempts from places that should have flagged the login.
You ask what a security system is supposed to do when provided with the correct login. That is just the beginning of basic security. If someone consistently logs in from an IP address in one region and then all of a sudden has a couple failed logins from Russia and also one successful one from there, would you say a good security system shouldn’t flag that? If a bank allowed your debit card to be used in a country you have never been to before when you seem to have just used it where you normally do, would you be fine with them not freezing your card?
As for MFA, last I checked, they still did not require it. It was recommended but not required.
And let’s not forget that they changed the terms of service so you could not sue over shit like this in the future. You had 60 days to reject the new terms of service which you did by sending an email. The email address in the emailed instructions was different than the one in the legal document that was attached.
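As an added example that is not part of this thread, the following toy detector implements the two controls the post describes: a limit on failed attempts per account and a flag for a successful login from a region the account has never used, especially one that follows failed attempts from that same region. The thresholds and the sample events are assumptions constructed for illustration.

```python
# Added example (not from the thread): a toy detector for the two controls the
# post describes, run over constructed login events. Thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                          # lock out after this many failures...
FAILURE_WINDOW = timedelta(minutes=15)    # ...inside this sliding window
HISTORY_NEEDED = 3                        # successes before a region is "usual"

def analyze(events):
    """events: iterable of (timestamp, account, region, 'ok'|'fail').
    Returns {account: [alert, ...]} for accounts that tripped a control."""
    alerts = defaultdict(list)
    recent_fail = defaultdict(deque)                 # account -> fail timestamps
    usual = defaultdict(lambda: defaultdict(int))    # account -> region -> successes
    failed_from = defaultdict(set)                   # account -> regions that failed
    for ts, account, region, outcome in sorted(events):
        if outcome == "fail":
            q = recent_fail[account]
            q.append(ts)
            while ts - q[0] > FAILURE_WINDOW:        # drop failures outside the window
                q.popleft()
            failed_from[account].add(region)
            if len(q) == MAX_FAILURES:               # alert once, at the threshold
                alerts[account].append(f"lockout: {len(q)} failures in {FAILURE_WINDOW}")
            continue
        known = usual[account]
        # A success from a region this account has not established as usual is
        # suspicious; far more so when failed attempts came from that same region.
        established = any(n >= HISTORY_NEEDED for n in known.values())
        if established and known[region] < HISTORY_NEEDED:
            why = "unusual region " + region
            if region in failed_from[account]:
                why += " after failed attempts from it"
            alerts[account].append(why)
        known[region] += 1
    return dict(alerts)

T = datetime(2023, 10, 1, 12, 0)
# Constructed sample: alice's usual region is US-East; bob is being brute-forced;
# carol only ever logs in from her usual region.
SAMPLE_EVENTS = (
    [(T + timedelta(days=d), "alice", "US-East", "ok") for d in range(4)]
    + [(T + timedelta(days=5, minutes=m), "alice", "RU", "fail") for m in (0, 1)]
    + [(T + timedelta(days=5, minutes=2), "alice", "RU", "ok")]
    + [(T + timedelta(seconds=s), "bob", "US-West", "fail") for s in range(6)]
    + [(T + timedelta(days=d), "carol", "EU-West", "ok") for d in range(5)]
)

if __name__ == "__main__":
    for account, found in analyze(SAMPLE_EVENTS).items():
        print(account, found)
```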
bamboo@lemmy.blahaj.zone 10 months ago
The real issue was the DNA Relatives feature, which allowed information to be shared with other users in the platform. From this TechCrunch article
There are 6.9 million people who could have been using 2FA and unique passwords, and their personal information was scraped just because of 14k accounts which were reusing passwords.
eager_eagle@lemmy.world 10 months ago
This data of 6.9M users was not private anyways, it’s really not a leak.
bamboo@lemmy.blahaj.zone 10 months ago
Agreed, although name and nationality isn’t really private information to begin with. Just based on the numbers, it seems like it was sharing the information too broadly, probably to 4th cousins twice removed. When users opted in to this feature, the intent was for distant relatives to be able to connect, not to show up on a list of Eastern European Jews to be shared on 4chan.
surewhynotlem@lemmy.world 10 months ago
If I give my credit card to my sister, and she drops it, that’s not MasterCard’s fault. If they were very concerned, they should’ve made sure their relatives were trustworthy.
SnotFlickerman@lemmy.blahaj.zone 10 months ago
A better example might be the keys to your house and a note out on the counter with a label that says “surewhynotlem’s house key.”
An intruder finds the key, and now has information on where the key can be used. When your house is robbed, it’s the locksmith who is to blame.
key@lemmy.keychat.org 10 months ago
I’d say it’s more like you gave your mom your SSN (or similar private information) because she said she needed it for her will or something. When you gave it to her she mumbled she’d share it with your sister too. You weren’t really paying attention and just went “yuh huh” when you probably should have told her not to. Your sister uses one key for everything and a burglar got a copy of that key from an earlier burglary. The burglar eventually used the key to rob her and took your SSN, which he’s now selling to identity thieves.
Mom=23andme
Sister=relative
“yuh huh”=not reading the fine print and disabling “DNA Relatives” sharing feature
SnotFlickerman@lemmy.blahaj.zone 10 months ago
DNA Relatives was an opt-in program, so you had to choose to share your data. To their knowledge, they were data-sharing with their relatives.
Once again, what is a system supposed to do when given the correct login credentials?