Not sure of this specific case, but typical brute force attacks are done locally on the database that was acquired from the breach, not on the site itself. This way lockouts aren’t an issue.
Comment on 23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits
pineapplelover@lemm.ee 1 year ago
I’m downvoting you even though I believe the users are negligent and partially to blame here. However, does the site not lock login attempts after the first 10 login attempts or something? At this point, something as sensitive as ancestry and health information should be MFA-required; at the bare minimum, a phone-number 2FA would help a bit.
scytale@lemm.ee 1 year ago
bamboo@lemmy.blahaj.zone 1 year ago
In this case it was a credential stuffing attack against the live login form on the website based on the information released.
SnotFlickerman@lemmy.blahaj.zone 1 year ago
They had accurate credentials. They didn’t hit a login wall because people were re-using their passwords. They hit a login-wall for people who didn’t re-use their passwords. They got accurate credentials from an unrelated hack, from people re-using passwords. How many times does a system “block” you when you have the right username and password?? Zero, I’m pretty fucksure.
I am very confused about what people think computers are supposed to do when given the correct login information. The point of login information is to prove who you are. If you have the correct information, the computer cannot know who is behind the keyboard.
automattable@lemmy.world 1 year ago
I get asked to prove I’m making a legit login attempt all the time because it’s from a new IP address. 23andMe could have implemented something similar, and given the sensitive nature of the data they host and given how we all know that people can’t be trusted to have good password hygiene, I think they should have been required to do so.
IMO this whole thing is just more proof that we need better regulation around how companies treat users’ private information.
SnotFlickerman@lemmy.blahaj.zone 1 year ago
Did you miss the part where our government can’t even pass a budget, but you’re expecting them to pass laws like this?
bamboo@lemmy.blahaj.zone 1 year ago
You can’t spoof your IP address because of the TCP handshake. You could proxy your traffic to appear to come from a different IP address than that of the computers making the requests. This would still be identified as suspicious because the proxy IP address would differ from an IP address a user had logged in from before.
Even if the “hackers” knew every user’s IP address, they would not be able to establish a connection with it appearing from an IP address that didn’t really initiate the traffic.
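An added example, not from this thread or from 23andMe, of the two checks automattable and bamboo describe above: a login with the correct password from an IP never seen for that account gets a step-up challenge, and a source IP that successfully logs into many distinct accounts in one batch is flagged as a credential-stuffing source. The accounts, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed login history (account, source IP) from before the incident;
# the addresses are documentation ranges, not data from the article.
KNOWN_HISTORY = [
    ("alice", "203.0.113.10"),
    ("bob", "198.51.100.7"),
    ("carol", "192.0.2.44"),
]

# Constructed batch of *successful* logins, i.e. the password was correct.
# One unfamiliar address walks through several different accounts.
NEW_LOGINS = [
    ("alice", "203.0.113.10"),    # alice from her usual address
    ("alice", "198.51.100.250"),
    ("bob", "198.51.100.250"),
    ("carol", "198.51.100.250"),
    ("dave", "198.51.100.250"),   # dave has no history yet
]

def build_history(events):
    """Map each account to the set of source IPs it has logged in from."""
    seen = defaultdict(set)
    for account, ip in events:
        seen[account].add(ip)
    return seen

def needs_step_up(history, account, ip):
    """True when this IP was never seen for this account, i.e. when a second
    factor (e-mail or SMS code) should be demanded even though the password
    was right. Accounts with no history at all are also challenged."""
    return ip not in history.get(account, set())

def find_stuffing_sources(events, min_accounts=3):
    """Source IPs that logged into >= min_accounts distinct accounts in one
    batch. A proxied stuffing run still shows up here, because the proxy's
    address is shared across accounts that never used it before."""
    accounts_per_ip = defaultdict(set)
    for account, ip in events:
        accounts_per_ip[ip].add(account)
    return {ip for ip, accts in accounts_per_ip.items() if len(accts) >= min_accounts}

def triage(history_events, new_events):
    """Return (logins needing a step-up check, IPs flagged as stuffing sources)."""
    history = build_history(history_events)
    step_up = [(a, ip) for a, ip in new_events if needs_step_up(history, a, ip)]
    return step_up, find_stuffing_sources(new_events)

if __name__ == "__main__":
    print(triage(KNOWN_HISTORY, NEW_LOGINS))
```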