this post was submitted on 03 Jan 2024
826 points (94.0% liked)

Technology

59452 readers
3830 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments
[–] douglasg14b 43 points 10 months ago (7 children)

OP spreading disinformation.

Users used bad passwords. Their accounts where accessed using their legitimate, bad, passwords.

Users cry about the consequences of their bad passwords.

Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves

[–] [email protected] 19 points 10 months ago (1 children)

From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million million victims because they had opted-in to 23andMe’s DNA Relatives feature.

How exactly are these 6.9M users at fault? They opted in to a feature of the platform that had nothing to do with their passwords.

On top of that, the company should have enforced strong passwords and forced 2FA for all accounts. What they're doing is victim blaming.

[–] Falcon 5 points 10 months ago* (last edited 10 months ago) (2 children)

users knowingly opted into a feature that had a clear privacy risk.

Strong passwords often aren't at issue, password re-use is. If un-{salted, hashed} passwords were compromised in a previous breach, then it doesn’t matter how strong those passwords are.

Every user who was compromised:

  1. Put their DNA profile online
  2. Opted to share their information in some way

A further subset of users failed to use a unique and strong password.

A 2FA token (think Matrix) might have helped here, other than that, individuals need to take a greater responsibility for personal privacy. This isn’t an essential service like water, banking, electricity etc. This is a place to upload your DNA profile…

[–] sudneo 0 points 10 months ago

As I said elsewhere, the company implemented this feature and apparently did not do absolutely jack about the increased risk of account compromise deriving from it. If I would sit in a meeting discussing this feature I would immediately say that accounts which share data with others are way too sensitive and at least these should have 2fa enforced. If you don't want it, you don't share data. Probably the company does not have a good security culture and this was not done.

[–] [email protected] -3 points 10 months ago* (last edited 10 months ago)

users knowingly opted into a feature that had a clear privacy risk.

Your aunt who still insists she's part Cherokee is not as capable of understanding data security risks as the IT department of the multi-million dollar that offered the ludicrously stupid feature in the first place.

People use these sites once right? Who's changing their password on a site they don't log into anymore? Given that credential stuffing was inevitable and foreseeable, the feature is obviously a massive risk that shouldn't have been launched.

[–] AdamEatsAss 18 points 10 months ago* (last edited 10 months ago)

Are you telling me a password of 23AndMe! Is bad? It meets all the requirements.

[–] CosmicCleric 6 points 10 months ago (1 children)

Users used bad passwords. Their accounts where accessed using their legitimate, bad, passwords.

Just as an anecdotal counterpoint, I am a 23andMe customer who did receive notification of my account was accessed and personal information obtained.

This was my password at the time: 7Kk5bXjIdfB25

That password was auto-generated for me by the BitWarden app.

So for what it's worth I don't think my password was a 'bad' password.

[–] [email protected] 6 points 10 months ago

Your direct account was accessed or some of your information was access through a compromised account? those are big differences and from what I've read only the latter should have been possible. and in my opinion, not such a big deal.

[–] [email protected] 5 points 10 months ago (1 children)

How am I spreading disinformation? I just contributed an article I found interesting for discussion.

[–] Falcon 6 points 10 months ago (1 children)

It’s worth noting that OP simply used the article title.

The article title is a little biased, individuals must take greater personal responsibility.

[–] [email protected] 1 points 10 months ago (1 children)

I don't know title etiquette in this forum. I used the author's title because it is their article, not mine, and thus their opinion/research/AI output.

[–] Falcon 2 points 10 months ago

Oh no, I was just pointing it out for others. I think using the title post is perfectly reasonable.

Thank you for posting, I found it interesting.

[–] rainerloeten 2 points 10 months ago

The lions share IMHO is at 23&me. Offering such a poorly secured service is negligence, in the face of the data's high sensitivity nature.

[–] [email protected] 0 points 10 months ago (1 children)

Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves

Tell me you didn't read the article without telling me.

If 14,000 users who didn't change a password on a single use website they probably only ever logged into twice gives you 6.9 million user's personal info, that's the company's fault.

[–] [email protected] 5 points 10 months ago* (last edited 10 months ago) (3 children)

You didn't read it either. They gained access to shared information between the accounts because both accounts had enabled "share my info with my relatives" option.

Logging into someones Facebook and seeing their friends and all the stuff they posted as "friends only" and their private DM discussions isn't a hack or a vulnerability, it's how the website works.

[–] sudneo 1 points 10 months ago

It doesn't matter. It is a known attack and the company should have implemented measures against it.

At the very least, they should have made a threat modeling exercise and concluded that with this sharing feature, the compromise of a single account can lead to compromise of data for other users. One possible conclusion is that users who shared data should be forced to have 2fa.

[–] [email protected] 0 points 10 months ago* (last edited 10 months ago)

Laughing a feature that lets an inevitable attack access 500 other people's info for every comprimised account is a glaring security failure.

Accounting for foreseeable risks to users' data is the company's responsibility and they launched a feature that made a massive breach inevitable. It's not the users' fault for opting in to a feature that obviously should never have been launched.

[–] sudneo 0 points 10 months ago

It doesn't matter. It is a known attack and the company should have implemented measures against it.

At the very least, they should have made a threat modeling exercise and concluded that with this sharing feature, the compromise of a single account can lead to compromise of data for other users. One possible conclusion is that users who shared data should be forced to have 2fa.