Technology

63200 readers

6553 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

826

23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)

submitted 1 year ago by [email protected] to c/technology

261 comments fedilink hide all child comments

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments

[–] MimicJar 15 points 1 year ago (7 children)

I agree, by all accounts 23andMe didn't do anything wrong, however could they have done more?

For example the 14,000 compromised accounts.

Did they all login from the same location?
Did they all login around the same time?
Did they exhibit strange login behavior like always logged in from California, suddenly logged in from Europe?
Did these accounts, after logging in, perform actions that seemed automated?
Did these accounts access more data than the average user?

In hindsight some of these questions might be easier to answer. It's possible a company with even better security could have detected and shutdown these compromised accounts before they collected the data of millions of accounts. It's also possible they did everything right.

A full investigation makes sense.

[–] [email protected] 5 points 1 year ago (3 children)

Those are my questions, too. It boggles my mind that so many accounts didn’t seem to raise a red flag. Did 23&Me have any sort of suspicious behavior detection?

And how did those breached accounts access that much data without it being observed as an obvious pattern?

[–] douglasg14b 13 points 1 year ago* (last edited 1 year ago) (2 children)

If the accounts were logged into from geographically similar locations at normal volumes then it wouldn't look too out of the ordinary.

The part that would probably look suspicious would be the increase in traffic from data exfiltration. However, that would probably be a low priority alert for most engineering orgs.

Even less likely when you have a bot network that is performing normal logins with limited data exfiltration over the course of multiple months to normalize any sort of monitoring and analytics. Rendering such alerting inert, since the data would appear normal.

Setting up monitoring and analysis for user accounts and where they're logging from and suspicious activity isn't exactly easy. It's so difficult that most companies tend to just defer to large players like Google and Microsoft to do this for them. And even if they had this setup which I imagine they already did it was defeated.

[–] sudneo 3 points 1 year ago

If the accounts were logged into from geographically similar locations at normal volumes then it wouldn’t look too out of the ordinary.

I mean, device fingerprinting is used for this purpose. Then there is the geographic pattern, the IP reputation etc. Any difference -> ask MFA.

It’s so difficult that most companies tend to just defer to large players like Google and Microsoft to do this for them.

Cloudflare, Imperva, Akamai I believe all offer these services. These are some of the players who can help against this type of attack, plus of course in-house tools. If you decide to collect sensitive data, you should also provide appropriate security. If you don't want to pay for services, force MFA at every login.

load more comments (1 replies)

load more comments (4 replies)