this post was submitted on 03 Jan 2024
826 points (94.0% liked)

Technology

59995 readers
2532 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 33 points 11 months ago (3 children)

“users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe...Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account's data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

[–] assassin_aragorn 5 points 11 months ago

It's terrible design. If they know their users are going to do this, they're supposed to work around that. Not leave it as a vulnerability.

[–] [email protected] 4 points 11 months ago (1 children)

And it's your fault you have access to them. Stop doing bad things and keep your information secure.

[–] [email protected] 0 points 11 months ago (2 children)

you clearly have no familiarity with the principles of information security. 23andMe failed to follow a basic principle: defense in depth. The system should be designed such that compromises are limited in scope and cannot be leveraged into a greater scope. Password breaches are going to happen. They happen every day, on every system on the internet. They happen to weak passwords, reused passwords and strong passwords. They're so common that if you don't design your system assuming the occasional user account will be compromised then you're completely ignoring a threat vector, which is on you as a designer. 23andMe didn't force 2 factor auth (https://techcrunch.com/2023/11/07/23andme-ancestry-myheritage-two-factor-by-default/) and they made it so every account had access to information beyond what that account could control. These are two design decisions that enabled this attack to succeed, and then escalate.

[–] psud 7 points 11 months ago (1 children)

Fiivemacs was joking, speaking in 23&me's voice. They don't actually believe it's the user's fault.

[–] [email protected] 1 points 11 months ago

That was very much sarcasm on my part

[–] [email protected] 1 points 11 months ago

Didn't say /s...

[–] [email protected] 4 points 11 months ago

I don't think so. Those users had opted in to share information within a certain group. They've already accepted the risk of sharing info with someone who might be untrustworthy.

Plenty of other systems do the same thing. I can share the list of games on my Steam account with my friends - the fact that a hacker might break into one of their accounts and access my data doesn't mean that this sharing of information is broken by design.

If you choose to share your secrets with someone, you accept the risk that they may not protect them as well as you do.

There may be other reasons to criticise 23andMe's security, but this isn't a broken design.