this post was submitted on 07 Jan 2024

23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits::Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

[–] [email protected] 20 points 11 months ago (2 children)

There are some pretty basic things you can do to stop brute force attacks like putting a limit on failed login attempts which 23andme did not have. The issue is that those accounts almost certainly had multiple failed login attempts from places that should have flagged the login.

You ask what a security system is supposed to do when provided with the correct login. That is just the beginning of basic security. If someone consistently logs in from an IP address in one region and then all of a sudden has a couple failed logins from Russia and also one successful one from there, would you say a good security system shouldn't flag that? If a bank allowed your debit card to be used in a country you have never been to before when you seem to have just used it where you normally do, would you be fine with them not freezing your card?

As for MFA, last I checked, they still did not require it. It was recommended but not required.

And let's not forget that they changed the terms of service so you could not sue over shit like this in the future. You had 60 days to reject the new terms of service, which you did by sending an email. The email address in the emailed instructions was different from the one in the legal document that was attached.

[–] [email protected] 6 points 11 months ago

My understanding is that the failed logins were properly locked out like you describe. Passwords were leaked from other sites, so it was people reusing passwords that allowed the breach into 23andMe. Sounds like the users' fault to me.

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago)

The guy said brute force but meant credential stuffing.

Basically using an army of remote compromised devices to try known username/password combinations. If they used the same email and password that was found in another compromise, then their account would successfully be logged in on the first try from a unique IP each time.
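The three detection ideas raised in this thread side by side, as an added example that is not part of any comment above and not 23andMe's code: a per-account failed-attempt limit, a flag on a success from a region the account has never used, and a check for the credential-stuffing shape the last comment describes (many accounts, one first-try success each, a different IP every time), which the first two controls never trigger on. The login events are constructed sample data and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events, not real data: (time, account, source IP, country, success?)
EVENTS = [
    ("2024-01-05 09:00", "alice", "203.0.113.5", "US", True),
    ("2024-01-06 09:10", "alice", "203.0.113.5", "US", True),
    ("2024-01-07 02:00", "alice", "198.51.100.9", "RU", False),
    ("2024-01-07 02:01", "alice", "198.51.100.9", "RU", False),
    ("2024-01-07 02:02", "alice", "198.51.100.9", "RU", True),   # success after failures, new region
    ("2024-01-07 03:00", "bob",   "198.51.100.20", "RU", True),  # four accounts, four IPs, no failures:
    ("2024-01-07 03:01", "carol", "198.51.100.21", "RU", True),  # the credential-stuffing shape
    ("2024-01-07 03:02", "dave",  "198.51.100.22", "RU", True),
    ("2024-01-07 03:03", "erin",  "198.51.100.23", "RU", True),
    ("2024-01-07 08:00", "frank", "192.0.2.7", "US", True),
]

def parse(events):
    """Turn the timestamp strings into datetimes and sort chronologically."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), a, ip, c, ok) for t, a, ip, c, ok in events)

def lockout_candidates(events, max_failures=2):
    """Per-account failed-attempt counter: the basic control the first comment says was missing."""
    failures, locked = defaultdict(int), set()
    for _, acct, _, _, ok in parse(events):
        failures[acct] = 0 if ok else failures[acct] + 1
        if failures[acct] >= max_failures:
            locked.add(acct)
    return locked

def new_region_successes(events):
    """Flag a success from a country the account has never logged in from before."""
    seen, flagged = defaultdict(set), []
    for _, acct, ip, country, ok in parse(events):
        if ok and seen[acct] and country not in seen[acct]:
            flagged.append((acct, country, ip))
        if ok:
            seen[acct].add(country)
    return flagged

def stuffing_bursts(events, window=timedelta(minutes=10), min_accounts=4):
    """Many distinct accounts, one success each from its own IP inside one window (assumed thresholds)."""
    successes = [(t, a, ip) for t, a, ip, _, ok in parse(events) if ok]
    bursts = []
    for t0, _, _ in successes:
        span = [e for e in successes if t0 <= e[0] < t0 + window]
        accounts, ips = {a for _, a, _ in span}, {ip for _, _, ip in span}
        if len(accounts) >= min_accounts and len(ips) == len(span):
            bursts.append((t0, sorted(accounts)))
    return bursts
```

Only `stuffing_bursts` catches bob through erin: each of those accounts had zero failures and, on its own, looks like a normal login, which is exactly why a per-account lockout alone does not stop password reuse.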