this post was submitted on 03 Jan 2024
828 points (94.2% liked)

Technology

59398 readers
2765 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
828
23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)
submitted 10 months ago by [email protected] to c/[email protected]
276 comments fedilink hide all child comments
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 219 points 10 months ago (52 children)

I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

  1. 23andMe was not hacked or breached.
  2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
  3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
  4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
  5. All compromised accounts did not have MFA enabled.
  6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
  7. No data that wasn't opted into was shared.
  8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.

[–] [email protected] 71 points 10 months ago (14 children)

I think most internet users are straight up smooth brained, i have to pull my wife's hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she's just lucky she didn't have the cc attached to it.

And she makes 3 times as much as I do, there is no helping people.

[–] [email protected] 7 points 10 months ago (2 children)

Lately I try to get people to use Chrome's built-it password manager. It's simple and it works across platforms.

[–] [email protected] 21 points 10 months ago (1 children)

I get that people aren’t a fan of Google, and I’m not either, but this is a reasonable option that would be better than what the vast majority of people are doing now…

[–] [email protected] 1 points 10 months ago

That's what I'm getting at. It's an upgrade for most users and certainly novices. I thought I was being cleaver with a password manager and they got hacked twice (you know who).

[–] [email protected] 15 points 10 months ago* (last edited 10 months ago) (1 children)

Bitwarden is simple, works across platforms, is open source, and isn't trusting your data to a company whose *checks notes entire business model is based on sucking up as much data as possible to use for ad-targeting.

I'll trust the company whose business model isn't built on data-harvesting, thanks.

Also, Firefox is better for the health of the web, Google is using Chrome as a backdoor to dictate web standards, yadda yadda.

[–] [email protected] 1 points 10 months ago

You and I can choose our tools as the best for our use case and for the good of the internet in general, but our non-tech friends can't.

I convinced a friend to use KeePass, but he wouldn't spend the time to learn it. I now tell him and others like him to just use Chrome's suggested password.

load more comments (11 replies)
load more comments (48 replies)