Laughing a feature that lets an inevitable attack access 500 other people’s info for every comprimised account is a glaring security failure.
Accounting for foreseeable risks to users’ data is the company’s responsibility and they launched a feature that made a massive breach inevitable. It’s not the users’ fault for opting in to a feature that obviously should never have been launched.
Credential stuffing attacks will always yield results on a single use website because no one changes passwords on a site they don’t use anymore.
Launching a feature that enables an inevitable attack to access 500 other people’s info is very clearly the fault of the company who launched the feature.
Name, sex and ancestry were sold on the dark web, that’s a breach of private data.
The feature that lets a hacker see 500 other people’s personal information when they hack an account is obviously a massive security risk. Especially if you run a single use service - no one updates their password on a site they don’t use anymore.
Launching the feature in the first place made this inevitable.
It’s actually the user’s fault. The emails and passwords came from a different breach
No, 23andme is very clearly at fault.
Only 0.02% of those who had their personal info leaked were hacked by a credential stuffing attack.
99.8% of victims were victims because the company launched an obviously unsafe feature that allowed intruders to acces 500 other people’s details for each compromised account.
No one changes the password on sites they don’t use anymore and this is basically a single use service.
Lol that’s probably the Oompah-iest photo of trump I’ve seen.
users knowingly opted into a feature that had a clear privacy risk.
Your aunt who still insists she’s part Cherokee is not as capable of understanding data security risks as the IT department of the multi-million dollar that offered the ludicrously stupid feature in the first place.
People use these sites once right? Who’s changing their password on a site they don’t log into anymore? Given that credential stuffing was inevitable and foreseeable, the feature is obviously a massive risk that shouldn’t have been launched.
Yeah, 23AndMe has some culpability here, but the lions share is still in the users themselves
Tell me you didn’t read the article without telling me.
If 14,000 users who didn’t change a password on a single use website they probably only ever logged into twice gives you 6.9 million user’s personal info, that’s the company’s fault.
What should a website do when you present it with correct credentials?
Not then give you access to half their customers’ personal info?
Credential stuffing 1 grandpa who doesn’t understand data security shouldn’t give me access to names and genetics of 500 other people.
That’s a shocking lack of security for some of the most sensitive personal data that exists.
It’s at least 99.8% the company’s fault.
Even if we blame those 14k password reusers, we’re blaming 1 in every 500 victims. Being able to access genetic information and names of 6.9 million people - half your entire customers! - by hacking 0.02% of that is the fault of the company. They structured that access and failed to act on the obvious threat it represents.
But why blame password reusers? Not every grandparent interested in their family tree is capable of even understanding data security, let alone juggling multiple passwords or a PW manager.
Credential stuffing is an inevitable part of security landscape - especially for one time use accounts like genetics sites. A multimillion dollar IT department is just clearly responsible for preventing egregious data security failures.
I’m honestly asking what the impact to the users is from this breach.
The stolen info was used to databases of people with jewish ancestry that were sold on the dark web. I think there was a list of similar DB of people with chinese ancestry. 23andme’s poor security practices have directly helped violent white supremecists find targets.
If you’re so incompetent that you can’t stop white supremecists from getting identifiable information about people from minorities, there is a compelling public interest for your company to be shut down.
Having power has been shown to reduce your brain’s capacity for empathy. Neurologically, the rich actually are more capable of evil than normal people.
Being murderous and full on genocidal are two different things.
Yep! But committing genocide almost always requires murder so it’s appropriate to use either term when describing countries.
no clue, or sources to back it up
I’m still not sure what you want a source for? That countries commit genocide? I mean the news and also every history book is the source for that. I was born in Australia, we genocided countless indigenous nations. I live in the US, ditto. North and south of me are Canada and Mexico. Ditto. Destroying other peoples has been one of the main reasons to have a state. We have so many monuments from early states glorifying their genocides.
Regurgitating shit… just because you feel like it …isn’t the flex
I’m still not clear what you think it is I’m saying.
To be clear, my point was that as brutal and horrific as Israel’s actions are, it doesn’t make sense to shun every individual citizen of that country.
You often hear people say that all countries are brutal genocidal death machines when they are trying to defend their country? Being a brutal genocidal death machine is not a defense, it’s a damning indictment of how flawed a country is.
I’m not clear on what you wanted a source for. That countries are murderous?
Yeah that works for me but it feels like a shift in position from shun residents of this one country to abolish all countries.
I’m in favor of the latter which for me makes the former seem pointless and arbitrary.
If we’re burning passports and refusing to talk to anyone whose country has committed brutal genocide it’s going to be very lonely and smokey in every country.
the only solid policy position the Republicans have left.
Hey now! I think you’re forgetting their firm and unwavering commitment to resegregation
Peaking in 2000 seems odd - I see or hear that word daily and that definitely wasn’t the case back in 2000. Interesting!
The spoked wheel.
Surely after you rule against Trump you just update the office phone tree: to leave death threats please press 1, all others continuing holding.
Hi! If you’ve used it, there’s something I was curious about - how many people’s names did it show you?
If 50%+ of the 14000 had the feature enabled, it was showing an average of 500-1000 “relatives”. Was that what you saw? What degree of relatedness did they have?
I don’t think that opting in changes a company’s responsibility to not launch a massive, inevitable data security risk, but tbh I’m less interested in discussing who’s to blame than I am in hearing more about your experience using the feature. Thanks in advance!