Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • elscallr@lemmy.world
    link
    fedilink
    English
    arrow-up
    48
    arrow-down
    13
    ·
    10 months ago

    Reusing credentials is their fault. Sure, 23&me should’ve done better, but someone was likely to get fucked, and if you’re using the same password everywhere it is objectively your fault. Get a password manager, don’t make the key the same compromised password, and stop being stupid.

    • Hegar@kbin.social
      link
      fedilink
      arrow-up
      32
      arrow-down
      6
      ·
      edit-2
      10 months ago

      It’s at least 99.8% the company’s fault.

      Even if we blame those 14k password reusers, we’re blaming 1 in every 500 victims. Being able to access genetic information and names of 6.9 million people - half your entire customers! - by hacking 0.02% of that is the fault of the company. They structured that access and failed to act on the obvious threat it represents.

      But why blame password reusers? Not every grandparent interested in their family tree is capable of even understanding data security, let alone juggling multiple passwords or a PW manager.

      Credential stuffing is an inevitable part of security landscape - especially for one time use accounts like genetics sites. A multimillion dollar IT department is just clearly responsible for preventing egregious data security failures.

      • Chetzemoka@startrek.website
        link
        fedilink
        English
        arrow-up
        22
        arrow-down
        4
        ·
        10 months ago

        They didn’t get genetic raw data of anyone beyond the 14K, they got family relationship information. Which is an option you can turn on or off, if you want. It’s very clear that you’re exposing yourself to other people if you choose to see who you’re related to. It doesn’t expose raw data and it doesn’t instantly expose names, just how they’re related to you. (And most of the “relations” are 3rd to 5th cousins, aka strangers.)

        Hackers used the genetic ancestry data of the 14K hacked users and their “relatives” connections to deduce large families of Ashkenazi Jews.

        • KᑌᔕᕼIᗩ
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          10 months ago

          Given the sensitivity of the data in both cases they should have had mandatory 2fa set up. However, the other person is right, there’s probably a ton of tech illiterate people using this and they likely saw better security as barriers to entry and making less money.

          • Willy@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            10 months ago

            some people just aren’t that worried about sharing their dna info. Hell, I’d venture I’d give a actual sample to a good % of the population if they asked me in a sexy way.

    • pflanzenregal@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      10 months ago

      I would say it’s partially their fault. IMHO 23&me is mainly to blame. They should’ve enforced (proper) 2FA. Sure, people should’ve known better, but they didn’t; they oftenly don’t. But 23&me did know better.

      Edit: spelling