Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • Alien Nathan Edward
    link
    fedilink
    English
    3311 months ago

    “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe…Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,”

    This is a failure to design securely. Breaking into one account via cred stuffing should give you access to one account’s data, but because of their poor design hackers were able to leverage 14,000 compromised accounts into 500x that much data. What that tells me is that, by design, every account on 23andMe has access to the confidential data of many, many other accounts.

    • @assassin_aragorn
      link
      English
      511 months ago

      It’s terrible design. If they know their users are going to do this, they’re supposed to work around that. Not leave it as a vulnerability.

    • @[email protected]
      link
      fedilink
      English
      411 months ago

      I don’t think so. Those users had opted in to share information within a certain group. They’ve already accepted the risk of sharing info with someone who might be untrustworthy.

      Plenty of other systems do the same thing. I can share the list of games on my Steam account with my friends - the fact that a hacker might break into one of their accounts and access my data doesn’t mean that this sharing of information is broken by design.

      If you choose to share your secrets with someone, you accept the risk that they may not protect them as well as you do.

      There may be other reasons to criticise 23andMe’s security, but this isn’t a broken design.

    • FiveMacs
      link
      fedilink
      English
      411 months ago

      And it’s your fault you have access to them. Stop doing bad things and keep your information secure.

      • Alien Nathan Edward
        link
        fedilink
        English
        011 months ago

        you clearly have no familiarity with the principles of information security. 23andMe failed to follow a basic principle: defense in depth. The system should be designed such that compromises are limited in scope and cannot be leveraged into a greater scope. Password breaches are going to happen. They happen every day, on every system on the internet. They happen to weak passwords, reused passwords and strong passwords. They’re so common that if you don’t design your system assuming the occasional user account will be compromised then you’re completely ignoring a threat vector, which is on you as a designer. 23andMe didn’t force 2 factor auth (https://techcrunch.com/2023/11/07/23andme-ancestry-myheritage-two-factor-by-default/) and they made it so every account had access to information beyond what that account could control. These are two design decisions that enabled this attack to succeed, and then escalate.

        • @psud
          link
          English
          711 months ago

          Fiivemacs was joking, speaking in 23&me’s voice. They don’t actually believe it’s the user’s fault.