23andMe Blames Users for Recent Data Breach as It’s Hit With Dozens of Lawsuits::Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

  • /home/pineapplelover
    link
    fedilink
    English
    911 months ago

    I’m downvoting you even though I believe the users are negligent and partially to blame here. However, does the site not lock log in attempts after the first 10 login attempts or something? At this point, something so sensitive like ancestry and health information should be mfa required at the bare minimum a phone number 2fa would help a bit.

    • edric
      link
      fedilink
      English
      411 months ago

      Not sure of this specific case, but typical brute force attacks are done locally on the database that was acquired from the breach, not on the site itself. This way lockouts aren’t an issue.

      • @[email protected]
        link
        fedilink
        English
        611 months ago

        In this case it was a credential stuffing attack against the live login form on the website based on the information released.

    • Snot Flickerman
      link
      fedilink
      English
      0
      edit-2
      11 months ago

      However, does the site not lock log in attempts after the first 10 login attempts or something?

      They had accurate credentials. They didn’t hit a login wall because people were re-using their passwords. They hit a login-wall for people who didn’t re-use their passwords. They got accurate credentials from an unrelated hack, from people re-using passwords. How many times does a system “block” you when you have the right username and password the first time?? Zero, I’m pretty fucksure.

      (Also, it’s usually more like three attempts.)

      I am very confused at what people think computers are supposed to do when given the correct login information? The point of login information is to prove who you are. If you have the correct information, the computer cannot know who is behind the keyboard.

      At this point, something so sensitive like ancestry and health information should be mfa required at the bare minimum a phone number 2fa would help a bit.

      On this point, I agree. 23andMe seems to now as well, considering they just rolled out required MFA for all their users. However, we live in a world basically zero data privacy laws in the US. The US can’t even fucking pass a budget, so good luck waiting on privacy laws. You want that kind of consideration, you gotta move to Europe.

      Like 23andMe, companies don’t really care until something has already happened, since there isn’t legislation forcing them to care.

      Finally, phone 2FA is garbage that can be intercepted. It shouldn’t be used. The fact that it’s still the default means this won’t be the end of data breaches. People need to embrace security keys like YubiKey.

      • @automattable
        link
        English
        911 months ago

        I get asked to prove I’m making a legit login attempt all the time because it’s from a new IP address. 23andMe could have implemented something similar, and given the sensitive nature of the data they host and given how we all know that people can’t be trusted to have good password hygiene, I think they should have been required to do so.

        IMO this whole thing is just more proof that we need better regulation around how companies treat users’ private information.

        • Snot Flickerman
          link
          fedilink
          English
          -4
          edit-2
          11 months ago

          I think they should have been required to do so.

          Did you miss the part where our government can’t even pass a budget, but you’re expecting them to pass laws like this?

          Also, IP spoofing exists and is relatively easy.

          • @[email protected]
            link
            fedilink
            English
            511 months ago

            You can’t spoof your IP address because of the TCP handshake. You could proxy your traffic to appear from coming from a different IP address than from the computers making the requests. This would still be identified as suspicious because the proxy IP address would differ from an IP address a user had logged in from before.

            Even if the “hackers” knew every user’s IP address, they would not be able to establish a connection with it appearing from an IP address that didn’t really initiate the traffic.

      • @[email protected]
        link
        fedilink
        English
        411 months ago

        Perhaps a better question would be to ask why they are allowing 14k separate logins from (what was probably) the same IP address? If you ask any big email provider, they will tell you they immediately shut down any access from that IP due to suspicious behavior, while simultaneously resetting the passwords of all the accounts that appear to be compromised. Typically you should have records of the IPs used for previous logins so it’s fairly simple to compare records having suspicious activity and see if the accounts in question had any previous relationships with each other. And once you have that information on hand you can use it to monitor the compromised accounts for any further login attempts by unknown IPs and then block THOSE addresses as well.

        When you have that many active user accounts, you do not just settle for simply accepting the correct credentials.

        • Snot Flickerman
          link
          fedilink
          English
          011 months ago

          You are aware that IP spoofing exists? It’s not impossible for the hacker to have appeared to have been connecting from many different connections.

          • @[email protected]
            link
            fedilink
            English
            411 months ago

            Yes I am, as I’m sure you are aware that IP spoofing is pretty much only relevant where you are sending outgoing packets (like in a DDoS attack) and do not expect to receive any information back. If you need two-way communication over TCP, spoofing doesn’t work because the returned information naturally gets routed back to the host of the real IP and not to the spoofed address. Obviously these attackers received some information back.