• @beckerist
      link
      English
      3610 months ago

      deleted by creator

      • @AA5B
        link
        English
        310 months ago

        access to a ton of information if you were “related” to one another

        This is what I never understood: isn’t that the entire selling point of the service? To share a huge amount of what should be personal data, that you wouldn’t willingly share normally? How do they still exist?

      • @surewhynotlem
        link
        English
        310 months ago

        That’s only after they broke in.

        So to be clear: the attackers logged into people’s accounts, using those people’s passwords that they stole from other sites, and then got access to those people’s data and the data shared with those people.

        I don’t see how any of this is a hack. If you gave me your login and password, then I would be able to do the same thing. Is that hacking?

        • @[email protected]
          link
          fedilink
          English
          610 months ago

          The “unauthorized access” portion is what makes it a hack. It’s not a super technical hack, but it’s a hack.

          • @surewhynotlem
            link
            English
            210 months ago

            Ahhh, I always forget that use of the term. In that case yes.

        • @thedirtyknapkin
          link
          English
          410 months ago

          the heck was when they got the username and password. this is just the extended consequences because people use the same password for everything.

          • @surewhynotlem
            link
            English
            210 months ago

            That is correct. But they didn’t get that from 23andMe. They got the username and password from other sites that were hacked, and the affected users were those that had the same password on 23andme. This is not a 23andMe security issue.

            • @thedirtyknapkin
              link
              English
              210 months ago

              that’s kind of fair, but part of the point is that they didn’t even need to access the accounts of people that were compromised. they just needed to access someone who was related to them to access their genetic info.

      • @CosmicTurtle
        link
        English
        110 months ago

        If the attack was carried out over one IP address, they should have been able to detect it.

        There is no real reason why 7 million different accounts access the site from one location.

        I don’t know how sophisticated the attack was but the future threat is instead of DDOS attacks would be distributed ACCESS attacks where millions of controlled devices attack a site with known credentials to download small bits of information over time. Even better if you can work out ahead of time the account’s general location and then assign devices in the area to access that account.

        • @[email protected]
          link
          fedilink
          English
          110 months ago

          That kind of attack is already a thing; whole it will most likely remain one in the future, it is one in the present as well.

    • JohnEdwa
      link
      fedilink
      English
      14
      edit-2
      10 months ago

      Credential stuffing using botnets spread over months. It would look almost identical to legit login requests.