Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • Zoolander@lemmy.world
    link
    fedilink
    English
    arrow-up
    172
    arrow-down
    20
    ·
    11 months ago

    I’m seeing so much FUD and misinformation being spread about this that I wonder what’s the motivation behind the stories reporting this. These are as close to the facts as I can state from what I’ve read about the situation:

    1. 23andMe was not hacked or breached.
    2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
    3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
    4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
    5. All compromised accounts did not have MFA enabled.
    6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
    7. No data that wasn’t opted into was shared.
    8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

    I agree with 23andMe. I don’t see how it’s their fault that users reused their passwords from other sites and didn’t turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn’t suddenly make them culpable for users’ poor security practices.

    • Kittenstix@lemmy.world
      link
      fedilink
      English
      arrow-up
      55
      arrow-down
      10
      ·
      11 months ago

      I think most internet users are straight up smooth brained, i have to pull my wife’s hair to get her to not use my first name twice and the year we were married as a password and even then I only succeed 30% of the time, and she had the nerve to bitch and moan when her Walmart account got hacked, she’s just lucky she didn’t have the cc attached to it.

      And she makes 3 times as much as I do, there is no helping people.

      • Ibex0@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        3
        ·
        11 months ago

        Lately I try to get people to use Chrome’s built-it password manager. It’s simple and it works across platforms.

        • Chobbes@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          ·
          11 months ago

          I get that people aren’t a fan of Google, and I’m not either, but this is a reasonable option that would be better than what the vast majority of people are doing now…

          • Ibex0@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 months ago

            That’s what I’m getting at. It’s an upgrade for most users and certainly novices. I thought I was being cleaver with a password manager and they got hacked twice (you know who).

    • MimicJar@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      6
      ·
      11 months ago

      I agree, by all accounts 23andMe didn’t do anything wrong, however could they have done more?

      For example the 14,000 compromised accounts.

      • Did they all login from the same location?
      • Did they all login around the same time?
      • Did they exhibit strange login behavior like always logged in from California, suddenly logged in from Europe?
      • Did these accounts, after logging in, perform actions that seemed automated?
      • Did these accounts access more data than the average user?

      In hindsight some of these questions might be easier to answer. It’s possible a company with even better security could have detected and shutdown these compromised accounts before they collected the data of millions of accounts. It’s also possible they did everything right.

      A full investigation makes sense.

      • Zoolander@lemmy.world
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        2
        ·
        11 months ago

        I already said they could have done more. They could have forced MFA.

        All the other bullet points were already addressed: they used a botnet that, combined with the “last login location” allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.

        A full investigation makes sense but the OP is about 23andMe’s statement that the crux is users reusing passwords and not enabling MFA and they’re right about that. They could have done more but, even then, there’s no guarantee that someone with the right username/password combo could be detected.

    • sudneo@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      9
      ·
      11 months ago

      Credential stuffing is an attack which is well known and that organizations like 23andme definitely should have in their threat model. There are mitigations, such as preventing compromised credentials to be used at registration, protecting from bots (as imperfect as it is), enforcing MFA etc.

      This is their breach indeed.

      • Zoolander@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        8
        ·
        edit-2
        11 months ago

        They did. They had MFA available and these users chose not to enable it. Every 23andMe account is prompted to set up MFA when they start. If people chose not to enable it and then someone gets access to their username and password, that is not 23andMe’s fault.

        Also, how do you go about “preventing compromised credentials” if you don’t know that the credentials are compromised ahead of time? The dataset in question was never publicly shared. It was being sold privately.

        • sudneo@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          4
          ·
          11 months ago

          The fact that they did not enforce 2fa on everyone (mandatory, not just having the feature enabled) is their responsibility. You are handling super sensitive data, credential stuffing is an attack with a super low level of complexity and high likelihood.

          Similarly, they probably did not enforce complexity requirements on passwords (making an educated guess vere), or at least not sufficiently, which is also their fault.

          Regarding the last bit, it might noto have helped against this specific breach, but we don’t know that. There are companies who offer threat intelligence services and buy data breached specifically to offer this service.

          Anyway, in general the point I want to make is simple: if your only defense you have against a known attack like this is a user who chooses a strong and unique password, you don’t have sufficient controls.

          • Zoolander@lemmy.world
            link
            fedilink
            English
            arrow-up
            12
            arrow-down
            4
            ·
            edit-2
            11 months ago

            I guess we just have different ideas of responsibility. It was 23andMe’s responsibility to offer MFA, and they did. It was the user’s responsibility to choose secure passwords and enable MFA and they didn’t. I would even play devil’s advocate and say that sharing your info with strangers was also the user’s responsibility but that 23andMe could have forced MFA on accounts who shared data with other accounts.

            Many people hate MFA systems. It’s up to each user to determine how securely they want to protect their data. The users in question clearly didn’t if they reused passwords and didn’t enable MFA when prompted.

            • sudneo@lemmy.world
              link
              fedilink
              English
              arrow-up
              12
              ·
              11 months ago

              My idea is definitely biased by the fact that I am a security engineer by trade. I believe a company is ultimately responsible for the security of their users, even if the threat is the users’ own behavior. The company is the one able to afford a security department who is competent about the attacks their users are exposed to and able to mitigate them (to a certain extent), and that’s why you enforce things.

              Very often companies use “ease” or “users don’t like” to justify the absence of security measures such as enforced 2fa. However, this is their choice, who prioritize not pissing off (potentially) a small % of users for the price of more security for all users (especially the less proficient ones). It is a business choice that they need to be accountable for. I also want to stress that despite being mostly useless, different compliance standards also require measures that protect users who use simple or repeated passwords. That’s why complexity requirements are sometimes demanded, or also the trivial bruteforce protection with lockout period (for example, most gambling licenses require both of these, and companies who don’t enforce them cannot operate in a certain market). Preventing credentials stuffing is no different and if we look at OWASP recommendation, it’s clear that enforcing MFA is the way to go, even if maybe in a way that it does not trigger all the time, which would have worked in this case.

              It’s up to each user to determine how securely they want to protect their data.

              Hard disagree. The company, i.e. the data processor, is the only one who has the full understanding of the data (sensitivity, amount, etc.) and a security department. That’s the entity who needs to understand what threat actors exist for the users and implement controls appropriately. Would you trust a bank that allowed you to login and make bank transfers using just a login/password with no requirements whatsoever on the password and no brute force prevention?

              • Zoolander@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                1
                ·
                11 months ago

                This wasn’t a brute force attack, though. Even if they had brute force detection, which I’m not sure if they don’t or not, that would have done nothing to help this situation as nothing was brute forced in the way that would have been detected. The attempts were spread out over months using bots that were local to the last good login location. That’s the primary issue here. The logins looked legitimate. It wasn’t until after the exposure that they knew it wasn’t and that was because of other signals that 23andMe obviously had in place (I’m guessing usage patterns or automation detection).

                • sudneo@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  11 months ago

                  Of course this is not a brute force attack, credentials stuffing is different from bruteforcing and I am well aware of it. What I am saying is that the “lockout period” or the rate limiting (useful against brute force attacks) for logins are both security measures that are sometimes demanded from companies. However, even in the case of bruteforcing, it’s the user who picks a “brute-forceable” password. A 100 character password with numbers, letters, symbols and capital letters is essentially not possible to be bruteforced. The industry recognized however that it’s the responsibility of organizations to implement protections from bruteforcing, even though users can already “protect themselves”. So, why would it be different in the case of credentials stuffing? Of course, users can “protect themselves” by using unique passwords, but I still think that it’s the responsibility of the company to implement appropriate controls against this attack, in the same exact way that it’s their responsibility to implement a rate-limiting on logins or a lockout after N failed attempts. In case of stuffing attacks, MFA is the main control that should simply be enforced or at the very least required (e.g., via email - which is weak but better than nothing) when any new pattern in a login emerges (new device, for example). 23andMe failed to implement this, and blaming users is the same as blaming users for having their passwords bruteforced, when no rate-limiting, lockout period, complexity requirements etc. are implemented.

                  • Zoolander@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    ·
                    edit-2
                    11 months ago

                    So forced MFA is the only way to prevent what happened? That’s basically what you’re saying, right?

                    Their other mechanisms would prevent credential stuffing (e.g., rate limits, comparing login locations) so how was this still successful?

    • Xer0@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      3
      ·
      11 months ago

      I agree. The people blaming the website are ridiculous here.

      • Zoolander@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        11 months ago

        It’s just odd that people get such big hate boners from ignorance. Everything I’m reading about this is telling me that 23andMe should have enabled forced MFA before this happened rather than after, which I agree with, but that doesn’t mean this result is entirely their fault either. People need to take some personal responsibility sometimes with their own personal info.

      • dream_weasel@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        3
        ·
        edit-2
        11 months ago

        Would bet your password includes “password” or something anyone could guess in 10 minutes after viewing your Facebook profile.

        Edit: Your l33t hacker name is your mother’s maiden name and the last four of your social, bro. Mines hunter1337, what’s yours?