Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • MimicJar@lemmy.world · 17 up / 6 down · 11 months ago

    I agree, by all accounts 23andMe didn’t do anything wrong; however, could they have done more?

    For example, the 14,000 compromised accounts.

    • Did they all log in from the same location?
    • Did they all log in around the same time?
    • Did they exhibit strange login behavior, like always logging in from California, then suddenly logging in from Europe?
    • Did these accounts, after logging in, perform actions that seemed automated?
    • Did these accounts access more data than the average user?

    In hindsight some of these questions might be easier to answer. It’s possible a company with even better security could have detected and shut down these compromised accounts before they collected the data of millions of accounts. It’s also possible they did everything right.

    A full investigation makes sense.

    • Zoolander@lemmy.world · 23 up / 2 down · 11 months ago

      I already said they could have done more. They could have forced MFA.

      All the other bullet points were already addressed: they used a botnet that, combined with the “last login location”, allowed them to use endpoints from the same country (and possibly even city) that matched that location over the course of several months. So, to put it simply - no, no, no, maybe but no way to tell, maybe but no way to tell.

      A full investigation makes sense but the OP is about 23andMe’s statement that the crux is users reusing passwords and not enabling MFA and they’re right about that. They could have done more but, even then, there’s no guarantee that someone with the right username/password combo could be detected.
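The login-analysis questions in MimicJar’s comment, and Zoolander’s point that a geo-matched botnet defeats the location-based ones, as an added example that is not part of the thread: three detection heuristics run over constructed login/access events (every account, IP, timestamp and count below is made up), showing that the per-account access-volume check still fires when source location is spoofed.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample login/access events (made-up accounts, IPs and counts):
# (account, unix_time, source_ip, geo_country, relative_profiles_viewed)
EVENTS = [
    ("alice", 1000, "198.51.100.7",  "US", 3),
    ("alice", 1600, "203.0.113.9",   "DE", 40),    # US -> DE ten minutes later
    ("bob",   2000, "198.51.100.8",  "US", 2),
    ("bob",   2100, "198.51.100.8",  "US", 1),
    ("carol", 3000, "203.0.113.50",  "US", 1500),  # home country, huge access
    ("dave",  3010, "203.0.113.50",  "US", 900),   # same IP, same minute
    ("erin",  3020, "203.0.113.50",  "US", 800),
    ("frank", 4000, "198.51.100.9",  "US", 4),
    ("grace", 4100, "198.51.100.10", "US", 2),
    ("heidi", 4200, "198.51.100.11", "US", 3),
]

def impossible_travel(events, max_seconds=3600):
    """Accounts whose consecutive logins come from different countries less
    than max_seconds apart (the 'California, then Europe' question)."""
    by_acct = defaultdict(list)
    for acct, ts, _ip, country, _n in sorted(events, key=lambda e: e[1]):
        by_acct[acct].append((ts, country))
    return {acct for acct, logins in by_acct.items()
            if any(c0 != c1 and t1 - t0 < max_seconds
                   for (t0, c0), (t1, c1) in zip(logins, logins[1:]))}

def shared_source_ips(events, min_accounts=3):
    """Source IPs used by many distinct accounts: a cheap 'same location, same
    time' signal. A botnet using a fresh, geo-matched IP per account evades it."""
    accts_per_ip = defaultdict(set)
    for acct, _ts, ip, _c, _n in events:
        accts_per_ip[ip].add(acct)
    return {ip for ip, accts in accts_per_ip.items() if len(accts) >= min_accounts}

def excessive_access(events, factor=20):
    """Accounts that viewed more than factor x the median user's total profiles.
    Neither IP nor geo enters this check, so location spoofing does not hide it."""
    totals = Counter()
    for acct, _ts, _ip, _c, n in events:
        totals[acct] += n
    threshold = factor * median(totals.values())
    return {acct for acct, n in totals.items() if n > threshold}

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(EVENTS))
    print("shared IPs:", shared_source_ips(EVENTS))
    print("excessive access:", excessive_access(EVENTS))
```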