this post was submitted on 03 Jan 2024
825 points (94.4% liked)

Technology

69391 readers
2674 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
825
23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)
submitted 1 year ago by Eezyville@sh.itjust.works to c/technology@lemmy.world
272 comments fedilink hide all child comments
 

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments
[–] dpkonofa@lemmy.world 214 points 1 year ago (52 children)

I'm seeing so much FUD and misinformation being spread about this that I wonder what's the motivation behind the stories reporting this. These are as close to the facts as I can state from what I've read about the situation:

  1. 23andMe was not hacked or breached.
  2. Another site (as of yet undisclosed) was breached and a database of usernames, passwords/hashes, last known login location, personal info, and recent IP addresses was accessed and downloaded by an attacker.
  3. The attacker took the database dump to the dark web and attempted to sell the leaked info.
  4. Another attacker purchased the data and began testing the logins on 23andMe using a botnet that used the username/passwords retrieved and used the last known location to use nodes that were close to those locations.
  5. All compromised accounts did not have MFA enabled.
  6. Data that was available to compromised accounts such as data sharing that was opted-into was available to the people that compromised them as well.
  7. No data that wasn't opted into was shared.
  8. 23andMe now requires MFA on all accounts (started once they were notified of a potential issue).

I agree with 23andMe. I don't see how it's their fault that users reused their passwords from other sites and didn't turn on Multi-Factor Authentication. In my opinion, they should have forced MFA for people but not doing so doesn't suddenly make them culpable for users' poor security practices.

load more comments (50 replies)