Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • capital
    link
    fedilink
    English
    7811 months ago

    The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

    Turns out, it is.

    What should a website do when you present it with correct credentials?

      • @[email protected]
        link
        fedilink
        English
        21
        edit-2
        11 months ago

        IP-based mitigation strategies are pretty useless for ATO and credential stuffing attacks.

        These days, bot nets for hire are easy to come by and you can rotate your IP on every request limiting you controls to simply block known bad IPs and data server IPs.

      • @[email protected]
        link
        fedilink
        English
        1311 months ago
        1. The attackers used IPs situated in their victims regions to log in, across months, bypassing rate limiting or region locks / warnings

        2. I don’t know if they did but it would seem trivial to just use the tokens in-situ once they managed to login instead of saving and reusing said tokens. Also those tokens are the end user client tokens, IP locking them would make people with dynamic IPs or logged in 5G throw a fuss after the 5th login in half an hour of subway

        3. Yeah 2FA should be a default everywhere but people just throw a fuss at the slightest inconvenience. We very much need 2FA to become the norm so it’s not seen as such

        • FiveMacs
          link
          fedilink
          English
          411 months ago

          I’m cool with 2fa, I’m not cool with a company demanding my cellphone number to send me SMS for 2fa or to be forced to get a 2fa code via email…like my bank. I can ONLY link 2fa to my phone. So when my phone goes missing or stolen, I can’t access my bank. Only time I have resisted 2fa is when this pooly implemented bullshit happens.

          • JackbyDev
            link
            fedilink
            English
            211 months ago

            Pro tip, when making a new Google account and putting your phone number in be sure to look into more options. There is a choice to only use it for 2fa and not for data linking.

        • @[email protected]
          link
          fedilink
          English
          311 months ago

          2 factor beats the hell outta that “match the horse with the direction of the the arrow 10x” bs

    • Hegar
      link
      fedilink
      37
      edit-2
      11 months ago

      What should a website do when you present it with correct credentials?

      Not then give you access to half their customers’ personal info?

      Credential stuffing 1 grandpa who doesn’t understand data security shouldn’t give me access to names and genetics of 500 other people.

      That’s a shocking lack of security for some of the most sensitive personal data that exists.

      • capital
        link
        fedilink
        English
        1011 months ago

        You either didn’t read or just really need this to be the company’s fault.

        Those initial breaches lead to more info being leaked because users chose to share data with those breached users before their accounts were compromised.

        When you change a setting on a website do you want to have to keep setting it back to what you want or do you want it to stay the first time you set it?

      • @[email protected]
        link
        fedilink
        English
        411 months ago

        Not then give you access to half their customers’ personal info?

        That’s a feature of the service that you opt into when you’re setting up your account. You’re not required to share anything with anyone, but a lot of people choose too. I actually was able to connect with a half-sibling that I knew I had, but didn’t know how to contact, via that system.

          • @[email protected]
            link
            fedilink
            English
            1
            edit-2
            11 months ago

            But why do you need access to any of your half sibling’s personal data to do that?

            Nobody “needs” it, lol. People do it because it’s interesting to them. That’s why it’s opt-in.

            Why do you need access to everyone who opted in’s data to do that?

            Why does Facebook need to show you other people’s profiles and posts? Why does Lemmy show me your profile and posts? It’s how those services work, and people choose to use those services because they work that way.

        • Hegar
          link
          fedilink
          111 months ago

          Hi! If you’ve used it, there’s something I was curious about - how many people’s names did it show you?

          If 50%+ of the 14000 had the feature enabled, it was showing an average of 500-1000 “relatives”. Was that what you saw? What degree of relatedness did they have?

          I don’t think that opting in changes a company’s responsibility to not launch a massive, inevitable data security risk, but tbh I’m less interested in discussing who’s to blame than I am in hearing more about your experience using the feature. Thanks in advance!

          • @[email protected]
            link
            fedilink
            English
            1
            edit-2
            11 months ago

            This list shows 1500 people for me. I assume that’s just some arbitrary limit to the number of results. There’s significantly overlap in the relationship lists, so the total number of people with data available is less than the (14000 x 0.5 x 1500) than the math might indicate.

            My list of possible relations goes from 25% to 0.28% shared DNA. That’s half-sibling down to 4th cousin (shared 3rd-great-grandparents).

            The only thing I can see for people who I haven’t “connected” with is our shared ancestry and general location (city or state) if they share it. I can see “health reports” if the person has specifically opted to share it with me after “connecting”.

    • @[email protected]
      link
      fedilink
      English
      2811 months ago

      So… we are ignoring the 6+ million users who had nothing to do with the 14 thousand users, because convenience?

      Not to mention, the use of “brute force” there insinuates that the site should have had password requirements in place.

      • capital
        link
        fedilink
        English
        1411 months ago

        Please excuse the rehash from another of my comments:

        How do you people want options on websites to work?

        These people opted into information sharing.

        When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

        • @[email protected]
          link
          fedilink
          English
          011 months ago

          I admit, I’ve not used the site so I don’t know the answers to the questions I would need, in order to properly respond:

          • Were these opt-in or opt-out?
          • Were the risks made clear?
          • Were the options fine tuned enough that you could share some info, but not all?

          From the sounds of it, I doubt enough was done by the company to ensure people were aware of the risks. Because so many people were shocked by what was able to be skimmed.

          • capital
            link
            fedilink
            English
            011 months ago

            I’m convinced that everyone pissed at the company for users reusing passwords has a reading comprehension problem because I definitely already answered your first question in the comment you responded to.

            I haven’t used the service either - I don’t want more of my data out there. So I can’t answer the other questions.

            Users were probably not thinking about the implications of a breach after sharing but it stands to reason that if you share data with an account, and that account gets compromised, your data is compromised.

            We’ve all been through several of those from actual hacks at other companies (looking at you, T-Mobile). I refuse to believe people aren’t aware of this general issue by now.

      • @[email protected]
        link
        fedilink
        English
        9
        edit-2
        11 months ago

        It was credential stuffing. Basically these people were hacked in other services. Those services probably told them “Hey, you need to change your password because our database was hacked” and then they were like “meh, I’ll keep using this password and won’t update my other services that this password and personally identifiable information about myself and my relatives”.

        Both are at fault, but the users reusing passwords with no MFA are dumb as fuck.

    • @[email protected]
      link
      fedilink
      English
      411 months ago

      by brute-forcing accounts with passwords that were known

      That’s not what “brute force” means.