User data stolen from genetic testing giant 23andMe is now for sale on the dark web

User data from 23andMe accounts has been leaked and put up for sale on a dark web forum after what appeared to be a “credential stuffing” cyberattack.

  • huginn@feddit.it · +63 / −3 · 1 year ago

    Note: this was from password stuffing and is only profile data, not genetic.

    Your genomics can only be downloaded from a link sent to your email account.

    Don’t reuse your passwords.

    The only thing 23andme could have done to prevent this is 2fa.

      • huginn@feddit.it · +17 / −1 · 1 year ago

        Preventing these kinds of attacks is a nontrivial problem space and is the exact reason why scraping services are a lucrative business.

        It is not trivial to prevent dark web actors from using botnets to make requests and it is comparatively inexpensive to access botnets as a service.

        Sending emails for suspicious login is 2fa, by the way.

          • huginn@feddit.it · +7 / −2 · 1 year ago

            If you think that IP blocking stops credential stuffing you really are out of your depth.

            Would it stop this guy if he was some skid just running Kali? Absolutely.

            But it ain’t going to stop anyone more determined. Especially since you’re going to let those blocks expire to avoid blocking legitimate customers. A patient opposition with minimal resources will get by that kind of naive approach.

            Not only that but you have 0 evidence they didn’t IP block. They absolutely could have standard protocols in place but anything short of 2fa is inherently vulnerable.

              • akrot@lemmy.world · +4 / −1 · 1 year ago

                I think what he was trying to say is that implementing those strategies would deter 90% of rookies (using the Kali toolkit as a service), but not the 10% who have the right technical knowledge and enough motivation to clamp down on what they want.
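The subthread above argues that an expiring per-IP block catches the unsophisticated case but not a patient or distributed attacker, and that a suspicious-login email is itself a form of 2FA. The following script is an added example, not code from the thread or from 23andMe, that runs both ideas over a constructed authentication log: a naive expiring per-IP block, and two detection signals that survive IP rotation and block expiry (one IP failing against many accounts, one account failing from many IPs), with successful logins matching either signal flagged as the ones that should trigger a suspicious-login notification or step-up challenge. The log format, thresholds and IP addresses (RFC 5737 documentation ranges) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <source IP> <username> <OK|FAIL>".
# IPs come from the RFC 5737 documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.5 alice FAIL
2023-10-01T12:00:02Z 203.0.113.5 bob FAIL
2023-10-01T12:00:03Z 203.0.113.5 carol FAIL
2023-10-01T12:00:04Z 203.0.113.5 dave FAIL
2023-10-01T12:00:05Z 203.0.113.5 erin FAIL
2023-10-01T12:00:06Z 203.0.113.5 frank OK
2023-10-01T12:05:00Z 198.51.100.1 victim FAIL
2023-10-01T12:06:00Z 198.51.100.2 victim FAIL
2023-10-01T12:07:00Z 198.51.100.3 victim FAIL
2023-10-01T12:08:00Z 198.51.100.4 victim OK
2023-10-01T12:09:00Z 192.0.2.10 ivan OK
2023-10-01T12:20:00Z 203.0.113.5 grace FAIL
2023-10-01T12:20:01Z 203.0.113.5 heidi OK
"""


def parse_log(text):
    """Parse the assumed log format into time-ordered dicts (ts, ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def naive_ip_block(events, threshold=5, window=timedelta(minutes=10),
                   block_for=timedelta(minutes=15)):
    """The expiring per-IP block the thread calls naive: an IP is blocked once it
    has `threshold` failures inside `window`, and released after `block_for`.
    Returns the requests it denied and the successful logins it let through."""
    recent_failures = defaultdict(list)
    blocked_until = {}
    denied, allowed_successes = [], []
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        if ts < blocked_until.get(ip, ts):  # still inside the block period
            denied.append((ip, ev["user"]))
            continue
        if ev["result"] == "OK":
            allowed_successes.append((ip, ev["user"]))
            continue
        recent = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
        recent_failures[ip] = recent
        if len(recent) >= threshold:
            blocked_until[ip] = ts + block_for
            recent_failures[ip] = []  # counter is gone once the block lifts
    return {"denied": denied, "allowed_successes": allowed_successes}


def stuffing_signals(events, min_accounts=3, min_ips=3):
    """Signals that do not depend on a single IP staying blocked:
    - an IP whose failures span many distinct accounts (spraying source)
    - an account whose failures arrive from many distinct IPs (distributed stuffing)
    - a successful login matching either, which is what should trigger the
      suspicious-login email or a step-up 2FA challenge."""
    users_per_ip, ips_per_user = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["result"] == "FAIL":
            users_per_ip[ev["ip"]].add(ev["user"])
            ips_per_user[ev["user"]].add(ev["ip"])
    spraying_ips = {ip for ip, u in users_per_ip.items() if len(u) >= min_accounts}
    targeted_users = {u for u, ips in ips_per_user.items() if len(ips) >= min_ips}
    suspicious = [(ev["ip"], ev["user"]) for ev in events
                  if ev["result"] == "OK"
                  and (ev["ip"] in spraying_ips or ev["user"] in targeted_users)]
    return {"spraying_ips": sorted(spraying_ips),
            "targeted_users": sorted(targeted_users),
            "suspicious_successes": suspicious}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(naive_ip_block(evs))
    print(stuffing_signals(evs))
```

On the sample log the per-IP block denies exactly one request (the success at 12:00:06) and then lets the same source back in at 12:20 once the block has expired, while the one-attempt-per-IP run against `victim` never trips it at all. The account- and IP-fan-out signals flag both of those successes, which is the point the thread makes: the second line of defence has to act on the account (notification, step-up 2FA), not only on the source address.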

        • hansl@lemmy.world · +2 / −1 · edited · 1 year ago

          It’s a cultural thing. My dad always taught me not to share secrets, including using different passwords for different people and websites.

          I don’t know if kids have internet lessons these days but it feels like that would be very useful; how to use social media, how to approach strange websites and how to recognize misinformation and look for sources online. Basically online-ed. Part of home economics I guess.