How people are so confident in sharing their DNA, something you cannot change, that you will carry on for your entire life, and that can uniquely identify you with just a small sample, to a private, profit-driven company still amazes me
And the worst part is, even if you’re careful about it, all that’s needed is a relative doing it and now the company can basically tell most of your family tree
And all for what, knowing the parents of the parents of your parents come from some neighboring country? No shit, Sherlock, people move around
What an absolute failure of the legal system to understand the issue at hand and appropriately assign liability.
Here’s an article with more context, but tl;dr the “hackers” used credential stuffing, meaning that they used username and password combos that were breached from other sites. The users were reusing weak password combinations and 23andme only had visibility into legitimate login attempts with accurate username and password combos.
Arguably 23andme should not have built out their internal data sharing service quite so broadly, but presumably many users are looking to find long lost relatives, so I understand the rationale for it.
Thus continues the long, sorrowful, swan song of the password.
What is your suggestion for a superior solution to the problems passwords solve?
Passkeys are becoming the industry standard. They are better in nearly every way, but would not have been possible before smartphones.
They are unique for each site, not breachable without also having a users device, not phishable, and can’t be weak by design.
Seems like a paltry amount, given what savvy social engineers could do with that data.
If you don’t use proper security practices, you should be on the hook for prison time at a minimum.
It should be $0 because this was a credential stuffing attack (Using breached passwords people reused), and affected people who knowingly shared their data with other people.
23&me didn’t leak data, they didn’t have any database breaches, their infrastructure wasn’t compromised due to negligence…etc The majority share of negligence is in the users here.
Yes, they should have MFA, but also no, most sites and services don’t force you to use MFA to begin with, and that’s not a regulatory requirement anyways.
This is, for the most part, the fault of the folks using terrible security practices such as refusing passwords and sharing their data with other users. And this is a shitty precedent to set where the technical reasons for this event are thrown out the window in favor of the politics of it.
Who would you jail? How would you decide whos responsible? You can’t jail the entire company.
But with a sufficient size fine you can make everyone at the company regret that decision, directly or indirectly.
Who would I jail? The C-officers. Your shit show, your responsibility. If you can’t trust your employees, figure out why or do the work yourself.
Didn’t even offer a refund it sounds like.
“Hey, I know we just fucked up and let a ton of personal information out into the wild. As compensation how would you like to keep using us?”