• unconfirmedsourcesDOTgov@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    71
    ·
    2 months ago

    What an absolute failure of the legal system to understand the issue at hand and appropriately assign liability.

    Here’s an article with more context, but tl;dr the “hackers” used credential stuffing, meaning that they used username and password combos that were breached from other sites. The users were reusing weak password combinations and 23andme only had visibility into legitimate login attempts with accurate username and password combos.

    Arguably 23andme should not have built out their internal data sharing service quite so broadly, but presumably many users are looking to find long lost relatives, so I understand the rationale for it.

    Thus continues the long, sorrowful, swan song of the password.

        • mosiacmango@lemm.ee
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          2 months ago

          Passkeys are becoming the industry standard. They are better in nearly every way, but would not have been possible before smartphones.

          They are unique for each site, not breachable without also having a users device, not phishable, and can’t be weak by design.

          • unconfirmedsourcesDOTgov@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            31
            ·
            2 months ago

            Agree that passkeys are the direction we seem to be headed, much to my chagrin.

            I agree with the technical advantages. Where passkeys make me uneasy is when considering their disadvantages, which I see primarily as:

            • Lack of user support for disaster recovery - let’s say you have a single smartphone with your passkeys and it falls off a bridge. You’d like to replace it but you can’t access any of your accounts because your passkey is tied to your phone. Now you’re basically locked out of the internet until you’re able to set up a new phone and sufficiently validate your identity with your identity provider and get a new passkey.
            • Consolidating access to one’s digital life to a small subset of identity providers. Most users will probably allow Apple/Google/etc to become the single gatekeeper to their digital identity. I know this isn’t a requirement of the technology, but I’ve interacted with users for long enough to see where this is headed. What’s the recourse for when someone uses social engineering to reset your passkey and an attacker is then able to fully assume your identity across a wide array of sites?
            • What does liability look like if your identity provider is coerced into sharing your passkey? In the past this would only provide access to a single account, but with passkeys it could open the door to a collection of your personal info.

            There’s no silver bullet for the authentication problem, and I don’t think the passkey is an exception. What the passkey does provide is relief from credential stuffing, and I’m certain that consumer-facing websites see that as a massive advantage so I expect that eventually passwords will be relegated to the tomes of history, though it will likely be quite a slow process.

          • Deceptichum@quokk.au
            link
            fedilink
            English
            arrow-up
            15
            ·
            edit-2
            2 months ago

            And if you lose your device, get fucked forever!

            Passkeys are passwords but worse.

            • mosiacmango@lemm.ee
              link
              fedilink
              English
              arrow-up
              7
              ·
              2 months ago

              Nope. The private key can be backed up, stored in an online password vault, copied automatically to other devices, whatever.

              There are good and simple answers to this issue.

            • sunbeam60
              link
              fedilink
              English
              arrow-up
              2
              ·
              2 months ago

              No.

              Most people will store in their ecosystem (Microsoft or Apple). Lose your device, recover via logging back into your service. That effectively means that logging in to your ecosystem is your “one password”. Of course you can shield that login with a passkey that sits in another instantiation of your account (laptop, home PC).

              The nerds will use a platform-neutral password manager (last pass, 1Password) etc. That is likely to either be protected by a strong password AND a recovery key (to print on paper) OR a passkey stored in your platform ecosystem.

              Personally I’m in 1Password, using a very long passphrase and a recovery key (two print outs, kept in two different locations).

              If you ONLY use one device to enter your ecosystem you do have some risk if it is passkey secured. The end of the chain ought to be a highly secure password that you never reuse anywhere else (your “one” password). Best to go completely random and write it down on paper.

              But the risk of never being able to access your ecosystem are really quite low.

              • Saik0@lemmy.saik0.com
                link
                fedilink
                English
                arrow-up
                2
                ·
                2 months ago

                Most people will store in their ecosystem (Microsoft or Apple). Lose your device, recover via logging back into your service.

                You’ll own nothing and be happy!

                • sunbeam60
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 months ago

                  Yeah it’s not for me but that’s a different point to “will they be locked out of their passkey storage”.

            • mosiacmango@lemm.ee
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              2 months ago

              We’ll its a private key, so just a few kb of data. You can likely put it on all sorts of devices. Most services that use it will require some of the above, so I doubt the usefulness, but the same goes for most passwords.

              Im curious how you access your passwords with the above criteria. Are you using a notepad with dozens/hundreds of unique passwords, some kind of dice based randomizer, or just a few passwords for many sites?

          • douglasg14b@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            ·
            edit-2
            2 months ago

            That’s literally just a long password that you can never recover your data from when you inevitably lose or forget it (remember we’re talking about the majority of users here who do not use password managers).

            • jdeath@lemm.ee
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              2 months ago

              there’s literally zero technical reason that a user couldn’t reset a private key the same as a password. after all, you just pointed out they are almost the same.

              edit: if you’d like to see an example create SSH keys for your GitHub account and then reset them

              • douglasg14b@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                2 months ago

                That’s… Literally just a long password.

                I assumed you were talking about a private key as in cryptographic private key, where your data is encrypted on the remote server and your private key is required for it to be decrypted and for you to use it.

                If you just talking about something to get into an SSH key then all that is is a longer password.

                • jdeath@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 months ago

                  not at all. are you expected to remember it? would it even be possible to memorize for most? not even close to the same thing, passwords have very low entropy which causes all their problems

      • Echo Dot@feddit.uk
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 months ago

        I don’t think it’s going to get much more broadly used than it is now. I work in cyber security and there have been password hacks like this since practically the beginning of the internet. It’s called a rainbow table attack, It mostly relies on the victims being complete idiots.

        You don’t even need to have a particularly secure password to be safe from it, you just have to have a unique one from site to site. Even if in other respects it’s relatively weak it will still defeat a rainbow table attack.

        The point is this stuff has been going on for decades and people are still making basic fundamental errors, so I can’t see how that’s going to change in the future. Maybe we should require everyone to take some sort of basic proficiency test before they’re allowed online.

  • Telorand@reddthat.com
    link
    fedilink
    English
    arrow-up
    23
    ·
    2 months ago

    Seems like a paltry amount, given what savvy social engineers could do with that data.

    If you don’t use proper security practices, you should be on the hook for prison time at a minimum.

    • douglasg14b@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      2 months ago

      It should be $0 because this was a credential stuffing attack (Using breached passwords people reused), and affected people who knowingly shared their data with other people.

      23&me didn’t leak data, they didn’t have any database breaches, their infrastructure wasn’t compromised due to negligence…etc The majority share of negligence is in the users here.

      Yes, they should have MFA, but also no, most sites and services don’t force you to use MFA to begin with, and that’s not a regulatory requirement anyways.

      This is, for the most part, the fault of the folks using terrible security practices such as refusing passwords and sharing their data with other users. And this is a shitty precedent to set where the technical reasons for this event are thrown out the window in favor of the politics of it.

      • Telorand@reddthat.com
        link
        fedilink
        English
        arrow-up
        8
        ·
        2 months ago

        Who would I jail? The C-officers. Your shit show, your responsibility. If you can’t trust your employees, figure out why or do the work yourself.

        • gsfraley@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          2 months ago

          I’ve always been hugely in favor of it. It’s the one change that could maybe justify their gargantuan salaries – if your company causes harm and suffering, the leaders absolutely need to be put on the hook.

  • Armok_the_bunny@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    2 months ago

    Didn’t even offer a refund it sounds like.

    “Hey, I know we just fucked up and let a ton of personal information out into the wild. As compensation how would you like to keep using us?”

  • isolatedscotch@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    2 months ago

    How people are so confident in sharing their DNA, something you cannot change, that you will carry on for your entire life, and that can uniquely identify you with just a small sample, to a private, profit-driven company still amazes me

    And the worst part is, even if you’re careful about it, all that’s needed is a relative doing it and now the company can basically tell most of your family tree

    And all for what, knowing the parents of the parents of your parents come from some neighboring country? No shit, Sherlock, people move around

    • Typotyper@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      My mom did it and paid for a free test for me too. Had them send it to my address. So even though I didn’t use the test I’m in their system, name and all.

    • Echo Dot@feddit.uk
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      I guess but if a shadowy company wanted my DNA they could get it easily enough even if I don’t hand it over to them so I’m not sure how much point there is in being protective of it. Anyway what are they going to do with it, that a medical company couldn’t do?

      The government already has my blood from back when they were doing medical testing, so it’s all a bit of a moot point anyway. Also an insurance companies took some blood and they did an MRI scan so they have my brain as well. Jokes on them if they choose to clone me, I’m bloody useless.