Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • Falcon@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    11 months ago

    users knowingly opted into a feature that had a clear privacy risk.

    Strong passwords often aren’t at issue, password re-use is. If un-{salted, hashed} passwords were compromised in a previous breach, then it doesn’t matter how strong those passwords are.

    Every user who was compromised:

    1. Put their DNA profile online
    2. Opted to share their information in some way

    A further subset of users failed to use a unique and strong password.

    A 2FA token (think Matrix) might have helped here, other than that, individuals need to take a greater responsibility for personal privacy. This isn’t an essential service like water, banking, electricity etc. This is a place to upload your DNA profile…

    • sudneo@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      11 months ago

      As I said elsewhere, the company implemented this feature and apparently did not do absolutely jack about the increased risk of account compromise deriving from it. If I would sit in a meeting discussing this feature I would immediately say that accounts which share data with others are way too sensitive and at least these should have 2fa enforced. If you don’t want it, you don’t share data. Probably the company does not have a good security culture and this was not done.

    • Hegar@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      11 months ago

      users knowingly opted into a feature that had a clear privacy risk.

      Your aunt who still insists she’s part Cherokee is not as capable of understanding data security risks as the IT department of the multi-million dollar that offered the ludicrously stupid feature in the first place.

      People use these sites once right? Who’s changing their password on a site they don’t log into anymore? Given that credential stuffing was inevitable and foreseeable, the feature is obviously a massive risk that shouldn’t have been launched.