this post was submitted on 08 Oct 2023
297 points (97.1% liked)

User data stolen from genetic testing giant 23andMe is now for sale on the dark web

User data from 23andMe accounts has been leaked and put up for sale on a dark web forum after what appeared to be a "credential stuffing" cyberattack.

[–] [email protected] 62 points 1 year ago (2 children)

Note: this was from password stuffing and is only profile data, not genetic.

Your genomics can only be downloaded from a link sent to your email account.

Don't reuse your passwords.

The only thing 23andme could have done to prevent this is 2fa.

[–] [email protected] 16 points 1 year ago (1 children)

The only thing 23andme could have done to prevent this is 2fa.

Not true. It's easy to detect hundreds of thousands of logins from VPN locations. Or parse that someone is logging in from thousands of miles away from their profile location and send an email. There are many simple things to implement that they could have done to protect your account with them. They took the easy route.

While the user does bear most of the blame, claiming that 23andme couldn't do anything else is strictly wrong.
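
The two heuristics the comment above describes (a source that hammers many accounts, and a login far from the account's stated location) can be run over an authentication log as plain batch detection. The following is an added example written for this thread, not code from the commenter or from 23andMe; the event rows, the profile coordinates, the IP addresses and the thresholds are all constructed for illustration, and the profile-location table is a hypothetical stand-in for whatever location a service stores on an account.

```python
"""Login-anomaly heuristics over a constructed authentication log.

Three checks, all defender-side:
  * far_from_profile   - successful login far from the account's stated location
  * impossible_travel  - two successful logins by one user that imply absurd speed
  * stuffing_sources   - one source IP trying many distinct accounts in a short window
and notifications(), which lists the accounts that should get a "was this you?" email.
All data below is constructed for the example; nothing is real 23andMe data.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source_ip, lat, lon, success).
SAMPLE_EVENTS = [
    ("2023-10-01T09:00:00", "alice", "198.51.100.7", 40.71, -74.01, True),   # New York
    ("2023-10-01T09:05:00", "alice", "198.51.100.7", 40.71, -74.01, True),
    ("2023-10-01T09:30:00", "alice", "203.0.113.9", 55.75, 37.62, True),     # Moscow, 25 min later
    ("2023-10-01T10:00:00", "bob", "198.51.100.8", 51.51, -0.13, True),      # London
]
# Constructed burst: one source tries 60 different accounts in one minute, a few succeed.
SAMPLE_EVENTS += [
    (f"2023-10-01T11:00:{i:02d}", f"user{i:03d}", "203.0.113.50", 37.77, -122.42, i % 20 == 0)
    for i in range(60)
]

# Hypothetical per-account "profile location" (lat, lon), e.g. from account settings.
PROFILE_LOCATION = {"alice": (40.71, -74.01), "bob": (51.51, -0.13)}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def far_from_profile(events, profile, max_km=1000.0):
    """Successful logins more than max_km from the user's stated location."""
    hits = []
    for ts, user, ip, lat, lon, ok in events:
        if not ok or user not in profile:
            continue  # failed attempts and accounts without a location are skipped here
        plat, plon = profile[user]
        dist = haversine_km(lat, lon, plat, plon)
        if dist > max_km:
            hits.append((user, ip, round(dist)))
    return hits


def impossible_travel(events, max_kmh=1000.0, min_km=50.0):
    """Consecutive successful logins by one user that imply speed above max_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon, ok in events:
        if ok:
            by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    hits = []
    for user, rows in by_user.items():
        rows.sort()
        for (t0, ip0, la0, lo0), (t1, ip1, la1, lo1) in zip(rows, rows[1:]):
            hours = max((t1 - t0).total_seconds() / 3600, 1 / 60)  # floor at one minute
            km = haversine_km(la0, lo0, la1, lo1)
            if km > min_km and km / hours > max_kmh:
                hits.append((user, ip0, ip1, round(km / hours)))
    return hits


def stuffing_sources(events, window=timedelta(minutes=10), min_users=20):
    """Source IPs that touch at least min_users distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ts, user, ip, *_ in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = []
    for ip, rows in by_ip.items():
        rows.sort()
        best, start = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({u for _, u in rows[start:end + 1]}))
        if best >= min_users:
            hits.append((ip, best))
    return hits


def notifications(events, profile):
    """Accounts that should receive a non-blocking 'was this you?' email."""
    users = {u for u, *_ in far_from_profile(events, profile)}
    users |= {u for u, *_ in impossible_travel(events)}
    return sorted(users)


if __name__ == "__main__":
    print("far from profile:", far_from_profile(SAMPLE_EVENTS, PROFILE_LOCATION))
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
    print("stuffing sources:", stuffing_sources(SAMPLE_EVENTS))
    print("notify:", notifications(SAMPLE_EVENTS, PROFILE_LOCATION))
```

The distance and velocity checks only see successful logins, which is why they produce an alert for the account rather than a block on the source; the per-IP distinct-account count is the signal that is specific to credential stuffing, since a legitimate user rarely tries dozens of different usernames from one address in a few minutes. The thresholds here are arbitrary and would need tuning against a real service's baseline of shared egress addresses (office NAT, carrier-grade NAT, VPN exits) before being used to block anything.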

[–] [email protected] 16 points 1 year ago (1 children)

Preventing these kinds of attacks is a nontrivial problem space and is the exact reason why scraping services are a lucrative business.

It is not trivial to prevent dark web actors from using botnets to make requests and it is comparatively inexpensive to access botnets as a service.

Sending emails for suspicious login is 2fa, by the way.

[–] [email protected] -3 points 1 year ago (1 children)

It is not trivial

And yet I just explained to you two ways to do it real easily that I've implemented into several platforms. It has been trivial.

Sending emails for suspicious login is 2fa, by the way.

Only if you actually block login until the link is clicked in the email. Just sending an email is not 2fa. You don't need to specifically block the user, a notification would be sufficient for many users to understand "Wait... I didn't log in, I should change my password immediately."

[–] [email protected] 5 points 1 year ago (1 children)

If you think that IP blocking stops credential stuffing you really are out of your depth.

Would it stop this guy if he was some skid just running Kali? Absolutely.

But it ain't going to stop anyone more determined. Especially since you're going to let those blocks expire to avoid blocking legitimate customers. A patient opposition with minimal resources will get by that kind of naive approach.

Not only that but you have 0 evidence they didn't IP block. They absolutely could have standard protocols in place but anything short of 2fa is inherently vulnerable.

[–] [email protected] -4 points 1 year ago (1 children)

If you want to move goalposts... Then fine. But I won't engage in that bullshit.

It IS trivial to implement. It is literally a non-zero thing they could have implemented but chose not to. That's all I've claimed.

Go strawman someone else.

If you think that IP blocking stops credential stuffing you really are out of your depth.

You can slow it way the fuck down though if you do it right. But nah, I'm out of my depth supposedly. You sound like a fucking tool.

[–] [email protected] 3 points 1 year ago

I think what he was trying to say is that implementing those strategies would deter 90% of rookies (using kali toolkit as a service), but not the 10% who've got the right technical knowledge and enough motivation to clamp down on what they want.

[–] [email protected] 3 points 1 year ago (1 children)

Or, and hear me out, don’t reuse passwords.

[–] [email protected] 14 points 1 year ago (1 children)

That's what users could have done, not the site.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

It’s a cultural thing. My dad always taught me not to share secrets, including different passwords to different people and websites.

I don’t know if kids have internet lessons these days but it feels like that would be very useful; how to use social media, how to approach strange websites and how to recognize misinformation and look for sources online. Basically online-ed. Part of home economics I guess.