this post was submitted on 24 Jan 2024
129 points (97.8% liked)

Privacy

1222 readers
158 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
Ategon@programming.dev
danielintempesta@programming.dev
129
Genetic testing giant 23andMe is reportedly turning the blame back on its customers for its recent data breach (www.businessinsider.com)
submitted 9 months ago by sizeoftheuniverse@programming.dev to c/privacy@programming.dev
26 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] MrCookieRespect@reddthat.com 4 points 9 months ago (18 children)

Bro the data wasn't breached, someone just took already available passwords and tried them. It is their fault for using the same password everywhere.

And im not defending the company here, fuck em but thats definitely not on them.

[–] tiramichu@lemm.ee 32 points 9 months ago* (last edited 9 months ago) (15 children)

23 and Me are technically correct in that it's customer behaviour that caused the issue. People reused passwords and didn't use MFA.

They can claim the moral high ground if they like and shift the blame, but the truth is that regardless of WHY the breach happened, it was still a breach and it still happened!

As a software engineer, I believe there's a real argument to be made here that 23 and Me were negligent in their approach. Given the personal nature of data stored they should have enforced MFA from the start, but they did not. They made an explicit decision to choose customer convenience above customer security.

The argument that customers should have made better security decisions is evasive bullshit.

As a software engineer you cannot trust customers to take correct decisions about security. And customers should not be expected to either - they are not the experts! It's the job of IT professionals to ensure that data has an appropriate level of protection so that it is safeguarded even against naive user behaviour.

[–] Pastaguini@hexbear.net 8 points 9 months ago

My mom used 23 and me last year and created an account with 2FA. Their 2FA fucked up and never sent the code. She spent weeks on the phone with customer service but they just shuffled her around. I tried to talk to them but it was just “I’ll escalate this to my manager” and then they’d never call back. Then we tried to get a refund and they refused, so they basically stole 40 bucks from my mom. They probably never enforced 2FA because they knew it didn’t work and didn’t want to bog down their nonexistent customer service with complaints about their fucked up 2FA. I looked online and my mom wasn’t the only one with this issue. So in that sense, they are responsible IMO.

load more comments (14 replies)
load more comments (16 replies)