23andMe agrees to $30M settlement for breach lawsuit

unconfirmedsourcesDOTgov , 4 hours ago

What an absolute failure of the legal system to understand the issue at hand and appropriately assign liability.

Here’s an article with more context, but tl;dr the “hackers” used credential stuffing, meaning that they used username and password combos that were breached from other sites. The users were reusing weak password combinations and 23andme only had visibility into legitimate login attempts with accurate username and password combos.

Arguably 23andme should not have built out their internal data sharing service quite so broadly, but presumably many users are looking to find long lost relatives, so I understand the rationale for it.

Thus continues the long, sorrowful, swan song of the password.

jdeath , 3 hours ago

passwords were maybe the dumbest idea ever invented

unconfirmedsourcesDOTgov , 2 hours ago

What is your suggestion for a superior solution to the problems passwords solve?

mosiacmango , 2 hours ago (edited 2 hours ago)

Passkeys are becoming the industry standard. They are better in nearly every way, but would not have been possible before smartphones.

They are unique for each site, not breachable without also having a users device, not phishable, and can’t be weak by design.

Deceptichum , 2 hours ago (edited 2 hours ago)

And if you lose your device, get fucked forever!

Passkeys are passwords but worse.

mosiacmango , 1 hour ago

Nope. The private key can be backed up, stored in an online password vault, copied automatically to other devices, whatever.

There are good and simple answers to this issue.

unconfirmedsourcesDOTgov , 2 hours ago

Agree that passkeys are the direction we seem to be headed, much to my chagrin.

I agree with the technical advantages. Where passkeys make me uneasy is when considering their disadvantages, which I see primarily as:

• Lack of user support for disaster recovery - let’s say you have a single smartphone with your passkeys and it falls off a bridge. You’d like to replace it but you can’t access any of your accounts because your passkey is tied to your phone. Now you’re basically locked out of the internet until you’re able to set up a new phone and sufficiently validate your identity with your identity provider and get a new passkey.
• Consolidating access to one’s digital life to a small subset of identity providers. Most users will probably allow Apple/Google/etc to become the single gatekeeper to their digital identity. I know this isn’t a requirement of the technology, but I’ve interacted with users for long enough to see where this is headed. What’s the recourse for when someone uses social engineering to reset your passkey and an attacker is then able to fully assume your identity across a wide array of sites?
• What does liability look like if your identity provider is coerced into sharing your passkey? In the past this would only provide access to a single account, but with passkeys it could open the door to a collection of your personal info.

There’s no silver bullet for the authentication problem, and I don’t think the passkey is an exception. What the passkey does provide is relief from credential stuffing, and I’m certain that consumer-facing websites see that as a massive advantage so I expect that eventually passwords will be relegated to the tomes of history, though it will likely be quite a slow process.

jdeath , 24 minutes ago

private keys, etc

Telorand , 6 hours ago

Seems like a paltry amount, given what savvy social engineers could do with that data.

If you don’t use proper security practices, you should be on the hook for prison time at a minimum.

helenslunch , 5 hours ago

Who would you jail? How would you decide whos responsible? You can’t jail the entire company.

But with a sufficient size fine you can make everyone at the company regret that decision, directly or indirectly.

Telorand , 4 hours ago

Who would I jail? The C-officers. Your shit show, your responsibility. If you can’t trust your employees, figure out why or do the work yourself.

gsfraley , 4 hours ago

I’ve always been hugely in favor of it. It’s the one change that could maybe justify their gargantuan salaries – if your company causes harm and suffering, the leaders absolutely need to be put on the hook.

Damage , 1 hour ago

You punish everyone in proportion to their responsibility

helenslunch , 22 minutes ago

But they’re not suggesting they be punished at all…

helenslunch , 4 hours ago

So all the people who actually make the decisions walk away scot-free?

Telorand , 3 hours ago

I didn’t say that. However, if delegation is too risky, do the work yourself.

Armok_the_bunny , 6 hours ago

Didn’t even offer a refund it sounds like.

“Hey, I know we just fucked up and let a ton of personal information out into the wild. As compensation how would you like to keep using us?”