this post was submitted on 03 Jan 2024
824 points (94.1% liked)


Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

[–] capital@lemmy.world 77 points 10 months ago (5 children)

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

Turns out, it is.

What should a website do when you present it with correct credentials?

[–] Thann@lemmy.ml 39 points 10 months ago (2 children)
  1. IP based rate limiting
  2. IP locked login tokens
  3. Email 2FA on login with new IP
[–] Umbraveil@lemmy.world 21 points 10 months ago* (last edited 10 months ago)

IP-based mitigation strategies are pretty useless for ATO and credential stuffing attacks.

These days, botnets for hire are easy to come by and you can rotate your IP on every request, limiting your controls to simply blocking known bad IPs and data server IPs.

[–] CommanderCloon@lemmy.ml 13 points 10 months ago (2 children)
  1. The attackers used IPs situated in their victims' regions to log in, across months, bypassing rate limiting or region locks / warnings

  2. I don't know if they did but it would seem trivial to just use the tokens in-situ once they managed to log in instead of saving and reusing said tokens. Also those tokens are the end user client tokens, IP locking them would make people with dynamic IPs or logged in 5G throw a fuss after the 5th login in half an hour of subway

  3. Yeah 2FA should be a default everywhere but people just throw a fuss at the slightest inconvenience. We very much need 2FA to become the norm so it's not seen as such

[–] unphazed@lemmy.world 3 points 10 months ago

2 factor beats the hell outta that "match the horse with the direction of the arrow 10x" bs

[–] Fiivemacs@lemmy.ca 3 points 10 months ago (1 children)

I'm cool with 2fa, I'm not cool with a company demanding my cellphone number to send me SMS for 2fa or to be forced to get a 2fa code via email...like my bank. I can ONLY link 2fa to my phone. So when my phone goes missing or stolen, I can't access my bank. Only time I have resisted 2fa is when this poorly implemented bullshit happens.

[–] JackbyDev@programming.dev 2 points 10 months ago

Pro tip, when making a new Google account and putting your phone number in be sure to look into more options. There is a choice to only use it for 2fa and not for data linking.

[–] Hegar@kbin.social 37 points 10 months ago* (last edited 10 months ago) (2 children)

What should a website do when you present it with correct credentials?

Not then give you access to half their customers' personal info?

Credential stuffing 1 grandpa who doesn't understand data security shouldn't give me access to names and genetics of 500 other people.

That's a shocking lack of security for some of the most sensitive personal data that exists.

[–] capital@lemmy.world 10 points 10 months ago

You either didn’t read or just really need this to be the company’s fault.

Those initial breaches led to more info being leaked because users chose to share data with those breached users before their accounts were compromised.

When you change a setting on a website do you want to have to keep setting it back to what you want or do you want it to stay the first time you set it?

[–] jimbo@lemmy.world 4 points 10 months ago (2 children)

Not then give you access to half their customers’ personal info?

That's a feature of the service that you opt into when you're setting up your account. You're not required to share anything with anyone, but a lot of people choose to. I actually was able to connect with a half-sibling that I knew I had, but didn't know how to contact, via that system.

[–] Hegar@kbin.social 1 points 10 months ago (1 children)

Hi! If you've used it, there's something I was curious about - how many people's names did it show you?

If 50%+ of the 14000 had the feature enabled, it was showing an average of 500-1000 "relatives". Was that what you saw? What degree of relatedness did they have?

I don't think that opting in changes a company's responsibility to not launch a massive, inevitable data security risk, but tbh I'm less interested in discussing who's to blame than I am in hearing more about your experience using the feature. Thanks in advance!

[–] jimbo@lemmy.world 1 points 10 months ago* (last edited 10 months ago)

This list shows 1500 people for me. I assume that's just some arbitrary limit to the number of results. There's significant overlap in the relationship lists, so the total number of people with data available is less than the (14000 x 0.5 x 1500) the math might indicate.

My list of possible relations goes from 25% to 0.28% shared DNA. That's half-sibling down to 4th cousin (shared 3rd-great-grandparents).

The only thing I can see for people who I haven't "connected" with is our shared ancestry and general location (city or state) if they share it. I can see "health reports" if the person has specifically opted to share it with me after "connecting".

[–] ADTJ@feddit.uk 35 points 10 months ago (1 children)

What should it do? It should ask you to confirm the login with a configured 2FA

[–] capital@lemmy.world 22 points 10 months ago (3 children)

Yeah they offered that. I don’t think anyone with it turned on was compromised.

[–] rainerloeten@lemmy.world 22 points 10 months ago* (last edited 10 months ago) (2 children)

This shouldn't be "offered" IMHO, this should be mandatory. Yes, people are very ignorant about cyber security (I've studied in this field, trust me, I know). But the answer isn't to put the responsibility on the user! It is to design products and services which are secure by design.

If someone is actually able to crack accounts via brute-forcing common passwords, you did not design a secure service/product.

[Edit: spelling]

[–] Eezyville@sh.itjust.works 28 points 10 months ago (3 children)

I've noticed that many users in this thread are just angry that the average person doesn't take cybersecurity seriously. Blaming the user for using a weak password. I really don't understand how out of touch these Lemmy users are. The average person is not thinking of cybersecurity. They just want to be able to log into their account and want a password to remember. Most people out there are not techies, don't really use a computer outside of office work, and even more people only use a smartphone. It's on the company to protect user data because the company knows its value and will suffer from a breach.

[–] miss_brainfart@lemmy.ml 2 points 10 months ago (1 children)

You're right, most people either don't care, or don't even know enough to care in the first place.

And that's a huge problem. Yes, companies have some responsibility here, but ultimately it's the user who decides to use the service, and how to use it.

[–] TheActualDevil@lemmy.world 4 points 10 months ago (1 children)

don’t even know enough to care in the first place.

but ultimately it’s the user who decides to use the service, and how to use it.

So you admit they don't have access to the knowledge needed to make better choices for their digital security. Then immediately blame them. I think you're biased from the point of view of one that is already more informed on this sort of thing. If they don't know they need to know more, how can they be expected to do any research? There's only so much time in a day so you can't expect people to learn "enough" about literally everything.

[–] miss_brainfart@lemmy.ml 3 points 10 months ago

I don't intend to blame them, I'm just making an observation.

The fact that they don't know is a problem in itself too, and spreading awareness about cybersecurity and teaching general tech literacy and common sense is not done as much as it should be.

It's exactly like you say. They don't know, and how would they? No one is ever giving them the information they need.

[–] BetaSalmon@lemmy.world 2 points 10 months ago (3 children)

How should the company be protecting user data, when, like you said, the average person doesn't take cybersecurity seriously, is not a techie, doesn't use a computer outside the office, and just wants to log into their account with a password they remember?

Are you basically just saying the company should've enforced 2FA? Or maybe one of those "confirm you're logging in" emails, every time they want to log in?

[–] Adalast@lemmy.world 4 points 10 months ago (1 children)

From what I'm seeing, the hackers used the weak password accounts to access a larger vulnerability once they were behind the curtain. The company I work for deals with sensitive proprietary data daily and we are keenly aware that individuals should never have an opportunity to access the information of any other user. Things like single-user quarantining of data blocks are a minimum for security. Users log in and live on their own private island floating in a void. On top of that, use behavior tracking to detect access patterns that attempt to exit the void and revoke credentials. That is also not even remotely mentioning that you have a single point of access entering thousands of accounts. That on its own should be throwing enough red flags to pull down the webserver for a few minutes to hours. There is a lot they could have done.

[–] JohnEdwa@sopuli.xyz 4 points 10 months ago* (last edited 10 months ago)

It wasn't exploiting a vulnerability, they gained access to other people's data because the site has a deliberate feature to share your data with your relatives if both have allowed that. That's why the term used is "scraped", they copied what the site showed.
When someone logs in to a Facebook account, it's not a vulnerability that they can now see all of the info their friends have set to "friends only", essentially.

Also they used a botnet so the login attempts weren't suspicious enough to do anything about - they weren't brute forcing a single user multiple times, but each trying once with the correct password.
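The pattern JohnEdwa, Umbraveil and CommanderCloon describe (one attempt per account, each from a different botnet IP, so a per-account lockout never fires) as an added example of what a defender measures instead; this is not code from the thread or from the breached company, and the log lines, IP addresses and known-IP baseline are constructed:

```python
from collections import Counter

# Constructed auth log (not real data): timestamp account src_ip result
LOG = """\
2024-01-03T10:00:01 alice 203.0.113.10 ok
2024-01-03T10:00:02 bob 198.51.100.7 ok
2024-01-03T10:00:03 carol 192.0.2.44 fail
2024-01-03T10:00:04 dave 203.0.113.200 ok
2024-01-03T10:00:05 erin 198.51.100.90 ok
2024-01-03T10:00:06 frank 192.0.2.3 ok
2024-01-03T10:00:07 grace 203.0.113.77 ok
2024-01-03T10:00:08 heidi 198.51.100.120 fail
2024-01-03T10:00:09 ivan 192.0.2.99 ok
2024-01-03T10:00:10 judy 203.0.113.5 ok
"""
# Constructed baseline: IPs each account has successfully used before.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "frank": {"192.0.2.3"}}

def parse(log):
    """Split each line into (timestamp, account, src_ip, success)."""
    rows = []
    for line in log.splitlines():
        ts, acct, ip, res = line.split()
        rows.append((ts, acct, ip, res == "ok"))
    return rows

def per_account_lockouts(rows, max_attempts=5):
    """Classic brute-force control: accounts with more than N attempts."""
    counts = Counter(acct for _, acct, _, _ in rows)
    return sorted(a for a, n in counts.items() if n > max_attempts)

def window_stats(rows, known=KNOWN_IPS):
    """Aggregate numbers for one window of login events."""
    per_acct = Counter(acct for _, acct, _, _ in rows)
    new_ip_ok = sum(1 for _, a, ip, ok in rows
                    if ok and ip not in known.get(a, set()))
    return {"attempts": len(rows), "accounts": len(per_acct),
            "src_ips": len({ip for _, _, ip, _ in rows}),
            "single_try_accounts": sum(1 for n in per_acct.values() if n == 1),
            "new_ip_successes": new_ip_ok}

def looks_like_stuffing(stats, min_accounts=10, min_new_ip_ok=5):
    """Many accounts, one try each, spread over many source IPs, with
    successes from IPs never seen for those accounts."""
    return (stats["accounts"] >= min_accounts
            and stats["single_try_accounts"] == stats["accounts"]
            and stats["src_ips"] >= stats["accounts"] // 2
            and stats["new_ip_successes"] >= min_new_ip_ok)
```

On the constructed window the per-account control returns nothing, while the aggregate view shows ten accounts, ten source IPs, one attempt each and six first-time-IP successes.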

[–] psud@lemmy.world 2 points 10 months ago

Yes, one of those "confirm it's you" emails. They're less intrusive than regular 2FA, and are only needed when a user logs in from a machine without the right cookie
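The "right cookie" check psud describes, as an added example rather than any site's real implementation: a signed, user-bound, expiring device cookie decides whether a correct password is enough or whether a "confirm it's you" email is sent first. The key, cookie layout and function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example: a real deployment keeps this in a secret store.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_TTL = 90 * 24 * 3600  # how long a confirmed device stays "known"

def issue_device_cookie(user_id, now=None, key=SERVER_KEY):
    """Set after the user clicks the confirmation link on a new device.
    The cookie is bound to the user and expires, so it cannot be replayed
    for another account or forever."""
    exp = int(now if now is not None else time.time()) + DEVICE_TTL
    payload = f"{user_id}:{exp}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"

def device_is_known(cookie, user_id, now=None, key=SERVER_KEY):
    """True only for an untampered, unexpired cookie issued to this user."""
    if not cookie:
        return False
    try:
        uid, exp, tag = cookie.rsplit(":", 2)
        exp = int(exp)
    except ValueError:
        return False
    expect = hmac.new(key, f"{uid}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag):  # constant-time comparison
        return False
    t = now if now is not None else time.time()
    return uid == user_id and exp > t

def login_decision(password_ok, cookie, user_id, now=None):
    """A correct password alone is not enough from an unknown device."""
    if not password_ok:
        return "deny"
    if device_is_known(cookie, user_id, now):
        return "ok"
    return "confirm_email"  # send the confirmation link, then issue a cookie
```

A cookie copied from one user's browser does not unlock another account, and an expired or edited cookie falls back to the email step.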

[–] rainerloeten@lemmy.world 1 points 10 months ago

Hello, as I said, it's about "security by design", which means to design a system that 'doesn't allow for insecure things' in the first place. Like a microwave oven doesn't operate when the door is open. IT-/cyber-security is a complex field, but 2FA is a good place to start, regarding user facing services. There are lots more things than that of course.

[–] rainerloeten@lemmy.world 1 points 10 months ago (1 children)

That's exactly right. I was about to say how people usually don't even "not take it seriously" but rather don't even think or know about it. But you already said that yourself haha :D

[–] CoggyMcFee@lemmy.world 3 points 10 months ago* (last edited 10 months ago) (1 children)

Or, worse, they don’t even understand it. I definitely have people in my life who know about the idea of cybersecurity and are terrified of getting hacked, but constantly do things the wrong way or worry about the wrong things. Because it’s just too confusing for them, and it’s always changing.

[–] rainerloeten@lemmy.world 1 points 10 months ago* (last edited 10 months ago)

Just use a VPN bro and you're fine /s

[–] capital@lemmy.world -1 points 10 months ago* (last edited 10 months ago) (1 children)

Fuck mandatory 2FA. Most sites just throw SMS on there and leave it at that. I’m so tired of putting yet more of my information into services that don’t require it to utilize the service.

If TOTP was more prevalent (getting there) I might agree but then we’d be talking about how the typical user doesn’t know how to set that up.

[–] sudneo@lemmy.world 2 points 10 months ago (1 children)

Companies pay for SMS, TOTP is free for them (just a computation...). It is utterly dumb to implement the same logic with a paid service rather than TOTP (or security keys, at this point). So yeah, I agree with the idea, but I think nowadays most 2fa is TOTPs (sadly, some require their shitty apps to do just that - Blizzard once was one of them, maybe still is).

[–] capital@lemmy.world 1 points 10 months ago

It’s a thinly veiled method to gather more info from users when SMS is the only option.

[–] kattenluik@feddit.nl 3 points 10 months ago

2FA should be forced, it's not a hard thing to do.

[–] postmateDumbass@lemmy.world 1 points 10 months ago

Too bad biometric data couldn't be used....

[–] KairuByte@lemmy.dbzer0.com 29 points 10 months ago (2 children)

So… we are ignoring the 6+ million users who had nothing to do with the 14 thousand users, because convenience?

Not to mention, the use of “brute force” there insinuates that the site should have had password requirements in place.

[–] capital@lemmy.world 14 points 10 months ago (1 children)

Please excuse the rehash from another of my comments:

How do you people want options on websites to work?

These people opted into information sharing.

When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

[–] KairuByte@lemmy.dbzer0.com 0 points 10 months ago (1 children)

I admit, I’ve not used the site so I don’t know the answers to the questions I would need, in order to properly respond:

  • Were these opt-in or opt-out?
  • Were the risks made clear?
  • Were the options fine tuned enough that you could share some info, but not all?

From the sounds of it, I doubt enough was done by the company to ensure people were aware of the risks. Because so many people were shocked by what was able to be skimmed.

[–] capital@lemmy.world 0 points 10 months ago

I’m convinced that everyone pissed at the company for users reusing passwords has a reading comprehension problem because I definitely already answered your first question in the comment you responded to.

I haven’t used the service either - I don’t want more of my data out there. So I can’t answer the other questions.

Users were probably not thinking about the implications of a breach after sharing but it stands to reason that if you share data with an account, and that account gets compromised, your data is compromised.

We’ve all been through several of those from actual hacks at other companies (looking at you, T-Mobile). I refuse to believe people aren’t aware of this general issue by now.

[–] platypus_plumba@lemmy.world 9 points 10 months ago* (last edited 10 months ago)

It was credential stuffing. Basically these people were hacked in other services. Those services probably told them "Hey, you need to change your password because our database was hacked" and then they were like "meh, I'll keep using this password and won't update my other services that this password and personally identifiable information about myself and my relatives".

Both are at fault, but the users reusing passwords with no MFA are dumb as fuck.

[–] jimbo@lemmy.world 4 points 10 months ago (1 children)

by brute-forcing accounts with passwords that were known

That's not what "brute force" means.

[–] capital@lemmy.world 3 points 10 months ago