Latest catastrophic data breach involves a company storing some of the most sensitive possible information about individuals. There will be no consequences apart from damaging those people's lives, of course -- because there is no accountability for any of this.
This is a government failure in the end -- and there's little sign that our leaders care at all.
@dangillmor Would need to make companies liable.
@jgordon @dangillmor seems like credentials were stolen in other breaches and people didn't use 2FA? The one problem is also exposing people who signed up for that discovery feature...
@jgordon @dangillmor And make their executives liable as well.
@dangillmor I agree that companies should be responsible, but in this case 23andme wasn't breached. Their privacy policy could have been a problem, perhaps that's what you are saying?
The article says the users' credentials were stolen in data breaches of other sites then used to access 23andme accounts because the users reused credentials and didn't use the 2FA feature provided by 23andme. There's no way a company can prevent this other than to require 2FA.
@dangillmor I don't think this specific case is a failure of 23andMe or the US government.
In a credential stuffing attack, the villain simply tried signing into 23andMe using the victim’s email and password combination from another service’s security breach.
The responsibility is shared by the first website that was breached and the victim for reusing a password.
The US government already recommends using multi-factor authentication, which 23andMe offers, and not reusing passwords.
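Added example, not code from 23andMe or from anyone in this thread: the credential stuffing pattern described above, as it looks from the defender's side in a login log. The log format, the sample lines, the IP addresses and the thresholds are all constructed for illustration. The point it shows is the one the thread makes: a stuffing source fails against most accounts, succeeds only where the victim reused a password, and is stopped where the account had 2FA turned on.

```python
"""Credential-stuffing detection over constructed login-log lines.

Added example; not code from 23andMe or any poster in the thread.
Log format (assumed): ts,source_ip,account,result
result is one of: fail, success, mfa_required
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 203.0.113.7 is the stuffing source: one try per
# account, two hits on reused passwords, one account saved by 2FA.
# 198.51.100.4 is a legitimate user retyping their own password.
SAMPLE_LOG = """\
1696300000,203.0.113.7,alice@example.com,fail
1696300001,203.0.113.7,bob@example.com,fail
1696300002,203.0.113.7,carol@example.com,success
1696300003,203.0.113.7,dave@example.com,fail
1696300004,203.0.113.7,erin@example.com,mfa_required
1696300005,203.0.113.7,frank@example.com,fail
1696300006,203.0.113.7,grace@example.com,fail
1696300007,203.0.113.7,heidi@example.com,success
1696300010,198.51.100.4,alice@example.com,fail
1696300025,198.51.100.4,alice@example.com,success
1696300030,192.0.2.9,ivan@example.com,success
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    successes: int = 0
    mfa_blocked: int = 0
    accounts: set = field(default_factory=set)
    compromised: set = field(default_factory=set)


def parse_log(text):
    """Parse the assumed CSV-style log into (ts, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split(",")
        events.append((int(ts), ip, account, result))
    return events


def aggregate(events):
    """Tally attempts, outcomes and distinct target accounts per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, account, result in events:
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if result == "fail":
            s.failures += 1
        elif result == "success":
            s.successes += 1
            s.compromised.add(account)
        elif result == "mfa_required":
            # Password was right, but 2FA stopped the login.
            s.mfa_blocked += 1
    return stats


def detect_stuffing(events, min_attempts=5, min_distinct_ratio=0.8):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    A stuffing run tries many different accounts, roughly once each, so the
    ratio of distinct accounts to attempts is close to 1. A user who forgot
    their password hammers one account, so the ratio is close to 0.
    Thresholds are assumptions for this example, not tuned values."""
    flagged = {}
    for ip, s in aggregate(events).items():
        if s.attempts < min_attempts:
            continue
        if len(s.accounts) / s.attempts >= min_distinct_ratio:
            flagged[ip] = s
    return flagged


def compromised_accounts(events):
    """Accounts that a flagged stuffing source actually logged into:
    these are the reused-password, no-2FA accounts and need a forced reset."""
    out = set()
    for s in detect_stuffing(events).values():
        out |= s.compromised
    return sorted(out)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, s in detect_stuffing(events).items():
        print(f"{ip}: {s.attempts} attempts on {len(s.accounts)} accounts, "
              f"{s.failures} failed, {s.successes} succeeded, {s.mfa_blocked} stopped by 2FA")
    print("reset these:", compromised_accounts(events))
```

Run as-is and it flags only 203.0.113.7; the two accounts it got into are exactly the ones whose owners reused a password and had no 2FA, which is the population the thread is talking about.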
@dangillmor people should consider all sites that don’t use two-factor authentication as compromised.