this post was submitted on 09 Dec 2023
299 points (89.0% liked)

Technology

59197 readers
3234 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

DNA companies should receive the death penalty for getting hacked | TechCrunch::Personal data is the new gold. The recent 23andMe data breach is a stark reminder of a chilling reality -- our most intimate, personal information might

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 69 points 11 months ago* (last edited 11 months ago) (29 children)

Maybe you shouldn't use the same user+pass across dozens of different services then.

The data from 23 and Me was stolen using the legitimate login credentials of users acquired from an entirely different services data breach. Not via their own lax security policies.

You can't expect a corporation to protect you from yourself. And they certainly shouldn't be punished for your ineptitude.

Don't get me wrong, these corporations are not your friends, and shouldn't be trusted implicitly; but you have some responsibilities too.

/edit:

But when the chips are down and our data is leaked, they hide behind the old “we were not hacked; it was the users’ old passwords” excuse.

This logic is equivalent to a bank saying, “It’s not our fault your money got stolen; you should have had a better lock on your front door.” It’s unacceptable and a gross abdication of responsibility.

I completely disagree with this point. The service obviously has to provide you with access to your information/account. If you give out your login credentials for that access to a third party (another service), that third party loses your information, and it's then used to access stuff posing as you. That's your fault. You should not have shared (re-used) those same login credentials with others.

[–] [email protected] 22 points 11 months ago (25 children)

Well they should have 2fa, but yes, if that's the case I agree with you.

Use Bitwarden or KeePass

[–] [email protected] 12 points 11 months ago* (last edited 11 months ago) (24 children)

Unfortunately, even that's not enough. That's often a user choice to enable, and otp itself is a flawed system. (be that email, sms, or timed)

Really, services should be transitioning to Passkeys, however adoption of a new standard always takes time. There are not a huge number of services that have implemented them yet. Here's a list

[–] [email protected] 4 points 11 months ago

The first link is basically an "advertisment hidden in a normal, professional-looking article". All they're saying is how these ways are not secure, but most importanly, how their solution is more secure, published under their own site.

When you take this into account, their claims start to break down: while yes, email and SMS MFA might be inherently less secure since the code could be transmitted via an insecure channel, saying TOTP is not not secure because "you device can be hacked" is a kinda bad take: if your device is already hacked, you'd have a much bigger problem: even if you are using security keys, the hacker would already have access to whatever service you might be trying to protect. As for the lost/stolen case mentioned in the article, if you put TOTP code in a password manager (as most would probably do if they're doing this), that shouldn't be a problem. The only way this would be a problem is that the TOTP secret is stored in plain text, which would be the same for any authentication methods.

load more comments (23 replies)
load more comments (23 replies)
load more comments (26 replies)