Technology

57472 readers

3671 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

844

23andMe tells victims it's their fault that their data was breached | TechCrunch (techcrunch.com)

submitted 7 months ago by Eezyville to c/[email protected]

278 comments fedilink hide all child comments

Hope this isn't a repeated submission. Funny how they're trying to deflect blame after they tried to change the EULA post breach.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 78 points 7 months ago (40 children)

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

Turns out, it is.

What should a website do when you present it with correct credentials?

[–] [email protected] 40 points 7 months ago (5 children)

IP based rate limiting
IP locked login tokens
Email 2FA on login with new IP

[–] [email protected] 21 points 7 months ago* (last edited 7 months ago)

IP-based mitigation strategies are pretty useless for ATO and credential stuffing attacks.

These days, bot nets for hire are easy to come by and you can rotate your IP on every request limiting you controls to simply block known bad IPs and data server IPs.

load more comments (4 replies)

load more comments (38 replies)