Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • capital@lemmy.world · 52 up / 9 down · 11 months ago

    The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers

    Turns out, it is.

    What should a website do when you present it with correct credentials?

    • ADTJ@feddit.uk · 21 up / 4 down · 11 months ago

      What should it do? It should ask you to confirm the login with a configured 2FA

      • capital@lemmy.world · 14 up / 3 down · 11 months ago

        Yeah they offered that. I don’t think anyone with it turned on was compromised.

        • pflanzenregal@lemmy.world · 8 up / 3 down · 11 months ago

          This shouldn’t be “offered” IMHO, this should be mandatory. Yes, people are very ignorant about cyber security (I’ve studied in this field, trust me, I know). But the answer isn’t to put the responsibility on the user! It is to design products and services which are secure by design.

          If someone is actually able to crack accounts via brute-forcing common passwords, you did not design a secure service/product.

          • Eezyville@sh.itjust.works (OP) · 13 up · 11 months ago

            I’ve noticed that many users in this thread are just angry that the average person doesn’t take cybersecurity seriously. Blaming the user for using a weak password. I really don’t understand how out of touch these Lemmy users are. The average person is not thinking of cybersecurity. They just want to be able to log into their account and want a password to remember. Most people out there are not techies, don’t really use a computer outside of office work, and even more people only use a smartphone. It’s on the company to protect user data because the company knows its value and will suffer from a breach.

              • Adalast@lemmy.world · 2 up / 2 down · 11 months ago

                From what I’m seeing, the hackers used the weak password accounts to access a larger vulnerability once they were behind the curtain. The company I work for deals with sensitive proprietary data daily and we are keenly aware that individuals should never have an opportunity to access the information of any other user. Things like single-user quarantining of data blocks are a minimum for security. Users log in and live on their own private island floating in a void. On top of that use behavior tracking to detect access patterns that attempt to exit the void and revoke credentials. That is also not even remotely mentioning that you have a single point of access entering thousands of accounts. That on its own should be throwing enough red flags to pull down the webserver for a few minutes to hours. There is a lot they could have done.

                • JohnEdwa@sopuli.xyz · 2 up · 11 months ago

                  It wasn’t exploiting a vulnerability, they gained access to other people’s data because the site has a deliberate feature to share your data with your relatives if both have allowed that. That’s why the term used is “scraped”, they copied what the site showed.
                  When someone logs in to a Facebook account, it’s not a vulnerability that they can now see all of the info their friends have set to “friends only”, essentially.

                  Also they used a botnet so the login attempts weren’t suspicious enough to do anything about - they weren’t brute forcing a single user multiple times, but each trying once with the correct password.

            • miss_brainfart@lemmy.ml · 0 up / 1 down · 11 months ago

              You’re right, most people either don’t care, or don’t even know enough to care in the first place.

              And that’s a huge problem. Yes, companies have some responsibility here, but ultimately it’s the user who decides to use the service, and how to use it.

    • KairuByte@lemmy.dbzer0.com · 26 up / 10 down · 11 months ago

      So… we are ignoring the 6+ million users who had nothing to do with the 14 thousand users, because convenience?

      Not to mention, the use of “brute force” there insinuates that the site should have had password requirements in place.

      • capital@lemmy.world · 14 up / 5 down · 11 months ago

        Please excuse the rehash from another of my comments:

        How do you people want options on websites to work?

        These people opted into information sharing.

        When I set a setting on a website, device, or service I damn sure want the setting to stick. What else would you want? Force users to set the setting every time they log in? Every day?

        • KairuByte@lemmy.dbzer0.com · 3 up / 2 down · 11 months ago

          I admit, I’ve not used the site so I don’t know the answers to the questions I would need, in order to properly respond:

          • Were these opt-in or opt-out?
          • Were the risks made clear?
          • Were the options fine tuned enough that you could share some info, but not all?

          From the sounds of it, I doubt enough was done by the company to ensure people were aware of the risks. Because so many people were shocked by what was able to be skimmed.

      • platypus_plumba@lemmy.world · 6 up · 11 months ago

        It was credential stuffing. Basically these people were hacked in other services. Those services probably told them “Hey, you need to change your password because our database was hacked” and then they were like “meh, I’ll keep using this password and won’t update my other services that this password and personally identifiable information about myself and my relatives”.

        Both are at fault, but the users reusing passwords with no MFA are dumb as fuck.

    • Hegar@kbin.social · 17 up / 5 down · 11 months ago

      What should a website do when you present it with correct credentials?

      Not then give you access to half their customers’ personal info?

      Credential stuffing 1 grandpa who doesn’t understand data security shouldn’t give me access to names and genetics of 500 other people.

      That’s a shocking lack of security for some of the most sensitive personal data that exists.

    • Thann@lemmy.ml · 1 up / 1 down · 11 months ago

      1. IP based rate limiting
      2. IP locked login tokens
      3. Email 2FA on login with new IP

      • CommanderCloon@lemmy.ml · 3 up · 11 months ago

        1. The attackers used IPs situated in their victims’ regions to log in, across months, bypassing rate limiting or region locks / warnings

        2. I don’t know if they did but it would seem trivial to just use the tokens in-situ once they managed to log in instead of saving and reusing said tokens. Also those tokens are the end user client tokens, IP locking them would make people with dynamic IPs or logged in 5G throw a fuss after the 5th login in half an hour of subway

        3. Yeah 2FA should be a default everywhere but people just throw a fuss at the slightest inconvenience. We very much need 2FA to become the norm so it’s not seen as such
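The exchange above (distributed bots each making one correct-password login, so per-IP rate limiting sees nothing, versus a 2FA challenge on a login from an IP new to the account) as a defender-side detection sketch. This is an added example, not code from any commenter; the log lines and the known-IP baseline are constructed.

```python
from collections import defaultdict
# Constructed sample auth log (hour bucket, account, source IP, result). The
# hour-11 block models the thread's pattern: one correct-password login per IP.
AUTH_LOG = """\
2023-10-01T09 alice 203.0.113.10 ok
2023-10-01T10 carol 203.0.113.10 ok
2023-10-01T10 dave 192.0.2.40 ok
2023-10-01T11 erin 192.0.2.41 ok
2023-10-01T11 frank 192.0.2.42 ok
2023-10-01T11 grace 192.0.2.43 ok
2023-10-01T11 heidi 192.0.2.44 ok
2023-10-01T11 alice 203.0.113.10 ok
""".splitlines()
# Constructed baseline: IPs each account had used before this window.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "carol": {"203.0.113.10"},
             "dave": {"192.0.2.40"}, "erin": {"198.51.100.20"},
             "frank": {"198.51.100.21"}, "grace": {"198.51.100.22"},
             "heidi": {"198.51.100.23"}}

def parse(lines):
    keys = ("hour", "account", "ip", "result")
    return [dict(zip(keys, line.split())) for line in lines if line.strip()]

def max_attempts_per_ip(records):
    """What a per-IP rate limiter sees: the busiest single source address."""
    counts = defaultdict(int)
    for r in records:
        counts[r["ip"]] += 1
    return max(counts.values())

def new_ip_logins_by_hour(records, known):
    """Population view: hour -> [successful logins from a first-seen IP, all]."""
    stats = defaultdict(lambda: [0, 0])
    for r in records:
        if r["result"] != "ok":
            continue
        stats[r["hour"]][1] += 1
        if r["ip"] not in known.get(r["account"], set()):
            stats[r["hour"]][0] += 1
    return dict(stats)

def suspicious_hours(records, known, threshold=0.5, min_logins=3):
    """Hours where most successful logins came from IPs new to their accounts."""
    by_hour = new_ip_logins_by_hour(records, known)
    return sorted(h for h, (new, total) in by_hour.items()
                  if total >= min_logins and new / total >= threshold)

def step_up_required(account, ip, known):
    """Item 3 above: a correct password from an unseen IP gets a 2FA challenge."""
    return ip not in known.get(account, set())
```

No single IP in the sample exceeds three attempts, so a per-IP limiter never fires, while the hour-11 bucket stands out as 4 of 5 logins coming from first-seen addresses.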

        • FiveMacs@lemmy.ca · 0 up · 11 months ago

          I’m cool with 2fa, I’m not cool with a company demanding my cellphone number to send me SMS for 2fa or to be forced to get a 2fa code via email…like my bank. I can ONLY link 2fa to my phone. So when my phone goes missing or stolen, I can’t access my bank. Only time I have resisted 2fa is when this poorly implemented bullshit happens.