https://www.nbcnews.com/news/us-news/23andme-user-data-targe...
One could easily see, e.g., a citizen of a Middle Eastern country who had some surprising Ashkenazi background being targeted for death as a result of this.
Perhaps a better way to say this is that 'tech savvy' posters are the least likely to have a good handle on mainstream feelings, and I definitely feel safer among normal people than those who consider themselves arguers for technological progress without a supporting philosophy.
[edit] I had a dream last night that the front of my house was all glass, including the ceiling. And I was on the couch with my girlfriend reading books when a Hamas protest came down the street, waving green flags. They took positions on the roof of the school across from me, and they were pumping the air with AK47s and shouting slogans, looking down into our glass house and waiting for us to respond. We looked at each other and tried to make ourselves small, and we did not want to respond to their slogans. They became more and more agitated that we were refusing to agree with them. We knew that we were marked for death. Then the police showed up and they moved down the street, chanting the same things.
This is a small story. My father, stupidly, put his genes on this website without asking his children; thus I was a victim of this data breach (we're, not surprisingly, 90% Ukrainian/Belarusian/Ashkenazi Jewish and, oddly, 10% Irish). But what does it mean to dream of people shouting a slogan that you'll either shout with them or die, into the glass living room of your house? It feels like a perfect metaphor for the time we're living in. I wish everyone in the world had that dream so they could understand what it feels like to be a true rebel who is alone against a mob.
You don't engineer a service like 23andme without doing some risk assessment, and one of the risks they should have identified and mitigated is password re-use by Joe Average, because Joe Average (and his mom) were exactly the demographic that they targeted. Anybody that was somewhat sensitive to the privacy risks wouldn't have used the service in the first place.
they even offer 2 factor https://customercare.23andme.com/hc/en-us/articles/360034119...
sure they could do better, but are they legally required to be better? They could force 2fa, or 3fa, or 4fa, and disable accounts that go inactive for more than a week and require a validating DNA sample in the mail to reactivate.
if they're "made an example of", what exactly does that mean? at what point is an entity legally responsible for the irresponsibility of its users?
I think we all know the answer already.
Security practices and their ludicrously bad response aside, I cannot fathom why someone would send their literal DNA to a company and then take no steps to secure that information. Is technical literacy really this poor amongst the general population? Even my retiree dad who can't reliably turn his TV on knows about MFA.
How would they do that?
I'm not defending 23andMe but I really don't see how a service can detect that the password I chose on their website is the same I chose on a different one. Not without: a) them knowing what my chosen password is; and b) them knowing my passwords on other websites.
Where I work the security team monitors PW leaks and runs them against our userbase. If we find matches we lock their accounts and force a reset; that password also goes into a file and becomes perma-banned from being chosen.
we also force multifactor, which isn't bulletproof (heck, if you used the same TOTP in 2 sites your hex key could get stolen) but it does go a long way. 2 factor is super annoying though, and lots of places only offer crap methods like SMS (I loathe to give out my phone number). personally I'd rather use just a strong site-specific password than be forced to provide my phone number.
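The leak-matching process the comment above describes, as an added example (not code from the commenter's employer or from 23andMe): the stored hashes, the user table and the leaked dump are all constructed here, and the choice of PBKDF2 for storage and SHA-256 for the banned-password file is an assumption of the example.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the example: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_user(password: str):
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)

# Constructed user table (email -> (salt, stored hash)), standing in for the
# application's real credential store.
USERS = {
    "alice@example.com": new_user("hunter2"),       # reused the leaked password
    "bob@example.com": new_user("correct horse"),   # leak lists a different one
    "carol@example.com": new_user("Tr0ub4dor&3"),   # not in the leak at all
}

# Constructed leaked (email, plaintext) pairs, as a security team might pull
# from a public breach dump and run against its own user base.
LEAK = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("dave@example.com", "qwerty"),   # not one of our users; ignored
]

def process_leak(users, leak, banned):
    """Return the set of accounts whose stored hash matches a leaked pair.
    The caller locks those accounts and forces a reset; each matched
    password is added (hashed) to the banned set so it can never be chosen
    again, which is what the comment's 'file' holds."""
    locked = set()
    for email, leaked_pw in leak:
        record = users.get(email)
        if record is None:
            continue  # leaked address is not one of our users
        salt, stored = record
        # Re-derive with the user's salt and compare in constant time.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            locked.add(email)
            banned.add(hashlib.sha256(leaked_pw.encode()).hexdigest())
    return locked

def is_banned(password: str, banned) -> bool:
    """Check a candidate password (e.g. at reset time) against the ban file."""
    return hashlib.sha256(password.encode()).hexdigest() in banned
```

Run on the constructed data, only alice's account is locked and only "hunter2" ends up banned; bob's leaked entry does not match his current hash, so his account is untouched.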
Lots more discussion earlier: https://news.ycombinator.com/item?id=38856412