Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • capital
    link
    fedilink
    English
    2211 months ago

    Yeah they offered that. I don’t think anyone with it turned on was compromised.

    • pflanzenregal
      link
      fedilink
      English
      22
      edit-2
      11 months ago

      This shouldn’t be “offered” IMHO, this should be mandatory. Yes, people are very ignorant about cyber security (I’ve studied in this field, trust me, I know). But the answer isn’t to put the responsibility on the user! It is to design products and services which are secure by design.

      If someone is actually able to crack accounts via brute-forcing common passwords, you did not design a secure service/product.

      [Edit: spelling]

      • @Eezyville@sh.itjust.worksOP
        link
        fedilink
        English
        2811 months ago

        I’ve noticed that many users in this thread are just angry that the average person doesn’t take cybersecurity seriously. Blaming the user for using a weak password. I really don’t understand how out of touch these Lemmy users are. The average person is not thinking of cybersecurity. They just want to be able to log into their account and want a password to remember. Most people out there are not techies, don’t really use a computer outside of office work, and even more people only use a smartphone. Its on the company to protect user data because the company knows its value and will suffer from a breach.

          • @Adalast@lemmy.world
            link
            fedilink
            English
            411 months ago

            From what I’m seeing, the hackers used the weak password accounts to access a larger vulnerability once they were behind the curtain. The company I work for deals with sensitive proprietary data daily and we are keenly aware that individuals should never have an opportunity to access the information if any other user. Things like single-user quarantining of data blocks are a minimum for security. Users log in and live on their own private island floating in a void. On top of that use behavior tracking to detect access patterns that attempt to exit the void and revoke credentials. That is also not even remotely mentioning that you have a single point of access entering thousands of accounts. That on it’s own should be throwing enough red flags to pull down the webserver for a few minutes to hours. There is a lot they could have done.

            • JohnEdwa
              link
              fedilink
              English
              4
              edit-2
              11 months ago

              It wasn’t exploiting a vulnerability, they gained access to other peoples data because the site has a deliberate feature to share your data with your relatives if both have allowed that. That’s why the term used is “scraped”, they copied what the site showed.
              When someone logs in to a Facebook account, it’s not a vulnerability that they can now see all of the info their friends have set to “friends only”, essentially.

              Also they used a botnet so the login attempts weren’t suspicious enough to do anything about - they weren’t brute forcing a single user multiple times, but each trying once with the correct password.

          • @psud@lemmy.world
            link
            fedilink
            English
            211 months ago

            Yes, one of those “confirm it’s you” emails. They’re less intrusive than regular 2FA, and are only needed when a user logs in from a machine without the right cookie

          • pflanzenregal
            link
            fedilink
            English
            111 months ago

            Hello, as I said, it’s about “security by design”, which means to design a system that ‘doesn’t allow for insecure things’ in the first place. Like a microwave oven doesn’t operate when the door is open. IT-/cyber-security is a complex field, but 2FA is a good place to start, regarding user facing services. There are lots more things than that of course.

        • @miss_brainfart@lemmy.ml
          link
          fedilink
          English
          211 months ago

          You’re right, most people either don’t care, or don’t even know enough to care in the first place.

          And that’s a huge problem. Yes, companies have some responsibility here, but ultimately it’s the user who decides to use the service, and how to use it.

          • @TheActualDevil@lemmy.world
            link
            fedilink
            English
            411 months ago

            don’t even know enough to care in the first place.

            but ultimately it’s the user who decides to use the service, and how to use it.

            So you admit they don’t have access to the knowledge needed to make better choices for their digital security. Then immediately blame them. I think your bias from the point of view of a one that is already more informed on this sort of thing. If they don’t know they need to know more, how can they be expected to do any research? There’s only so much time in a day so you can’t expect people to learn “enough” about literally everything.

            • @miss_brainfart@lemmy.ml
              link
              fedilink
              English
              311 months ago

              I don’t intend to blame them, I’m just making an observation.

              The fact that they don’t know is a problem in itself too, and spreading awareness about cybersecurity and teaching general tech literacy and common sense is not done as much as it should be.

              It’s exactly like you say. They don’t know, and how would they? No one is ever giving them the information they need.

        • pflanzenregal
          link
          fedilink
          English
          111 months ago

          That’s exactly right. I was about to say how people usually don’t even “not take it seriously” but rather don’t even think or know about it. But you already said that yourself haha :D

          • @CoggyMcFee@lemmy.world
            link
            fedilink
            English
            3
            edit-2
            11 months ago

            Or, worse, they don’t even understand it. I definitely have people in my life who know about the idea of cybersecurity and are terrified of getting hacked, but constantly do things the wrong way or worry about the wrong things. Because it’s just too confusing for them, and it’s always changing.

      • capital
        link
        fedilink
        English
        -1
        edit-2
        11 months ago

        Fuck mandatory 2FA. Most sites just throw SMS on there and leave it at that. I’m so tired of putting yet more of my information into services that don’t require it to utilize the service.

        If TOTP was more prevalent (getting there) I might agree but then we’d be talking about how the typical user doesn’t know how to set that up.

        • @sudneo@lemmy.world
          link
          fedilink
          English
          211 months ago

          Companies pay SMS, TOTP is free for them (just a computation…). It is utterly dumb to implement the same logic with a paid service rather than TOTP (or security keys, at this point). So yeah, I agree with the idea, but I think nowadays most 2fa is TOTPs (sadly, some require their shitty apps to do just that - Blizzard once was one of them, maybe still is).

          • capital
            link
            fedilink
            English
            111 months ago

            It’s a thinly veiled method to gather more info from users when SMS is the only option.