by Urgo 987 days ago
Unless I'm reading this wrong all that happened was someone had an existing leaked database of emails/passwords and then tried them on 23andme, and if they worked they took the data they could get. Yes, 23andme has some pretty extensive and personal data, but this attack could be done on literally any website. The issue is people re-used passwords, and also did not have 2fa enabled.

So the database that is for sale is just a list of emails/passwords from other breaches that worked on 23andme, along with the data that 23andme had on those users. Not exactly a 23andme breach.


Even if this is the case, 23andMe should have done better here. Why are you letting people log into an account from a brand-new IP with no additional verification? You have their email, you could have at least done 2FA with that. And as other commenters mentioned, CAPTCHA would have also made this slower / more expensive. At my employer, we use both, and so it is not the case that this "could be done on literally any website."

For such a mature business (that is publicly-traded, no less!) it is shameful to allow credential stuffing on the scale of millions of accounts.

> Why are you letting people log into an account from a brand-new IP with no additional verification?

Is that really feasible today? With widespread use of phones and laptops, most people probably have at least a handful of different IP addresses they regularly use (home WiFi, work WiFi, cellular connection) and then they randomly connect from new IP addresses like those from libraries, coffee shops, commute, etc.

I think most “normal” apps and websites today allow any random IP to log in without jumping through extra hoops.

Only companies with big budgets (Apple, Google, etc) make regular users jump through extra hoops.

Banks, B2B have users that need extra hoops as well.

But 23andMe. I would not expect them to take any extra steps.

23andme isn't just any small company. They process people's DNA! It's about as personal information as you can get. And the stolen data included information about people's genetic ancestry. They should have very high-class security practices.
General question, but let’s say they get your genetic ancestry information. What could you do with that?
Researchers and scientists could do a lot with such data. A tyrannical government would find many uses in furtherance of their repressive tactics. Blackmailers can find high profile targets where genetic linkages have been obscured by births out of wedlock, incest, etc… Strange question. Data are valuable, it’s like most of our economy at this point.
But you already agree to let 23andme send your data to "research" partners. I can understand the blackmailer, but even that is a bit of a stretch. I just don't see what damage could be done, which is why I asked the question. If a tyrannical government wants DNA of its citizens, it could just force it. I doubt they would go buying it online with bitcoin.
> A tyrannical government would find many uses in furtherance of their repressive tactics.

Strange answer. What do you actually mean by this? "furtherance of their repressive tactics" can mean just about anything - which government are you talking about, and which tactics?

Please don't make this normal it's absolutely tiresome to get codes for every single task
Or include a setting for users that used a unique password.

When, five to ten years ago, everyone started sending email confirmations "is this really you??" when logging in with the correct username and password on the first try, I always contacted support to ask if that can be turned off. I figured the only way they were going to know it's a pain is if people complain. I have yet to learn of the first site where this is actually a choice...

Come to think of it, why haven't I made a Thunderbird plugin yet that recognises these emails and either sends the code to the browser or autotypes it. The credentials are filled in automatically, why not also their stupid email? Does this exist already?

I think most sites doing this use SMS codes, and they work really well on mobile. If they are sending an email it’s more likely to be a magic link with no password at all.
You don't use twitter, github, amazon, spotify, steam, discord, etc.? Maybe that you can turn on SMS instead of email, but sending people emails for every login is the default for those.

The only ones requiring an SMS for me are organisations with a bank license, which are obviously a minority of all the services out there.

(Fwiw, I avoid all of the above besides Spotify, but a lot of code happens to be on github, audio books are invariably ~3x cheaper on amazon compared to buying from the publisher directly, many game developers insist that you let steam take a cut and don't let you buy it from them directly... that's how come I know these things all insist on sending emails.)

Every time I log into my Chase account, it thinks I'm logging in from a new computer. Every single time. Nope, I've had the same computer for 3 years.
Is your browser set to clear cookies when you close it?
Many sites like Google including my banking sites send me an email when a new IP / location is used for login.

This alerts if there is a sudden login without my knowledge and one click to disable.

23&me could have definitely done that to alert logins.

It is 100% on 23&me even though used id/passwords were used.

Genetic data is by definition extremely personal.

It's exposed as "new IP" to the end user but it hides a lot of logic about ISP IP address pools for specific regions, behaviour of other devices, etc. For someone like Google, that's easy to pull off, as a lot of people use it, and people use it daily. But it's harder to get this technology for someone like 23andMe where people log in less often, and its product has low penetration of internet users.
Just do it all the time then? If it's infrequent it's also not much of a hassle.

GoG and Steam do "email 2fa" and while it's annoying they do it anyway as they are a "risky" target, IIUC.

> Many sites like Google including my banking sites send me an email when a new IP / location is used for login

All of whom I already mentioned in the comment you are responding to

2FA would've prevented those logins. I think sites should very much start mandating 2FA imho.
Drop a cookie in their browser and 2FA them if the cookie is not present. It's much less likely the attacker will have the users credentials AND cookies, so this raises the bar for the attacker without annoying the user too much.
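Sketch of the trusted-device cookie the comment above describes, added here as an example (it is not code from the thread or from 23andMe). The cookie is minted only after a successful 2FA, is bound to the account by an HMAC over the user id, a random device id and the issue time, and expires; the server secret, the 90-day lifetime, the `user|device|issued` layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; in a real deployment it comes from a secrets store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
COOKIE_MAX_AGE = 90 * 24 * 3600  # assumed policy: re-prompt for 2FA after 90 days


def _sign(payload, secret):
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_device_cookie(user_id, secret=SERVER_SECRET, now=None):
    """Mint a cookie after a successful 2FA: user id, fresh device id, issue time, HMAC.
    user_id is assumed not to contain '|'."""
    now = int(time.time()) if now is None else now
    device_id = secrets.token_hex(16)
    payload = f"{user_id}|{device_id}|{now}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload, secret)}"


def verify_device_cookie(cookie, user_id, secret=SERVER_SECRET, now=None,
                         max_age=COOKIE_MAX_AGE):
    """True only if the cookie is untampered, minted for this account, and not expired."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return False
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return False  # forged or modified
    try:
        cookie_user, _device_id, issued = payload.decode().split("|")
        issued = int(issued)
    except ValueError:
        return False
    if cookie_user != user_id:
        return False  # a cookie minted for another account does not vouch for this one
    return issued <= now <= issued + max_age


def login_decision(user_id, password_ok, cookie, secret=SERVER_SECRET, now=None):
    """Password wrong -> deny; known device -> allow; otherwise require the second factor."""
    if not password_ok:
        return "deny"
    if cookie and verify_device_cookie(cookie, user_id, secret, now):
        return "allow"
    return "require_2fa"


if __name__ == "__main__":
    c = issue_device_cookie("alice", now=1_700_000_000)
    print(login_decision("alice", True, None))                        # require_2fa
    print(login_decision("alice", True, c, now=1_700_000_100))        # allow
    print(login_decision("bob", True, c, now=1_700_000_100))          # require_2fa
```

The point of the HMAC is that an attacker who only holds stuffed credentials cannot fabricate a cookie, and the user-id binding stops a cookie from one compromised account from being replayed against another.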
Yes and people travel too. Even outside national borders sometimes, a prospect which my experience of having to use vpns to log into my payments apps demonstrates is somehow shocking to product managers driving cybersec policies in these companies.

tl;dr: logging in from an ip address of a strange faraway country should not be its own security flag. /endrant

>and then they randomly connect from new up addresses like those from libraries, coffee shops, commute, etc

And most of the regularly used networks probably aren't using a static IP anyways.

I have to agree.

Why blame the users for a broken by design security model like password auth? Credential stuffing attacks are a known weakness. We cannot reasonably expect everybody to take precautions against them.

I've just become very irate at how people implement absolutely absurdly bad security and people just blame users when the inevitable happens. These attacks have happened for decades. It's not the fault of the users.

> Why are you letting people log into an account from a brand-new IP with no additional verification?

Because having to play a game of "Simon Says" every time I try to log into an account pisses off customers.

Humble Bundle, for example, lost several sales because you can't even buy a game for an e-mail address that has an account without logging into the account, which requires not just the password (stored in my password manager that I may not have with me everywhere I have my credit card), but also logging into my e-mail and clicking a link.

The EU has decided to force banks and payment providers to implement this nonsense because companies like e.g. PayPal decided to rather eat the cost of non-prevented fraud than putting an extra barrier in front of users and losing the users to competitors (by forcing everyone to do it, they prevented companies from competing on this aspect of UX).

This story about genetic data and other sensitive health data being leaked doesn't really make the case for letting the market solve this particular problem without onerous regulations.

I suppose massively increasing the liability would solve the problem by doing a little of both.

Private companies should not be holding such data regardless, so the point becomes moot.
Because many people change IPs all the time between devices and such, and it's a user hostile practice to ask for an email code on login

Instead they could've monitored the password leaks to see if those got exposed

You can scrape email/sms for codes automatically and add them to the clipboard or autofill, and what does user hostile even mean? User hostile is losing all of a users data because you were more concerned with customers liking how easy your service is to use than you were about ensuring your service didn't hurt them.

You can do better than email/sms, especially sms, but they're transitionary technologies. I login to way more things than most people do way more often. I don't use password authentication alone unless it's literally my only option.

> You can scrape email/sms for codes automatically

IF they arrive right away, which isn't guaranteed for either method. Also, do you seriously suggest every single user set up some kind of x-platform scraping service (how would you scrape an SMS code to a computer's clipboard)???

"user hostile" means that you impose a cost on users without consent and in many cases without benefit

> I don't use password authentication alone unless it's literally my only option.

That's fine, but this isn't a conversation about you. I'm fine with a high-entropy auto-generated password for a huge bunch of services

Reading passwords from SMS is already in Android and iOS, passwords from emails is in iOS (with mail). For that matter, there is no reason TOTP codes can’t be autofilled along with your username/password. The tooling around this stuff keeps getting better and more widespread because it’s getting more prevalent.

>How would you scrape an SMS code to a computer’s clipboard

https://support.apple.com/en-us/guide/safari/ibrwa4a6c6c6/ma...

There’s no technical reason this same idea can’t work with every OS.

>impose a cost on users without consent

We have 1.3 million people who had their personal information leaked by an anti-Semite. More people are impacted by the breach in privacy than just the people who reused their passwords. The level of security was not appropriate to the context. Forcing costs on users can be good when said users are handling sensitive PII.

> The tooling around this stuff keeps getting better

> There’s no technical reason this same idea can’t work with every OS.

And until it gets good and works on every OS you have no argument

> Forcing costs on users can be good when said users are handling sensitive PII.

No it can't, why do you think you can impose your personal oversensitive value judgements re. PII on every single user???

> Why are you letting people log into an account from a brand-new IP with no additional verification?

The opposite is the bigger WTF: why are they letting so many different people log in from the same IP at the same time? That’s a red flag on every fraud detection system I’ve seen. Not to mention there would be many failed logins for different accounts, which is also a pretty strong warning.

Because some people don't get a static IP from their ISP and they don't want to go through e-mail verification every day. At this point, some sites require this workflow from me:

    1. Solve CAPTCHA for log-in form
    2. Log in with valid password
    3. Open E-Mail client, maybe even log-into your e-mail with the same workflow if not done yet
    4. Verify the IP via E-Mail 
    5. Surf to website log-in form again
    6. Solve CAPTCHA for log-in form again
    7. Log in again with a valid password
    8. Verify with 2FA code
Thanks, I hate it. It feels like step 1 to 7 could be skipped.
> Why are you letting people log into an account from a brand-new IP with no additional verification?

Because they knew the password! That's what passwords are for. Please don't try to make life any more difficult for your users than it has to be.

Forcing people to use an E-mail address as a user ID is so amateur-hour that I don't even know where to begin dismantling it. You don't see banks or brokerages doing this.

Why is it so dumb? Because the vast, vast majority of people have no idea how any of this shit works. So, when a company demands that you sign up with your E-mail address and enter a password, a great many people are going to think they have to use their E-mail password too. This makes every one of these sites a gatekeeper to its users' E-mail accounts. If their security practices suck and they're hacked, or a disgruntled employee steals their records, or whatever... now a ton of their users' E-mail accounts are open for mining.

The failure to think this obvious scenario through is appalling. It's also appalling to see companies like Apple perpetrating this stupid behavior, especially AFTER the fact. Apple IDs originally did not have to be E-mail addresses. And later on, they did not have to be FUNCTIONING E-mail addresses. Now they've regressed all the way and they have to be both. And so Apple, per its usual M.O., has had to tack on various extra measures since then to try to shore up security.

In case you couldn't tell, I absolutely detest this policy.

> Because the vast, vast majority of people have no idea how any of this shit works.

Then don't let them use it. We don't let people drive who don't know how to safely operate a car. We don't let people make food in commercial kitchens without training. We let users run free with no knowledge, then build systems to stop them from hurting themselves, it's absurd.

> Why are you letting people log into an account from a brand-new IP with no additional verification?

Loosening this requirement to new country / carrier would make life easier for users at small cost to security.

Because IP addresses change frequently. I’m much less likely to use websites that require me to wait for a code in my email each time I use them and I don’t think I’m in the minority. Email/SMS codes are a useless checkbox in the security audit that companies need to stop implementing.
A friend of mine lost access to an email account of theirs, even though they remembered the username and password, since the IP address changed and the recovery methods weren't accessible any more (old phone number).
That website sounds like a lot of fun to use for people who travel (and often have a new IP).
I don’t think you are reading this correctly. People could access (most importantly) the full raw DNA profile. And many of those breached were from people who opted in a “Relatives” feature even if their account was secure.
23andme doesn't sequence DNA, it just checks some genomes.

https://customercare.23andme.com/hc/en-us/articles/227968028...

23andMe uses a SNP array, or SNP chip, to look at SNPs (single-nucleotide polymorphisms, or more generally, single nucleotides that vary within a population). Basically what it gives you is a diff against a reference genome. So yes, while not a full genome sequence you can still get a VCF file out of it, impute sites that are not on the chip, use it for genealogy analysis, look at someone's disease carrier status, genetic disease likelihood, etc.
Yeah, I mean this is about 1 million SNPs, right? It's very very personal indeed. I could make good guesses at the chance of you going to university; your height; your risk of depression; what you look like....
I don't see where in the article it suggests that the attackers were able to obtain the raw genotype data of anyone other than the compromised account.
The pics of the offer and pricing suggest uniform DNA info rather than names or passwords for some and raw DNA profiles for others. Also this from the article:

“ The compromised accounts had opted into the platform's 'DNA Relatives' feature, which allows users to find genetic relatives and connect with them.

The threat actor accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches, which shows how opting into a feature can have unexpected privacy consequences.”

Edit: maybe you are right about the lack of genetic info, if this account is correct (unless the researcher didn’t pay full price, and only got the metadata): https://therecord.media/scraping-incident-genetic-testing-si...

I guess one question is: should

> did not have 2fa enabled

be allowed to coexist with

> pretty extensive and personal data

It's the user's data, it's not on 23andme to baby the user. If the user wants to trade ease of login with risk of getting hacked, that's not 23andme's fault.
> that's not 23andme's fault

Yes it is. It's their fault for giving the user a choice. Google requires (some) users to enable 2FA, why can't 23andme?

https://www.tomsguide.com/news/google-forcing-2fa-users

Because user aversion to 2FA is often rational. The expected cost of learning how to use 2FA plus risking losing access to your account and not being able to get it back through support is often higher than the cost of having your account compromised.
> user aversion to 2FA is often rational.

The account recovery process should be set up at the start of the 2FA setup - e.g., you get emailed a bunch of backup codes (easiest way imho).

The site should not be using their own 2FA app, but use a standard OTP implementation, and let the user use their own OTP app (most people default to google's authy, but there's a couple out there that are common too).

Or, as an alternative, delegate the login to email and use a password-less login mechanism (effectively delegating the account security to the email's security). I argue this is actually more convenient, but some people (esp. young people?) have an aversion to email which i don't understand.

“I argue this is actually more convenient, but some people (esp. young people?) have an aversion to email which i don't understand.”

Uhaul does this and it’s maybe the only good thing I can say about Uhaul. I think the catch is that some people don’t use email (or much of anything) on their mobile phones. Most will get sms immediately wherever they are at. Not everyone uses email that way.

Emailing backup codes doesn't sound like a good idea. You give the keys to the kingdom to email provider or anyone who would be able to access your mailbox.
But that's only because companies, like google, offer no human support for lost accounts. Somehow I wonder if 100 years from now personal data will be handled by something like a bank. If you lose your password you call your personal data bank - which can get you back online or something like that.

Maybe that's the next big thing - local, personal companies that are your "online power of attorney" that have the right to reset your shit, make claims about your identity. I have no idea. But the current state of things is just a mess.

It won’t be your bank, it will be google. To some extent it already is.
It's really not man.

Maybe for some irrelevant social media site I can understand doing password-only auth because who cares, but this has your DNA on it. Even if the person who has all their personal information leak doesn't care, they fucked over their entire family. I guess that's not 23andMe's fault though because they were just satisfying a rational user aversion!

Not only that, but the aversion to using methods of logon other than passwords is less rooted in passwords being easy, and more in passwords being STANDARD. Passkeys for instance are faster to use than passwords. The ONLY thing that makes passwords "Easy" is people's refusal to start using something better because of one-time switching costs and inertia.

Plastic cups and discarded napkins also have DNA on them, and yet most people are willing to leave those lying on the table in an airport food court. If an entire family gets "fucked over" by this leak, they're going to get...medically invasive spam?

Which is bad, obviously, but I think everyone is catastrophising it.

I really hope this is not the prevailing attitude in software security. Can someone from that field please chime in?
Google can do a lot that no one else can. Think of user conversion rates if you require that they install an app and set up some TOTP stuff some never heard about just to access your platform.
this attitude is why almost all online services are absolutely insufferable to use now and it gets worse every day
Google’s standpoint likely saved many from identity theft given how getting access to the average person’s Google account can compromise half the services they have or more if they’re using gmail.
if they’re hosting sensitive data, it isn’t “babying” the user to take some responsibility for the data your company exists on.

if they can’t take responsibility for it, then they’re too irresponsible to make money from it.

it would be entirely reasonable for them to say “we don’t want anything to do with this data, we don’t want to profit from it, we don’t want to use it in any way, therefore we will not retain it at all.”

babying the user by taking responsibility for the very data they profit from? unreal.

Check out the data in the screenshot. This is not sensitive data. Pretty useful data.
> The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

i would absolutely argue that having my

1) genetic ancestry,

2) full name,

3) date of birth,

etc… is sensitive information.

even removing genetic information, if a company is too irresponsible to catch millions of users info being stolen, then they’re too irresponsible to have that data.

again, either it’s important to your business or it isn’t. if it isn’t important, then refuse to store it.

Birthdate/name is not sensitive data nor is a public profile photo. Facebook will display this in a public profile. And you are not getting genetic data. This info is public in other dna sites even if it's private on 23andme
It's not always that clear cut, though; after all, wouldn't this argument apply to e.g. laws requiring seatbelts? One could argue that in this early-ish stage of electronic data, vendors that hold very sensitive data are being irresponsible. Not just about not requiring more secure authentication, but also for pushing less secure authentication like SMS-based authentication factors.
The car makes an annoying beep beep sound, but it doesn't force the user to use a seatbelt. The onus and responsibility is ultimately on the end user.
The inability of the car to safely enforce this is probably the main reason why this works this way. The responsibility is split, though: cars are required to be designed in ways that discourage or prohibit some unsafe behaviors entirely. Not too different from services requiring 2FA: doesn't mean the TOTP secret is necessarily stored safely.
A friend of mine rented a larger, newer Jeep SUV when in town. It would not go into gear unless seatbelts were buckled. It was awful - not a future I want to live in. I'd rather have the choice than have it made for me in the name of safety.

> Not too different from services requiring 2FA

That is another practice I find awful for the above reason.

There are cars from the 90s that put the seat belt on automatically when you close the door. It looks awful but it works.
You are assuming that all users consider this data to be especially sensitive as opposed to something that your body leaves about wherever you go.
This stance is reckless and negligent. Pragmatically, you can be found liable. Ethically, it's cut and dried.
... Do you really believe this? There's countless services out there that don't require 2fa by default. Honestly it's probably easier to list the ones that do.

If you think that means the company can be held liable, I'd honestly start leaking my information on the internet if I were you. You have millions of dollars of lawsuits to go win apparently.

I absolutely believe this. If you think your service shall perform no due diligence that it is correct, accurate, and safe, then you have no business providing it to the user, who has little or no knowledge of the domain, which you are selling to them. That is your job, to sell a sophisticated service to someone who would enjoy the benefits but cannot begin to do it for themselves.

If you don't think so, then I think you're beyond reprehensible, and so will the courts. There is no disclaimer that can protect you. Good gravy, this is the easy part.

Passkeys, baby!
Give me an implementation I can self-host, without Google, Apple, etc. having effective control (including claws in my relevant software supply chain) and with an easy user experience, where I can maintain secure backups (on my own infrastructure, thank you) and smooth transition to future devices, and ideally, if needed, securely export root keys (cause if I don't control them then someone else owns them), and maybe I'll be interested.

In the meantime plain old high-entropy passwords with a good manager gives me all those features and a simplicity that's hard to beat.

In my 30+ years of computing I've suffered more harm from failures of other companies than I have from any failure of my own diligence. The whole lesson learned is to reduce trust in them and, maybe I'm wrong, but everything I've read about passkeys and the like seems to put me at liberty of the companies developing and pushing the implementations of them down my throat. It will take a lot of trust before I give up my ability to copy/paste my credentials.

Keepassxc and bitwarden should both be getting support for passkeys soon. Bitwarden sometime in October (vaultwarden already has support for storing them), keepassxc there's been an open PR for it that's been tested and iterated on for a while, but I'm not 100% sure how close it is to landing.
Thanks! Last time I checked it out the top hit said "Closed as Not Planned". Could you point me to some good details or any article on how it's being implemented (e.g. does it act as a third-party store or something to avoid being locked behind a TPM or whatnot?). Genuinely interested.
Try convincing all the anti-passkey folks first
You're not wrong that this wasn't a sophisticated attack. What's disappointing is that it worked well at scale.

> this attack could be done on literally any website. The issue is people re-used passwords, and also did not have 2fa enabled.

While possible to execute at scale on some websites, this type of attack tends to be quite loud on the receiving end once appropriate metrics are selected for monitoring and alerting.

> "We do not have any indication at this time that there has been a data security incident within our systems."

They should probably work on that, given that those systems were used to extract their customers' data, and that they only noticed when their customers' data was being sold.

Given how far behind they are on disclosure I'd guess they may have only found out from media inquiries.

Websites should mitigate credential stuffing by checking against known cracked passwords. All you have to do is download Troy Hunt’s hashed password database, check it when someone logs in and if it’s cracked do your email password reset flow. Or you can use their API.

It’s very simple, and I believe has been an accepted best practice since like 2017. This is 100% on 23andme. They are responsible.

1. https://haveibeenpwned.com/Passwords

This and noticing a bunch of accounts are suddenly being logged into en masse in a way that is obviously an attack. It cannot be hard to detect such an event if you cared to notice. So it’s 100% negligence and 100% the result of putting profits over safety. A terrible management failure.
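The check against Troy Hunt's Pwned Passwords list that the comment above recommends, written out as an added example (not code from the thread, from 23andMe or from haveibeenpwned.com). It uses the k-anonymity range model of the real API: SHA-1 the password, send only the first five hex characters, and look for the remaining 35 in the returned list. The range response embedded below is a constructed stand-in (only the `sha1("password")` suffix is real; its count and the other entries are made up), so the demo runs offline; `live_fetch` shows the real endpoint but is never called by the demo.

```python
import hashlib
import urllib.request

# Constructed stand-in for the range response for prefix 5BAA6, the prefix of
# SHA-1("password"). Real responses have hundreds of lines; with Add-Padding the
# server also mixes in fake suffixes with count 0, which the parser tolerates.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2E0C1B6E5A8D7C4B3A2F1E0D9C8B7A6F5:0
"""


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """k-anonymity split: only the 5-char prefix ever leaves the server."""
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix):
    """Constructed lookup used by the demo instead of the network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix):
    """Real range query against the public API (not exercised here)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=offline_fetch):
    """How many times this exact password appears in the corpus (0 if unseen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def login_decision(password_ok, password, fetch_range=offline_fetch):
    """Run the check only after the password verified: a correct but leaked
    password triggers the reset flow instead of a normal session."""
    if not password_ok:
        return "deny"
    return "require_reset" if breach_count(password, fetch_range) > 0 else "allow"


if __name__ == "__main__":
    print(breach_count("password"))                      # 3730471 (constructed count)
    print(login_decision(True, "password"))              # require_reset
    print(login_decision(True, "correct horse battery staple"))  # allow
```

The check runs at login (or at password-set time) because the plaintext is only available then; what is stored for authentication stays a slow hash, and the SHA-1 here exists solely to build the range query.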
Shouldn't they have noticed that an ip or a set of ips were trying to log into a bunch of different accounts?
Depends on how they tried to get in. They could have used a large amount of residential proxies to get around this.
If someone is trying to log in to "Account A" from fifty different places, that should be a red flag
They're not.

They have a large set of different emails + passwords, and a large set of IPs.

Each IP can check a single set of credentials, so you never get a single IP in a short timeframe with too many login attempts, and never trying to brute force a single account. If the attacker rented time on the botnet for a long enough period, they can fly under the radar for quite a while. 23andme sees lots of failed logins, but no real way to pin it down.

reCAPTCHA would be the answer here. What's interesting/concerning is that it appears Google's reCAPTCHA (assuming 23andme was using it, and they should've been) was defeated.
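An added example (not code from the thread or from 23andMe) of why per-IP and per-account throttles miss the "one credential per IP" pattern described above, and of the population-level signal that the earlier remark about accounts being logged into en masse points at. It runs over constructed login log lines: a quiet window of ordinary logins, then a window where 50 different accounts are each tried once from 50 different addresses. The log format, the 5-minute window and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format for this example; real auth logs will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW_MINUTES = 5  # assumed aggregation window


def parse_line(line):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "user": m["user"],
            "ip": m["ip"], "ok": m["result"] == "ok"}


def window_start(ts):
    """Floor a timestamp to the start of its window."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def window_report(lines):
    """Group events into windows and compute aggregate metrics per window."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            buckets[window_start(ev["ts"])].append(ev)
    report = {}
    for start, events in sorted(buckets.items()):
        attempts = len(events)
        failures = sum(1 for e in events if not e["ok"])
        per_ip = Counter(e["ip"] for e in events)
        per_user = Counter(e["user"] for e in events)
        report[start.strftime(TS_FMT)] = {
            "attempts": attempts,
            "failures": failures,
            "fail_ratio": failures / attempts,
            "distinct_ips": len(per_ip),
            "distinct_users": len(per_user),
            # What per-IP / per-account throttles see; 1 means they see nothing odd.
            "max_per_ip": max(per_ip.values()),
            "max_per_user": max(per_user.values()),
        }
    return report


def detect_stuffing(lines, min_attempts=30, min_fail_ratio=0.5, min_fanout=0.9):
    """Flag windows whose shape matches distributed credential stuffing: many
    attempts, mostly failing, spread over about as many IPs and accounts as attempts."""
    flagged = []
    for start, m in window_report(lines).items():
        fanout = min(m["distinct_ips"], m["distinct_users"]) / m["attempts"]
        if (m["attempts"] >= min_attempts and m["fail_ratio"] >= min_fail_ratio
                and fanout >= min_fanout):
            flagged.append(start)
    return flagged


def constructed_log():
    """Constructed sample: ordinary logins at 12:00, then 50 one-shot attempts at 12:10."""
    normal = [("alice", "198.51.100.10", "ok"), ("bob", "198.51.100.11", "ok"),
              ("carol", "198.51.100.12", "fail"), ("carol", "198.51.100.12", "ok"),
              ("dave", "192.0.2.7", "ok"), ("erin", "192.0.2.8", "fail"),
              ("erin", "192.0.2.8", "ok"), ("alice", "198.51.100.10", "ok")]
    lines = [f"2023-10-01T12:00:{i:02d}Z login user={u} ip={ip} result={r}"
             for i, (u, ip, r) in enumerate(normal)]
    for i in range(50):
        result = "ok" if i % 5 == 0 else "fail"  # 10 of the stuffed credentials "work"
        lines.append(f"2023-10-01T12:{10 + i // 25:02d}:{(i * 2) % 50:02d}Z "
                     f"login user=user{i:03d} ip=203.0.113.{i + 1} result={result}")
    return lines


if __name__ == "__main__":
    for start, m in window_report(constructed_log()).items():
        print(start, m)
    print("flagged windows:", detect_stuffing(constructed_log()))
```

In the attack window `max_per_ip` and `max_per_user` are both 1, so a per-source limiter never fires; the failure ratio and fan-out of the whole population are what change, which is why the metric worth alerting on is site-wide rather than per client.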

Captcha still means you get to do the cred stuffing attack, just potentially more slowly which still doesn’t protect the user.

I think for sensitive data where you want to protect the user, it makes even more sense to just generate passwords for them. It’s even simpler than 2FA. Some online casinos do this.

If your attacker is stuck manually passing the captcha time after time, they're probably not going to bother.

The thing that worries me more is the possibility that newer AI tools are allowing attackers to beat reCAPTCHA with automation. If that's the case, a lot of folks are going to be caught with their pants down.

Edit: looks like it's more than a possibility[1].

[1] https://twitter.com/sw33tlie/status/1710409035030122731

And this is why you should never force people to use their E-mail address as a user ID.
If it was a known leaked database, they should have invalidated the passwords from the database before attackers exploited them.
While it's probably not a horrible idea to do something like this, I don't think any, or at least many, do this currently? It wasn't a 23andme database that the attacker used, it was just some other random site/sites. So every time any website is hacked should every other website invalidate the credentials of those users on their site too?
It is a lot of hassle, and the user isn't really protected because the invalidation relies on public releases of email/password combinations; there's obviously going to be plenty of private releases, which means it's actually just security theatre.

2FA, or passwordless logins, are the solution. Forcing the user to change their password (at the most inconvenient of times - right after they logged in, but before they're able to use the site) is annoying at best, and does nothing at worst.

How is it a theater to save a lot of users, but not all?
a theatre is where you have the feeling of security, but you don't really have it in reality.

You cannot claim that just because some users are 'saved' as evidence that this is an effective security measure, because if a password was leaked, and not discovered, then this measure doesn't prevent it. But it is imposing a cost, which cannot be measured against effectiveness.

Changing the whole process to 2FA is secure because there are provable guarantees for the costs imposed, and therefore you can make an objective decision on whether it is worth implementing.

But you do have security, this measure saves actual people in actual reality

> You cannot claim that just because some users are 'saved' as evidence that this is an effective security measure

Why not? Saving people from insecurities is almost by definition a measure of effectiveness

> you can make an objective decision on whether it is worth implementing.

You can't since the value factors in your "provable guarantees" and costs involved are subjective and also depend on the users' characteristics

I hope they encrypt passwords and are unable to do this.
> Unless I'm reading this wrong all that happened was someone had an existing leaked database of emails/passwords and then tried them on 23andme, and if they worked they took the data they could get.

So... basically exactly what the title says. 23AndMe says user data stolen in a credential stuffing attack.

Use a password manager with long, random passwords. Pick your own passwords and you're leaving your door unlocked.
Good luck trying to convince anyone who is not already using it. I've tried super hard to get my friends and family to use a password manager but they brush it off as a joke. Even when they lose their account it doesn't seem to bother them. They just create a new one. It's a dead race.
This has been my experience as well. You can even show them that they have been a part of breaches but not even that is motivating enough.
I don't think you have to tell that to people on HN, but regular people will not be able to use most password managers. Not even 1Password is really user-friendly and it's the most mainstream one.

The included one on macOS is hidden in some setting panel.

For non-technical people the best authentication method is probably their phone (Passkeys, or tokens sent to their email address).

> The included one on macOS is hidden in some setting panel.

As long as you stay in the Mac/iOS walled garden, you really don’t need to access the Settings page/app. Safari and most apps will happily pull the user/pwd from the manager for you. I’ve used it for a few years now (after tiring of the mediocre UX of several other managers).

Most (all?) major browsers now have built-in password managers which are intuitive enough for regular people and provide sufficient security against these attacks.
And yet, passwords get guessed, stolen, re-used all the time. If you talk to regular people they still use pet names + a number because they want to be able to type it in everywhere.

It's not a solved problem, even if a rudimentary password manager is in most browsers.

Personally I don't know a single person outside of my tech bubble that uses passwords that you can't keep in your head, or write down on a piece of paper on their desk.

There's a simple trick to having a password that's easy to type, easy to remember, and is pretty darn secure: repetition. Just take your pet's name or whatever, type it several times, and then finish it off with a number or whatever. Should be resistant to typical dictionary and brute force attacks.
And you already identified the main problem with this strategy: "repetition".

As it's not possible to remember n passwords for n sites, if one of them gets hacked "darn secure" isn't so secure any more. The main point of password managers is that you don't have to remember your password and if it leaks out on one site, it doesn't matter as it's only used on that one site.

In this case, unfortunately, at least as it's being described publicly, your detailed information was at risk if someone you are (even distantly) related to failed to use a long, random, unique password.