by somsak2 987 days ago
Even if this is the case, 23andMe should have done better here. Why are you letting people log into an account from a brand-new IP with no additional verification? You have their email, you could have at least done 2FA with that. And as other commenters mentioned, CAPTCHA would have also made this slower / more expensive. At my employer, we use both, and so it is not the case that this "could be done on literally any website."

For such a mature business (that is publicly-traded, no less!) it is shameful to allow credential stuffing on the scale of millions of accounts.

12 comments

> Why are you letting people log into an account from a brand-new IP with no additional verification?

Is that really feasible today? With widespread use of phones and laptops, most people probably have at least a handful of different IP addresses they regularly use (home WiFi, work WiFi, cellular connection) and then they randomly connect from new IP addresses like those from libraries, coffee shops, commute, etc.

I think most “normal” apps and websites today allow any random IP to log in without jumping through extra hoops.

Only companies with big budgets (Apple, Google, etc) make regular users jump through extra hoops.

Banks, B2B have users that need extra hoops as well.

But 23andMe. I would not expect them to take any extra steps.

23andme isn't just any small company. They process people's DNA! It's about as personal information as you can get. And the stolen data included information about people's genetic ancestry. They should have very high-class security practices.
General question, but let’s say they get your genetic ancestry information. What could you do with that?
Researchers and scientists could do a lot with such data. A tyrannical government would find many uses in furtherance of their repressive tactics. Blackmailers can find high profile targets where genetic linkages have been obscured by births out of wedlock, incest, etc… Strange question. Data are valuable, it’s like most of our economy at this point.
But you already agree to let 23andme send your data to "research" partners. I can understand the blackmailer, but even that is a bit of a stretch. I just don't see what damage could be done, which is why I asked the question. If a tyrannical government wants DNA of its citizens, it could just force it. I doubt they would go buying it online with bitcoin.
> A tyrannical government would find many uses in furtherance of their repressive tactics.

Strange answer. What do you actually mean by this? "furtherance of their repressive tactics" can mean just about anything - which government are you talking about, and which tactics?

> Strange answer. What do you actually mean by this? "furtherance of their repressive tactics" can mean just about anything - which government are you talking about, and which tactics?

Any government with racist tendencies might make use of this data and decide someone has $GENE which is primarily seen in $ETHNIC_GROUP so should be treated as poorly as the government treats $ETHNIC_GROUP

Please don't make this normal it's absolutely tiresome to get codes for every single task
Or include a setting for users that used a unique password.

When, five to ten years ago, everyone started sending email confirmations ("is this really you??") when logging in with the correct username and password on the first try, I always contacted support to ask whether that could be turned off. I figured the only way they were going to know it's a pain is if people complain. I have yet to learn of the first site where this is actually a choice...

Come to think of it, why haven't I made a Thunderbird plugin yet that recognises these emails and either sends the code to the browser or autotypes it. The credentials are filled in automatically, why not also their stupid email? Does this exist already?

I think most sites doing this use SMS codes, and they work really well on mobile. If they are sending an email it’s more likely a magic link with no password at all.
You don't use twitter, github, amazon, spotify, steam, discord, etc.? Maybe you can turn on SMS instead of email, but sending people emails for every login is the default for those.

The only ones requiring an SMS for me are organisations with a bank license, which are obviously a minority of all the services out there.

(Fwiw, I avoid all of the above besides Spotify, but a lot of code happens to be on github, audio books are invariably ~3x cheaper on amazon compared to buying from the publisher directly, many game developers insist that you let steam take a cut and don't let you buy it from them directly... that's how come I know these things all insist on sending emails.)

Every time I log into my Chase account, it thinks I'm logging in from a new computer. Every single time. Nope, I've had the same computer for 3 years.
Is your browser set to clear cookies when you close it?
Many sites like Google including my banking sites send me an email when a new IP / location is used for login.

This alerts if there is a sudden login without my knowledge and one click to disable.

23&me could have definitely done that to alert logins.

It is 100% on 23&me even though used id/passwords were used.

Genetic data is by definition extremely personal.

It's exposed as "new IP" to the end user but it hides a lot of logic about ISP IP address pools for specific regions, behaviour of other devices, etc. For someone like Google, that's easy to pull off, as a lot of people use it, and people use it daily. But it's harder to get this technology for someone like 23andMe where people log in less often, and its product has low penetration of internet users.
Just do it all the time then? If it's infrequent it's also not much of a hassle.

GoG and Steam do "email 2fa" and while it's annoying they do it anyway as they are a "risky" target, IIUC.

> Many sites like Google including my banking sites send me an email when a new IP / location is used for login

All of whom I already mentioned in the comment you are responding to

2FA would've prevented those logins. I think sites should very much start mandating 2FA imho.
Drop a cookie in their browser and 2FA them if the cookie is not present. It's much less likely the attacker will have the users credentials AND cookies, so this raises the bar for the attacker without annoying the user too much.
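One way to implement the cookie check this comment describes, as an added example that is not from the thread or from 23andMe: a signed device-recognition cookie (HMAC over user id and issue time) that, when missing, tampered or expired, routes a correct-password login to a step-up check instead of straight in. The key, the 90-day lifetime and the function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE = 90 * 86400  # recognise a device for 90 days (assumed policy)

def issue_device_cookie(user_id: str, now: Optional[int] = None) -> str:
    """Mint a device-recognition cookie: user id, issue time, HMAC-SHA256 tag."""
    ts = int(time.time()) if now is None else now
    payload = f"{user_id}|{ts}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{user_id}|{ts}|{tag}"

def device_is_known(cookie: Optional[str], user_id: str, now: Optional[int] = None) -> bool:
    """True only if the cookie is intact, belongs to this user and is not expired."""
    if not cookie:
        return False
    try:
        cookie_user, ts_str, tag = cookie.split("|")
        ts = int(ts_str)
    except ValueError:
        return False  # malformed cookie is treated as absent
    expected = hmac.new(SERVER_KEY, f"{cookie_user}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered tag
    current = int(time.time()) if now is None else now
    return cookie_user == user_id and 0 <= current - ts <= MAX_AGE

def login_decision(password_ok: bool, cookie: Optional[str], user_id: str,
                   now: Optional[int] = None) -> str:
    """Decide what happens after the password check: deny, allow, or step_up.
    step_up means: ask for an email/TOTP code, and only then issue a fresh cookie."""
    if not password_ok:
        return "deny"
    if device_is_known(cookie, user_id, now):
        return "allow"
    return "step_up"
```

A stuffed credential that is correct still lands in `step_up`, because the attacker's browser has no cookie for that user; the legitimate user on a known device never sees the extra prompt.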
Yes and people travel too. Even outside national borders sometimes, a prospect which my experience of having to use vpns to log into my payments apps demonstrates is somehow shocking to product managers driving cybersec policies in these companies.

tl;dr: logging in from an ip address of a strange faraway country should not be its own security flag. /endrant

> and then they randomly connect from new IP addresses like those from libraries, coffee shops, commute, etc

And most of the regularly used networks probably aren't using a static IP anyways.

I have to agree.

Why blame the users for a broken by design security model like password auth? Credential stuffing attacks are a known weakness. We cannot reasonably expect everybody to take precautions against them.

I've just become very irate at how people implement absolutely absurdly bad security and people just blame users when the inevitable happens. These attacks have happened for decades. It's not the fault of the users.

> Why are you letting people log into an account from a brand-new IP with no additional verification?

Because having to play a game of "Simon Says" every time I try to log into an account pisses off customers.

Humble Bundle, for example, lost several sales because you can't even buy a game for an e-mail address that has an account without logging into the account, which requires not just the password (stored in my password manager that I may not have with me everywhere I have my credit card), but also logging into my e-mail and clicking a link.

The EU has decided to force banks and payment providers to implement this nonsense because companies like e.g. PayPal decided to rather eat the cost of non-prevented fraud than putting an extra barrier in front of users and losing the users to competitors (by forcing everyone to do it, they prevented companies from competing on this aspect of UX).

This story about genetic data and other sensitive health data being leaked doesn't really make the case for letting the market solve this particular problem without onerous regulations.

I suppose massively increasing the liability would solve the problem by doing a little of both.

Private companies should not be holding such data regardless, so the point becomes moot.
Because many people change IPs all the time between devices and such, and it's a user hostile practice to ask for an email code on login

Instead they could've monitored the password leaks to see if those got exposed

You can scrape email/sms for codes automatically and add them to the clipboard or autofill, and what does user hostile even mean? User hostile is losing all of a users data because you were more concerned with customers liking how easy your service is to use than you were about ensuring your service didn't hurt them.

You can do better than email/sms, especially sms, but they're transitionary technologies. I login to way more things than most people do way more often. I don't use password authentication alone unless it's literally my only option.

> You can scrape email/sms for codes automatically

IF they arrive right away, which isn't guaranteed for either method. Also, do you seriously suggest every single user set up some kind of x-platform scraping service (how would you scrape an SMS code to a computer's clipboard)???

"user hostile" means that you impose a cost on users without consent and in many cases without benefit

> I don't use password authentication alone unless it's literally my only option.

That's fine, but this isn't a conversation about you. I'm fine with a high-entropy auto-generated password for a huge bunch of services

Reading passwords from SMS is already in Android and iOS, passwords from emails is in iOS (with mail). For that matter, there is no reason TOTP codes can’t be autofilled along with your username/password. The tooling around this stuff keeps getting better and more widespread because it’s getting more prevalent.

>How would you scrape an SMS code to a computer’s clipboard

https://support.apple.com/en-us/guide/safari/ibrwa4a6c6c6/ma...

There’s no technical reason this same idea can’t work with every OS.

>impose a cost on users without consent

We have 1.3 million people who had their personal information leaked by an anti-Semite. More people are impacted by the breach in privacy than just the people who reused their passwords. The level of security was not appropriate to the context. Forcing costs on users can be good when said users are handling sensitive PII.

> The tooling around this stuff keeps getting better

> There’s no technical reason this same idea can’t work with every OS.

And until it gets that good and works on every OS you have no argument.

> Forcing costs on users can be good when said users are handling sensitive PII.

No it can't, why do you think you can impose your personal oversensitive value judgements re. PII on every single user???

> Why are you letting people log into an account from a brand-new IP with no additional verification?

The opposite is the bigger WTF: why are they letting so many different people log in from the same IP at the same time? That’s a red flag on every fraud detection system I’ve seen. Not to mention there would be many failed logins for different accounts, which is also a pretty strong warning.
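The two signals named in this comment (many different accounts from one IP, plus many failed logins), as an added detection example that is not from the thread: it runs over a constructed login log, flags IPs whose sliding 10-minute window shows both signals, and lists the accounts that succeeded from those IPs so they can be reset and notified. The log format, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login attempts (not real logs from the incident).
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=fail
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=success
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=fail
2023-10-01T12:00:04Z ip=203.0.113.5 user=erin result=fail
2023-10-01T12:00:05Z ip=203.0.113.5 user=frank result=success
2023-10-01T12:05:00Z ip=198.51.100.7 user=grace result=fail
2023-10-01T12:05:30Z ip=198.51.100.7 user=grace result=success
"""

def parse_line(line: str) -> dict:
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def stuffing_suspects(log_text: str, window: timedelta = timedelta(minutes=10),
                      min_accounts: int = 5, min_failures: int = 3) -> dict:
    """Map suspect IP -> (distinct accounts, failures) in its busiest window.
    The signal is many *different* accounts from one IP in a short window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over time
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            accounts = {r["user"] for r in win}
            failures = sum(r["result"] == "fail" for r in win)
            if len(accounts) >= min_accounts and failures >= min_failures:
                suspects[ip] = max(suspects.get(ip, (0, 0)), (len(accounts), failures))
    return suspects

def accounts_to_reset(log_text: str) -> set:
    """Accounts that succeeded from a suspect IP: their reused password worked,
    so they need a forced reset and a notification."""
    bad_ips = stuffing_suspects(log_text)
    recs = map(parse_line, filter(str.strip, log_text.splitlines()))
    return {r["user"] for r in recs if r["ip"] in bad_ips and r["result"] == "success"}
```

The single account retrying from 198.51.100.7 is never flagged, which is the point: a user mistyping their own password looks nothing like one IP walking a credential list.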

Because some people don't get a static IP from their ISP and they don't want to go through e-mail verification every day. At this point, some sites require this workflow from me:

    1. Solve CAPTCHA for log-in form
    2. Log in with valid password
    3. Open E-Mail client, maybe even log into your e-mail with the same workflow if not done yet
    4. Verify the IP via E-Mail 
    5. Surf to website log-in form again
    6. Solve CAPTCHA for log-in form again
    7. Log in again with a valid password
    8. Verify with 2FA code
Thanks, I hate it. It feels like step 1 to 7 could be skipped.
> Why are you letting people log into an account from a brand-new IP with no additional verification?

Because they knew the password! That's what passwords are for. Please don't try to make life any more difficult for your users than it has to be.

Forcing people to use an E-mail address as a user ID is so amateur-hour that I don't even know where to begin dismantling it. You don't see banks or brokerages doing this.

Why is it so dumb? Because the vast, vast majority of people have no idea how any of this shit works. So, when a company demands that you sign up with your E-mail address and enter a password, a great many people are going to think they have to use their E-mail password too. This makes every one of these sites a gatekeeper to its users' E-mail accounts. If their security practices suck and they're hacked, or a disgruntled employee steals their records, or whatever... now a ton of their users' E-mail accounts are open for mining.

The failure to think this obvious scenario through is appalling. It's also appalling to see companies like Apple perpetrating this stupid behavior, especially AFTER the fact. Apple IDs originally did not have to be E-mail addresses. And later on, they did not have to be FUNCTIONING E-mail addresses. Now they've regressed all the way and they have to be both. And so Apple, per its usual M.O., has had to tack on various extra measures since then to try to shore up security.

In case you couldn't tell, I absolutely detest this policy.

> Because the vast, vast majority of people have no idea how any of this shit works.

Then don't let them use it. We don't let people drive who don't know how to safely operate a car. We don't let people make food in commercial kitchens without training. We let users run free with no knowledge, then build systems to stop them from hurting themselves; it's absurd.

> Why are you letting people log into an account from a brand-new IP with no additional verification?

Loosening this requirement to new country / carrier would make life easier for users at small cost to security.

Because IP addresses change frequently. I’m much less likely to use websites that require me to wait for a code in my email each time I use them and I don’t think I’m in the minority. Email/SMS codes are a useless checkbox in the security audit that companies need to stop implementing.
A friend of mine lost access to an email account of theirs, even though they remembered the username and password, since the IP address changed and the recovery methods weren't accessible any more (old phone number).
That website sounds like a lot of fun to use for people who travel (and often have a new IP).