by codetrotter 987 days ago
> Why are you letting people log into an account from a brand-new IP with no additional verification?

Is that really feasible today? With widespread use of phones and laptops, most people probably have at least a handful of different IP addresses they regularly use (home WiFi, work WiFi, cellular connection) and then they randomly connect from new IP addresses like those from libraries, coffee shops, commute, etc.

I think most “normal” apps and websites today allow any random IP to log in without jumping through extra hoops.

Only companies with big budgets (Apple, Google, etc) make regular users jump through extra hoops.

Banks, B2B have users that need extra hoops as well.

But 23andMe. I would not expect them to take any extra steps.

7 comments

23andme isn't just any small company. They process people's DNA! It's about as personal information as you can get. And the stolen data included information about people's genetic ancestry. They should have very high-class security practices.
General question, but let’s say they get your genetic ancestry information. What could you do with that?
Researchers and scientists could do a lot with such data. A tyrannical government would find many uses in furtherance of their repressive tactics. Blackmailers can find high profile targets where genetic linkages have been obscured by births out of wedlock, incest, etc… Strange question. Data are valuable, it’s like most of our economy at this point.
But you already agree to let 23andme send your data to "research" partners. I can understand the blackmailer, but even that is a bit of a stretch. I just don't see what damage could be done, which is why I asked the question. If a tyrannical government wants DNA of its citizens, it could just force it. I doubt they would go buying it online with bitcoin.
> A tyrannical government would find many uses in furtherance of their repressive tactics.

Strange answer. What do you actually mean by this? "furtherance of their repressive tactics" can mean just about anything - which government are you talking about, and which tactics?

> Strange answer. What do you actually mean by this? "furtherance of their repressive tactics" can mean just about anything - which government are you talking about, and which tactics?

Any government with racist tendencies might make use of this data and decide someone has $GENE which is primarily seen in $ETHNIC_GROUP so should be treated as poorly as the government treats $ETHNIC_GROUP.

Please don't make this normal, it's absolutely tiresome to get codes for every single task.
Or include a setting for users that used a unique password.

When, five to ten years ago, everyone started sending email confirmations "is this really you??" when logging in with the correct username and password on the first try, I always contacted support to ask if that can be turned off. I figured the only way they were going to know it's a pain is if people complain. I have yet to learn of the first site where this is actually a choice...

Come to think of it, why haven't I made a Thunderbird plugin yet that recognises these emails and either sends the code to the browser or autotypes it. The credentials are filled in automatically, why not also their stupid email? Does this exist already?

I think most sites doing this use SMS codes, and they work really well on mobile. If they are sending an email it’s more likely to be a magic link with no password at all.
You don't use twitter, github, amazon, spotify, steam, discord, etc.? Maybe that you can turn on SMS instead of email, but sending people emails for every login is the default for those.

The only ones requiring an SMS for me are organisations with a bank license, which are obviously a minority of all the services out there.

(Fwiw, I avoid all of the above besides Spotify, but a lot of code happens to be on github, audio books are invariably ~3x cheaper on amazon compared to buying from the publisher directly, many game developers insist that you let steam take a cut and don't let you buy it from them directly... that's how come I know these things all insist on sending emails.)

Every time I log into my Chase account, it thinks I'm logging in from a new computer. Every single time. Nope, I've had the same computer for 3 years.
Is your browser set to clear cookies when you close it?
Many sites like Google including my banking sites send me an email when a new IP / location is used for login.

This alerts if there is a sudden login without my knowledge and one click to disable.

23&me could have definitely done that to alert logins.

It is 100% on 23&me even though used id/passwords were used.

Genetic data is by definition extremely personal.

It's exposed as "new IP" to the end user but it hides a lot of logic about ISP IP address pools for specific regions, behaviour of other devices, etc. For someone like Google, that's easy to pull off, as a lot of people use it, and people use it daily. But it's harder to get this technology for someone like 23andMe where people log in less often, and its product has low penetration of internet users.
Just do it all the time then? If it's infrequent it's also not much of a hassle.

GoG and Steam do "email 2fa" and while it's annoying they do it anyway as they are a "risky" target, IIUC.

> Many sites like Google including my banking sites send me an email when a new IP / location is used for login

All of whom I already mentioned in the comment you are responding to

2FA would've prevented those logins. I think sites should very much start mandating 2FA imho.
Drop a cookie in their browser and 2FA them if the cookie is not present. It's much less likely the attacker will have the users credentials AND cookies, so this raises the bar for the attacker without annoying the user too much.
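The two mechanisms the thread keeps coming back to, a "known device" cookie that skips 2FA and an alert when an account is used from an IP it has never seen, can be combined into one login decision. The code below is an added example, not from any commenter and not 23andMe's or Google's implementation; the cookie format, the `SERVER_KEY` secret, the user names and the IP addresses are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set, Tuple

# Constructed server-side secret; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def issue_device_cookie(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint an opaque 'known device' token bound to one user, signed with HMAC-SHA256."""
    payload = f"{user_id}:{secrets.token_hex(16)}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def cookie_is_valid(cookie: Optional[str], user_id: str, key: bytes = SERVER_KEY) -> bool:
    """True only if the tag verifies (constant-time) and the token was minted for this user."""
    if not cookie:
        return False
    payload, sep, tag = cookie.rpartition(":")
    if not sep or payload.split(":", 1)[0] != user_id:
        return False  # malformed, or a valid cookie belonging to a different account
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def login_decision(user_id: str, cookie: Optional[str], client_ip: str,
                   known_ips: Set[str]) -> Tuple[str, bool]:
    """Combine the two signals discussed in the thread, after the password has checked out.

    Returns (action, send_alert):
      action     -> "allow" when a valid device cookie is present, else "require_2fa"
      send_alert -> True when the source IP has never been seen on this account
    A correct password with no device cookie (the credential-stuffing case) lands
    in the "require_2fa" branch; a known device from a new IP is allowed but alerted.
    """
    trusted_device = cookie_is_valid(cookie, user_id)
    new_ip = client_ip not in known_ips
    action = "allow" if trusted_device else "require_2fa"
    return action, new_ip


if __name__ == "__main__":
    # Constructed sample account state.
    alice_ips = {"203.0.113.10", "198.51.100.7"}
    cookie = issue_device_cookie("alice")
    print(login_decision("alice", cookie, "203.0.113.10", alice_ips))  # ('allow', False)
    print(login_decision("alice", None, "192.0.2.55", alice_ips))      # ('require_2fa', True)
```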
Yes and people travel too. Even outside national borders sometimes, a prospect which my experience of having to use vpns to log into my payments apps demonstrates is somehow shocking to product managers driving cybersec policies in these companies.

tl;dr: logging in from an ip address of a strange faraway country should not be its own security flag. /endrant

> and then they randomly connect from new IP addresses like those from libraries, coffee shops, commute, etc

And most of the regularly used networks probably aren't using a static IP anyways.