by hazmazlaz 883 days ago
Yes, this is exactly what could have been (and in my opinion, should have been) done to prevent this kind of "credential stuffing" attack. By taking a known corpus of exposed passwords and comparing the hashed values against existing user password hashes, the company could have proactively locked accounts and forced password resets for users who had previously chosen weak passwords, and prevented new weak passwords from being chosen as well. This is quickly becoming an industry standard practice, and 23andMe likely knows that and is trying to make the argument that it's not their problem and has nothing to do with them (wrong).
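The screening the comment describes, as an added example that is not part of the commenter's post and not 23andMe's code: a constructed corpus of exposed passwords is indexed by SHA-1 hash prefix (the k-anonymity range scheme that Pwned-Passwords-style services use), new passwords are rejected at registration if they appear in it, and existing accounts are flagged for a forced reset when a known-exposed password is used at login. The user store, the `login_and_screen` hook and the corpus contents are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample corpus standing in for a real list of exposed passwords
# (e.g. one assembled from public breach dumps). Only the hashes need to be kept.
EXPOSED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password; this is how such corpora are usually keyed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Bucket corpus hashes by their first five hex chars (the k-anonymity range)."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


BREACH_INDEX = build_prefix_index(EXPOSED_PASSWORDS)


def range_lookup(prefix: str) -> set:
    """Simulated corpus service: for a 5-char prefix, return every suffix in that bucket.
    The service never sees the full hash, let alone the password."""
    return set(BREACH_INDEX.get(prefix.upper(), ()))


def is_exposed(password: str) -> bool:
    """Check a plaintext password against the corpus through the range lookup."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def check_new_password(password: str, min_length: int = 12):
    """Registration / password-change gate: reject exposed or too-short passwords."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if is_exposed(password):
        reasons.append("appears in exposed-password corpus")
    return (not reasons, reasons)


# Stored credentials are salted and stretched, so they cannot be matched against the
# corpus offline; the comparison has to happen when the plaintext is available (login).

def store_password(password: str) -> dict:
    """Hypothetical user record: random salt + PBKDF2-HMAC-SHA256 (constructed)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return {"salt": salt, "hash": digest, "must_reset": False}


def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])


def login_and_screen(users: dict, username: str, password: str) -> dict:
    """Authenticate; on success, screen the plaintext against the corpus and, if it is
    exposed, flag the account so the next step is a forced password reset."""
    record = users.get(username)
    if record is None or not verify_password(password, record):
        return {"authenticated": False, "force_reset": False}
    if is_exposed(password):
        record["must_reset"] = True
    return {"authenticated": True, "force_reset": record["must_reset"]}


if __name__ == "__main__":
    users = {"alice": store_password("letmein"), "bob": store_password("x7#Lq9!vR2wZ")}
    print(check_new_password("password"))
    print(login_and_screen(users, "alice", "letmein"))
    print(login_and_screen(users, "bob", "x7#Lq9!vR2wZ"))
```

Because the stored hashes are salted, a one-off offline sweep of the user table against the corpus is not possible with this scheme; the screening has to be wired into the login and password-change paths, where the plaintext is briefly available, and the `must_reset` flag is what drives the lock-and-reset the comment calls for.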