Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

    • Adalast@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      2
      ·
      10 months ago

      From what I’m seeing, the hackers used the weak password accounts to access a larger vulnerability once they were behind the curtain. The company I work for deals with sensitive proprietary data daily and we are keenly aware that individuals should never have an opportunity to access the information if any other user. Things like single-user quarantining of data blocks are a minimum for security. Users log in and live on their own private island floating in a void. On top of that use behavior tracking to detect access patterns that attempt to exit the void and revoke credentials. That is also not even remotely mentioning that you have a single point of access entering thousands of accounts. That on it’s own should be throwing enough red flags to pull down the webserver for a few minutes to hours. There is a lot they could have done.

      • JohnEdwa@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        10 months ago

        It wasn’t exploiting a vulnerability, they gained access to other peoples data because the site has a deliberate feature to share your data with your relatives if both have allowed that. That’s why the term used is “scraped”, they copied what the site showed.
        When someone logs in to a Facebook account, it’s not a vulnerability that they can now see all of the info their friends have set to “friends only”, essentially.

        Also they used a botnet so the login attempts weren’t suspicious enough to do anything about - they weren’t brute forcing a single user multiple times, but each trying once with the correct password.

    • psud@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      Yes, one of those “confirm it’s you” emails. They’re less intrusive than regular 2FA, and are only needed when a user logs in from a machine without the right cookie

    • pflanzenregal@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      10 months ago

      Hello, as I said, it’s about “security by design”, which means to design a system that ‘doesn’t allow for insecure things’ in the first place. Like a microwave oven doesn’t operate when the door is open. IT-/cyber-security is a complex field, but 2FA is a good place to start, regarding user facing services. There are lots more things than that of course.