
Not gonna bother responding to the turfer comments in this thread but they're roughly analogous to saying "because you use facebook it is therefore your fault when facebook leaks your data because you voluntarily shared that data with facebook."

Legally, logically, and ethically this is an absurd argument on its face.



To borrow your analogy, though, Facebook (23andMe) didn’t leak anyone’s data. That’s the issue with your position.

Also, the turfer comment makes you seem like a conspiracy theorist. There’s nothing untoward about the replies you’ve received so far that is off enough to suggest astroturfing.


Who did then? It happened on their site, they had the means to control/monitor/mitigate it. Are you saying then that if someone hacks into facebook, steals data, it is then not facebook's responsibility that that happened because they didn't publish the data?

Even the backwards cybersecurity laws in the US don't work that way.


I think you’re misunderstanding what happened in this situation. Nothing was stolen from 23andMe and no 23andMe accounts were “hacked into”. The “hack” happened on another site and the hacker got a database leak of usernames and passwords for that site (not 23andMe). Some of the users of that site used the exact same email addresses and passwords for their 23andMe accounts.

If you use “Hunter2” as a password for all of your accounts and AOL gets hacked, the hackers know your password is “Hunter2”. If they get into your Facebook or Gmail account because you also used “Hunter2” there, that is neither Facebook’s nor Gmail’s fault. It is your own fault.


So now we're playing a semantics game about what the word "hack" refers to in this context? Users gained unauthorized access to 23andMe and used that access to get access to data, and 23andMe had full control of mitigating, monitoring, and preventing this type of attack. Is that better? Doesn't really change my salient point at all.

In your example the site is fully capable of preventing weak passwords or enforcing things like MFA that make this type of attack a lot less effective. It may surprise you to know that most websites already do this!


No, we're not playing a semantics game. The access wasn't "unauthorized" if the person that "hacked" it was using the person's right email and password. MFA was also available and the hacked accounts did not have it enabled. It's not 23andMe's fault that users reused passwords and chose not to enable MFA. This isn't about weak passwords or passwords that were known to be leaked on sites like HaveIBeenPwned. Was there more they could have done? Of course. Is it their fault? Absolutely not. Are they liable in any sort of legal sense? Absolutely not.
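The exchange above describes credential stuffing: an attacker replays email/password pairs leaked from one site against another, and the site's available countermeasures are MFA, refusing passwords already known to be breached, and spotting the replay in its own login telemetry. The following is an added example (not code from 23andMe or from any commenter in the thread) showing two of those server-side checks: a detector that flags a source IP trying many distinct accounts with a low success rate, and a HaveIBeenPwned-style k-anonymity lookup against a breached-password corpus. The log lines, the IP addresses, and the breached-password list are all constructed for the example; a real deployment would query the Pwned Passwords range API instead of the local stand-in index.

```python
"""Added example: detect a credential-stuffing run in auth logs and reject
passwords present in a breach corpus. Sample log and password list are
constructed; they are not real 23andMe data."""
import hashlib
from collections import defaultdict

# Constructed auth log: one attacker IP (203.0.113.7, a documentation
# range) replaying leaked pairs against many accounts, two of which reused
# their leaked password, plus a normal user who mistypes once.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob@example.com result=success
2023-10-01T12:00:03Z ip=203.0.113.7 user=carol@example.com result=fail
2023-10-01T12:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2023-10-01T12:00:05Z ip=203.0.113.7 user=erin@example.com result=success
2023-10-01T12:00:06Z ip=203.0.113.7 user=frank@example.com result=fail
2023-10-01T12:00:07Z ip=203.0.113.7 user=grace@example.com result=fail
2023-10-01T12:00:08Z ip=203.0.113.7 user=heidi@example.com result=fail
2023-10-01T12:01:00Z ip=198.51.100.9 user=ivan@example.com result=fail
2023-10-01T12:01:05Z ip=198.51.100.9 user=ivan@example.com result=success
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ev = {"ts": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        if all(k in ev for k in ("ip", "user", "result")):
            events.append(ev)
    return events


def detect_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that touch many distinct accounts with mostly failures.

    A legitimate user from one IP hits one or two accounts; a stuffing run
    hits dozens. Successful logins inside a flagged run are the accounts
    whose reused password worked: those need a forced reset and an MFA
    challenge, not just a blocked IP.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "ok": 0, "compromised": set()})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["attempts"] += 1
        if ev["result"] == "success":
            stats["ok"] += 1
            stats["compromised"].add(ev["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "accounts_tried": len(stats["users"]),
                "success_rate": rate,
                "compromised": sorted(stats["compromised"]),
            }
    return flagged


# Constructed stand-in for a leaked-password corpus. The real HIBP Pwned
# Passwords service takes the first 5 hex chars of the SHA-1 and returns
# every matching suffix, so the full hash never leaves the caller.
BREACHED_PASSWORDS = ["Hunter2", "password", "123456", "letmein"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index breached hashes by 5-char SHA-1 prefix, mirroring the range API."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(password, range_index):
    """k-anonymity check: look up by prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_index.get(digest[:5], set())


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"stuffing from {ip}: {info}")
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ("Hunter2", "correct horse battery staple"):
        print(candidate, "breached" if is_breached(candidate, idx) else "ok")
```

The thresholds in `detect_credential_stuffing` are illustrative; in production they would be tuned per login endpoint and combined with rate limiting and MFA enforcement so that a valid reused password alone is not enough to reach account data.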



