There seemed to be an awful lot of time gone on the 23andMe credential stuffing situation this week, but I think it strikes a lot of important chords. We're (us as end users) still reusing credentials, still not turning on MFA and still trying to sue when we don't do these things. And we as builders are still creating systems that allow this to happen en mass. All that said, I don't know how we build systems that are resilient to a single person coming along and entering someone else's (probably) reused credentials into a normal browser session, at least not without introducing additional barriers to entry that will upset the marketing manager. And so, I'm back at the only logical conclusion I think we can all agree on right now: it's a great time to be working in this industry 😊
References
- Sponsored by: Online fraud is everywhere. Secure your finances and personal info with Aura’s award-winning identity protection. Protect your identity now.
- 23andMe has been getting hammered in a credential stuffing attack (as I always say, defending against this is a shared responsibility: individuals need to work on their account security hygiene, and websites need to expect and defend against this sort of thing)
- And now they're getting sued in a class action, a mere 4 days after the event 🤦♂️ (someone really should write a blog post about how stupid this is...)
- ...here's a blog post about how stupid class actions like this are! (when I'm getting lawyers asking me to advertise their class action suits on HIBP, you know damn well who's getting rich out of all this, and it ain't the plaintiffs)
- The Bureau van Dijk data breach is now in HIBP (we should be asking a lot more questions about why data aggregators collecting this sort of info still exist)