• Telorand@reddthat.com
    link
    fedilink
    English
    arrow-up
    23
    arrow-down
    4
    ·
    3 months ago

    Seems like a paltry amount, given what savvy social engineers could do with that data.

    If you don’t use proper security practices, you should be on the hook for prison time at a minimum.

    • douglasg14b@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      edit-2
      3 months ago

      It should be $0 because this was a credential stuffing attack (Using breached passwords people reused), and affected people who knowingly shared their data with other people.

      23&me didn’t leak data, they didn’t have any database breaches, their infrastructure wasn’t compromised due to negligence…etc The majority share of negligence is in the users here.

      Yes, they should have MFA, but also no, most sites and services don’t force you to use MFA to begin with, and that’s not a regulatory requirement anyways.

      This is, for the most part, the fault of the folks using terrible security practices such as refusing passwords and sharing their data with other users. And this is a shitty precedent to set where the technical reasons for this event are thrown out the window in favor of the politics of it.

      • Telorand@reddthat.com
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        3 months ago

        Who would I jail? The C-officers. Your shit show, your responsibility. If you can’t trust your employees, figure out why or do the work yourself.

        • gsfraley@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          3 months ago

          I’ve always been hugely in favor of it. It’s the one change that could maybe justify their gargantuan salaries – if your company causes harm and suffering, the leaders absolutely need to be put on the hook.