I absolutely have an axe to grind against consumer harm incurred by lazy and/or negligent technology companies (all companies, really, just scoping for this convo). Guilty as charged. When good behavior is not forthcoming, spin up regulators and the legal framework.
EDIT: I do not believe this is an unreasonable position to take. Years ago, I interviewed with the CTO of 23andme and almost took an infra job there (comp too low) ~12 years ago. I am a customer. I have mostly good things to say about them as an org. That is not a free pass when you do harm. Do better, it is not hard.
It’s not lazy or negligent on the part of the website when they offer additional security and users choose not to use it. 23andMe asks multiple times for users to set up 2FA and apps like 1Password and Bitwarden recognize that it’s available and prompt users to set it up.
It is when those users' passwords unlock not just their own data, but that of millions of other users as well.
Alice could have set up 2FA and adhered to all the best practices, but she still got her data stolen because Bob used "hunter2" and was hacked.
14,000 accounts compromised, 7 million users' data taken. There's no way 23andMe should be able to offload their responsibilities to Alice's cousin Bob.
That's not what happened. The 7 million users didn't have their data stolen. The compromised accounts had access to data that those users opted-in to share with those accounts.
Imagine that you have a bank account and you share access to it with a family member. If they use "Password1" for their password and someone gets into their account and then, by extension, has access to whatever level of access you've provided them to your account, is that the bank's fault? Is it yours? Is it your family member's?
Your analogy doesn't fit here. There is no scenario where accessing the accounts of 14,000 banking clients would then blow up to several million clients' accounts. Any bank that even offered this "feature" would, yes, be at fault.
There seems to be some transitiveness going on here. Let's go with the banking scenario: I give my son access to my checking account, and I also give my business partner access. My son is a dumbass, and uses the same password for everything. Now my business partner's info is taken. His parents get hacked as well.
From 14,000 to 7,000,000 is quite the amplification. That's on 23andMe and nobody else.
The analogy does fit. You're just mischaracterizing it. To continue on with your example, that's not what happened with 23andMe. If you gave your son access to your checking account via some account info sharing feature and someone gets access to his account, they have access to the same accounts he does and only those. Your business partner's info is safe unless he also shared his account with your son and his parents' info is safe unless they also shared with him.
The only info that was available from the 7 million accounts was specific info that they chose to share with the other account. If they chose to share everything, then everything would be available. 23andMe can't prevent their users from being idiots.
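The disagreement above is about whether exposure through opt-in sharing is transitive. As an added illustration (not code from any commenter or from 23andMe), this models a sharing graph and compares the direct blast radius of a set of compromised accounts with the worst case if sharing chained; the account names and the graph are constructed to mirror the son/business-partner example.

```python
# Added example: blast radius of compromised accounts in an opt-in sharing system.
# `shares` maps an owner to the set of accounts it chose to share data with.
from collections import defaultdict


def _reverse_edges(shares):
    """viewer -> set of owners who shared data with that viewer."""
    reverse = defaultdict(set)
    for owner, viewers in shares.items():
        for viewer in viewers:
            reverse[viewer].add(owner)
    return reverse


def exposed_accounts(shares, compromised):
    """Accounts whose shared data is readable from the compromised accounts.

    Visibility is NOT transitive: a compromised account reveals only what
    other users shared directly with it, plus its own data.
    """
    reverse = _reverse_edges(shares)
    exposed = set(compromised)
    for acct in compromised:
        exposed |= reverse[acct]
    return exposed


def transitive_exposure(shares, compromised):
    """Worst case if sharing chained (the 'amplification' reading):
    repeatedly follow share edges backwards from every exposed account."""
    reverse = _reverse_edges(shares)
    exposed, frontier = set(compromised), set(compromised)
    while frontier:
        nxt = set()
        for acct in frontier:
            nxt |= reverse[acct] - exposed
        exposed |= nxt
        frontier = nxt
    return exposed


# Constructed sharing graph (hypothetical account names).
SHARES = {
    "me": {"son", "partner"},        # I share with my son and my business partner
    "partner": {"me"},               # partner shares with me
    "partner_parents": {"partner"},  # partner's parents share with partner only
    "alice": {"bob"},                # Alice opted in to share with cousin Bob
}

if __name__ == "__main__":
    print("direct:    ", sorted(exposed_accounts(SHARES, {"son"})))
    print("transitive:", sorted(transitive_exposure(SHARES, {"son"})))
```

With only the son's account compromised, the direct model exposes just the son and me; the chained model would also pull in the partner and the partner's parents, which is the difference the two commenters are arguing about.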
> The new NIST recommendations mean that every time a user gives you a password, it’s your responsibility as a developer to check their password against a list of breached passwords and prevent the user from using a previously breached password.
This assumes the breached password occurrence was known in advance and, from what I have read so far about this, was not the case with the 23andMe accounts.
You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.
I agree that is a good idea, but that doesn't lay the blame of this so fully at their users' feet. This won't always catch password reuse attacks (now called "credential stuffing", I think), and is only a partial mitigation.