
23andMe's action is very shady indeed. Most people won't notice that, and I doubt they've sent an email to anyone whose data was nicked informing them of the change to the Ts&Cs.
The saga of 23andMe's mega data breach has reached something of a conclusion, with the company saying its probe has determined millions of leaked records originated from illicit break-ins into just 14,000 accounts. In an update on Tuesday to a blog post sharing details of the attack, 23andMe said the breach, first reported in …
They'll need to - they won't be able to apply the new T&C if they didn't follow their own policy. That'd get shredded by any lawyer in court.
The whole "send the email and gamble they don't send an objection" trick is far more likely to work in aggregate, even if a few savvy folk spot the problem.
Plus the lawyers will have a field day with working out if this is even legit in all the numerous different jurisdictions.
As for over here? Well, as I understand it, in France mandatory arbitration is only for non-domestic/consumer contracts (if both parties agree) and it must be separate from the main contract (thus allowing one the option to disagree without breaking the main contract). I think Germany is stricter in this respect, and I suspect both countries' legal systems would frown upon something inserted into a contract that appears designed to impede a person's access to legal remedies.
However, as always, lawyers are expensive and looking stuff up in Google will get you a bunch of answers that contradict each other. ;) So don't assume this even remotely resembles legal advice.
That whole (extremely long) dispute section is just an indictment on US consumer laws. It's a series of hoops to jump through which are clearly discriminatory and designed purely to impede the consumer's ability to take legal action. Of course any well run company will put such a system in place if they can get away with it.
The equivalent section in 23andme's European TOS pretty much just says: Let us know if you have any complaint but your statutory rights aren't affected so go to court if you must, whatever.
https://www.23andme.com/en-gb/legal/terms-of-service/#dispute-resolution-arbitration
Credential stuffing. Same UserID and password. Same password because the user is lazy. Same UserID because sites insist on using email address for that and most users only have one. The reused password is irrelevant (the password's being weak is a separate matter) if the site issues arbitrary UserIDs. Email address as UserID is the gift that keeps giving - for the criminals.
You would prefer a unique userid, and so would I, but not so for the average customer, who uses the same password whenever possible. Don't forget, at the point of account creation the customer has _not yet paid_. The short attention span folks would click away in a heartbeat if asked to choose a userid. And if offered an arbitrary generated userid, that's just one more thing to forget.
"What's your userid?"
"I don't know."
"What's your email address?"
You and I probably come at this from different directions. Mine is one where, in addition to spending about half my working life in IT, I spent another third investigating crime whilst fully aware that investigation was a poor second to prevention.
We know that many people will use the same password, don't we?
We know that many people have only one email address, don't we?
Is it a good idea to help save users from themselves?
Maybe you'd answer "no" to the last one although a moment's thought should tell you they'll blame you if something like this happens to them. However, if we answer "yes" what steps can a system designer do to implement this?
One is to insist on a strong password and hope they don't use the same password elsewhere. If they have trouble remembering a password they'll probably reuse it, even if it is a strong one, so that doesn't necessarily protect them at all, and you can't be sure it will be unique.
Another is to use 2FA. That's a pain if the text is sent to a phone with a flat battery (a common state of mine) or takes an age to arrive for some reason (been there too). That's failing your requirement of making it easy for the customer to pay. What's more it has its own set of problems. It becomes a problem if the phone is lost or stolen, especially if there's information on there which indicates which site the owner uses. If that happens to your phone you should quickly realise that you are no longer you; whoever has hold of your phone is now you. And if as a site operator you use a third party to handle the 2FA you've just increased your chances of a supply chain attack.
You could try checking Have I Been Pwned to see if the credentials are there, warn the user if they are and insist on a different password. It's not 100% as the combination could have been stolen but not made its way there and even if it hasn't been stolen yet it's still lousy forward security.
So it comes down to not trusting the user to use a unique password nor to choose a unique user name if asked, but to simply assign an arbitrary account code and rely on the minuscule probability that the user doesn't have the same one elsewhere. There's nothing stopping you taking an email address as well - you'll probably need it anyway - but just realise it makes a crap user ID for anything other than the user's email.
My personal preference is a unique email address for anything that matters and a set of random characters generated by Keepass and stored there. For anything that doesn't matter they get the current email address for things that don't matter which will get replaced after a few weeks or months.
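The Have I Been Pwned check the comment above suggests can be done without ever sending the password or its full hash to the service. The Pwned Passwords range API takes only the first five hex characters of the SHA-1 and returns every matching suffix with a breach count (k-anonymity). The code below is an added example, not 23andMe's code or HIBP's own client; the fetcher and the breach counts in the offline sample bucket are constructed for the demo, and the HTTP fetcher is included only for real use.

```python
import hashlib
from typing import Callable, Dict

RangeFetcher = Callable[[str], str]  # prefix -> raw "SUFFIX:COUNT" lines


def sha1_upper(password: str) -> str:
    """HIBP keys its range buckets on the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line, CRLF) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines rather than failing the check
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """Breach count for the password, 0 if it is not in the returned bucket.
    Only the 5-character prefix leaves the host; matching happens locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def acceptable_for_signup(password: str, fetch_range: RangeFetcher) -> bool:
    """Signup policy from the comment above: any prior breach appearance rejects it.
    As the comment notes, a 0 here is not proof the credential was never stolen."""
    return pwned_count(password, fetch_range) == 0


def fetch_range_http(prefix: str) -> str:
    """Real fetcher against the public API (not used by the offline demo)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed offline bucket: the suffix of SHA-1("password") with a made-up
# count, plus a filler suffix, so the demo runs without network access.
_SAMPLE_BUCKET = {sha1_upper("password")[5:]: 3730471, "0" * 35: 1}


def constructed_fetcher(prefix: str) -> str:
    """Stand-in for fetch_range_http that only knows the bucket for "password"."""
    if prefix != sha1_upper("password")[:5]:
        return ""  # empty bucket: nothing known under that prefix
    return "\r\n".join(f"{s}:{c}" for s, c in _SAMPLE_BUCKET.items())
```

Swap `constructed_fetcher` for `fetch_range_http` to query the live service; the comparison logic stays identical.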
"A user ID is supposed to uniquely identify the user. It's not supposed to be an extra password. So email address is perfect for that."
If the string representing the user is not unique to the user/password combination as well as unique on the particular system then it isn't unique. And therein lies the problem.
I'd have thought that you should not draw attention to yourself. Expired or no car rego plates would be one thing I'd remedy before running off with the loot. It's also how McVeigh got arrested after he decided to blow up Oklahoma City.
Running into the cop cars out the front of the cop shop in a van full of meth is also a good practice to avoid.
https://www.smh.com.au/national/nsw/man-jailed-after-crashing-into-police-cars-with-260kg-of-drugs-in-van-20200911-p55utc.html