Hope this isn’t a repeated submission. Funny how they’re trying to deflect blame after they tried to change the EULA post breach.

  • JohnEdwa@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    11 months ago

    You didn’t read it either. They gained access to shared information between the accounts because both accounts had enabled “share my info with my relatives” option.

    Logging into someones Facebook and seeing their friends and all the stuff they posted as “friends only” and their private DM discussions isn’t a hack or a vulnerability, it’s how the website works.

    • sudneo@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      11 months ago

      It doesn’t matter. It is a known attack and the company should have implemented measures against it.

      At the very least, they should have made a threat modeling exercise and concluded that with this sharing feature, the compromise of a single account can lead to compromise of data for other users. One possible conclusion is that users who shared data should be forced to have 2fa.

    • sudneo@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      11 months ago

      It doesn’t matter. It is a known attack and the company should have implemented measures against it.

      At the very least, they should have made a threat modeling exercise and concluded that with this sharing feature, the compromise of a single account can lead to compromise of data for other users. One possible conclusion is that users who shared data should be forced to have 2fa.

    • Hegar@kbin.social
      link
      fedilink
      arrow-up
      2
      arrow-down
      2
      ·
      edit-2
      11 months ago

      Laughing a feature that lets an inevitable attack access 500 other people’s info for every comprimised account is a glaring security failure.

      Accounting for foreseeable risks to users’ data is the company’s responsibility and they launched a feature that made a massive breach inevitable. It’s not the users’ fault for opting in to a feature that obviously should never have been launched.