Those users signed up for a service with poor security controls (no 2FA, no requirement to rotate passwords at regular intervals) and then checked a box saying "share my data with other accounts."
So while I agree with you that those users are not responsible for the accounts that were actually compromised, they were fully responsible for sharing their data on that service without fully thinking the implications through. 23andMe is not blameless--it's their poor security controls that allowed it to happen in the first place--but I strongly feel people do not take security and privacy as seriously as they should and as a result do share at least some of the blame.
Is that true though? I agree they're annoying and in an ideal world where users don't reuse passwords or leaked hashes can't be broken they'd be pointless--but in this case I think it certainly would have protected at least some of the accounts that were reusing breached passwords. Is there actual evidence/research that proves password rotation has no effect on security in the event of breaches?
>in sum, these security-specific observations and the results in Section 3 suggest the security benefit of password aging policies are at best partial and minor. Combining this with the well-known and widely experienced (negative) usability impact of password aging policies, and results [18] mentioned earlier on high predictability of new passwords from knowledge of old, the burden appears to shift to those who continue to support password aging policies, to explain why, and in which specific circumstances, a substantiating benefit is evident.
>Although change regimes are employed to reduce the impact of an undetected security breach, our findings suggest that they reduce the overall password security in an organization.
There have been several more, and I'm sure that NIST and others did their own additional analysis prior to changing their recommendations which may not have been made public.
Fair enough. Seems like the conclusions drawn are not that it doesn't improve security, rather it does not improve security enough to justify the added burden to users and support staff.
I'd venture that this 23andMe situation is one of the scenarios where password expiration could have significantly improved the outcome, but I concede that it was a poor example for me to use.
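As an added illustration of the tradeoff argued in this exchange, not code from the thread, from 23andMe, or from the cited papers: a small Python model of how much a forced-rotation policy would limit exposure to stuffing with reused, previously breached passwords. Every parameter (rotation interval, leak dates, the share of users who pick a predictable variant of the old password) is a constructed assumption, chosen only to make the two effects the quoted papers mention visible side by side: rotation helps only for accounts whose password leaked before the user's most recent change, and it helps not at all when the "new" password is a trivial tweak of the leaked one.

```python
"""Toy model: does a password-rotation policy protect an account whose reused
password has already appeared in a third-party breach?

Constructed example for discussion; all inputs are assumptions, not measurements.
"""
import random
from dataclasses import dataclass


@dataclass
class Account:
    leak_day: int            # day the reused password appeared in a breach dump
    rotations: list[int]     # days on which policy forced a password change
    trivial_variant: bool    # new password was a predictable tweak of the old one


def protected_by_rotation(acct: Account, attack_day: int) -> bool:
    """True if the leaked password is no longer usable on attack_day.

    A rotation that happens after the leak (and before the attack) invalidates
    the leaked password, unless the user chose a predictable variant that a
    stuffing tool could derive from the leaked value. The number of rotations
    is irrelevant; only whether the most recent one postdates the leak matters.
    """
    rotated_after_leak = any(acct.leak_day < r <= attack_day for r in acct.rotations)
    return rotated_after_leak and not acct.trivial_variant


def simulate(n_accounts: int, rotation_days: int, attack_day: int,
             p_trivial: float, seed: int = 0) -> float:
    """Fraction of reused-breached-password accounts that rotation would protect.

    rotation_days == 0 models a service with no rotation policy at all.
    Leak days are drawn uniformly before the attack (assumption), and each user
    independently picks a trivial variant with probability p_trivial (assumption).
    """
    rng = random.Random(seed)
    rotations = (list(range(rotation_days, attack_day + 1, rotation_days))
                 if rotation_days > 0 else [])
    protected = 0
    for _ in range(n_accounts):
        acct = Account(
            leak_day=rng.randrange(0, attack_day),
            rotations=rotations,
            trivial_variant=rng.random() < p_trivial,
        )
        if protected_by_rotation(acct, attack_day):
            protected += 1
    return protected / n_accounts


if __name__ == "__main__":
    # Constructed scenario: stuffing attack one year in, with and without rotation.
    for days in (0, 30, 90, 180):
        for p in (0.0, 0.5):
            share = simulate(10_000, days, 365, p)
            print(f"rotate every {days:3d} days, {p:.0%} trivial variants: "
                  f"{share:.1%} of breached-password accounts protected")
```

Running the scenario shows the "partial and minor" shape of the benefit: with no rotation nothing is protected, with rotation only the accounts whose leak predates the last forced change are protected, and any protection is cut roughly in half when half the users derive the new password from the old one. It also shows that the interval itself matters less than how recently the last rotation happened relative to the attack, which is why the same model gives the same answer for 30, 90 and 180 days when all three had a change on day 360.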