The company apparently sees these leaks not as a data breach, but as a violation of site rules. Well, I'm taking on a bit of the role of enlightening the public then; If the source of the leak is solely "credential stuffing attack," why haven't you taken measures against it even in 2023? There's only one login service on web and mobile platforms; why didn't you use captcha, turnstile, etc., there? Despite knowing that the user:pass data of 92 million users of MyHeritage, where many of your joint common members, including your CEO, are known to be, has been circulating for years, you took no action.

What's worse, there's no need for email verification even for a user to download raw data. Additionally, you don't necessarily have to download to obtain raw data. There are three different methods possible to take raw data directly from the db without downloading it. Is it the members' fault if your sense of security is terrible? What a foolish defense!

To extract data in this way from 14 million people, at least 100,000 credentials are needed because most members have common relatives. How did you not notice that 100,000 of your customers' accounts had been accessed? How did you not detect this while millions of data belonging to other users were being scraped? Why didn't you define a rate limit rule based on endpoint or parameter?

Suppose I did scrape profiles through the hacked accounts in the shared relatives list. But what about other vulnerabilities?