by y0ssar1an 901 days ago
If it was truly a credential stuffing attack, then there's a shared responsibility between users and 23andMe. 23andMe is responsible for not enabling 2FA. The users are responsible for reusing passwords.

To me, the takeaway is that we need to roll out passkeys as quickly as possible.

4 comments

Even if they didn't want to do 2FA for whatever reasons, there are things they could have done like checking password hashes against breaches.
The service requires authentication, but then does not take the obvious steps (industry mediocre(1) practices) to ensure widely known problems with authentication are mitigated - let's not blame regular people for the failure of this service to secure their accounts.

(1) the bar to do better is quite a bit below "best practices".

2FA was enabled, just not mandatory.
11k people due to credential stuffing is not a dent in the 6+ million though. It's a disingenuous argument.

Not only that, but they should have been far better protected against even poor password management by users, given the type of sensitive information they're handling.