[Slapshot_gd]

> “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures”

In all honesty, you can hardly make this claim unless they properly communicated and mandated (at least in writing, since I can't imagine how it could be actually enforced) that users chose/pick passwords different from other platforms. Or at the least enforce an aggressive password change schedule, etc...

[ziddoap]

>at least in writing, since I can't imagine how it could be actually enforced

You can check passwords against known-compromised lists and then tell the user "sorry, please use a different password". This is something that is a recommended best practice, and has been for at least a few years.

>Or at the least enforce an aggressive password change schedule

This has been explicitly not recommended since at least 2016 by NIST. Research has shown this leads to password fatigue, which results in weaker passwords that are just iterated on (password1 -> password2 -> password3).

[programjames]

Or, users can check their passwords against known-compromised lists. It's not on them to hold users' hands and check for their mistakes.

[Beldin]

Let's not fall for 23andMe's attempts at victim blaming. They offered the service, and they failed to implement to reasonable security practices. Their process allowed users to pick "obviously" flawed passwords. Well, those passwords weren't obviously flawed enough to bar their use, but obvious enough to blame users afterwards.... yeah that's BS.

[ziddoap]

Yes, users can (and should) be doing that as well.