by synicalx 900 days ago
From what I understand, the hack was due to a large number of people re-using passwords and the company doing nothing to prevent or detect this.

Security practices and their ludicrously bad response aside, I cannot fathom why someone would send their literal DNA to a company and then take no steps to secure that information. Is technical literacy really this poor amongst the general population? Even my retiree dad, who can't reliably turn his TV on, knows about MFA.


> the company doing nothing to prevent or detect this.

How would they do that?

I'm not defending 23andMe but I really don't see how a service can detect that the password I chose on their website is the same I chose on a different one. Not without: a) them knowing what my chosen password is; and b) them knowing my passwords on other websites.

I have been defending them but there are things they could do, though I don't think they should be legally required to do so.

Where I work, the security team monitors password leaks and runs them against our user base; if we find matches, we lock those accounts and force a reset. That password also goes into a file and becomes permanently banned from being chosen.

We also force multifactor, which isn't bulletproof (heck, if you used the same TOTP on two sites your hex key could get stolen), but it does go a long way. Two-factor is super annoying, though, and lots of places only offer crap methods like SMS (I loathe giving out my phone number). Personally I'd rather use just a strong site-specific password than be forced to provide my phone number.

Use a previously breached password database like the one haveibeenpwned offers. https://haveibeenpwned.com/Passwords
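The two mechanisms the thread describes, a leak sweep that locks matching accounts and permanently bans the leaked password, and a Pwned Passwords range check with the k-anonymity prefix, as one added Python example. This is not code from the thread, from 23andMe, or from Have I Been Pwned. The breach counts, the accounts and the leaked credential dump are constructed for the demo, and `constructed_fetch_range` stands in for the real `GET https://api.pwnedpasswords.com/range/<prefix>` call so it runs offline.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Set, Tuple

# --- Pwned Passwords style k-anonymity range check -------------------------

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords publishes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> Tuple[str, str]:
    """Only the 5-char prefix leaves the client; the 35-char suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a /range/<prefix> response contains."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed breach corpus (assumption: not real breach data).
CONSTRUCTED_BREACHED: Dict[str, int] = {"password123": 1234, "letmein": 55}

def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    a real response lists only suffixes that share the queried prefix."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

# --- Leak sweep: lock matching accounts, permanently ban the password ------

ITERATIONS = 100_000  # PBKDF2 work factor for the demo accounts

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt, self.pw_hash = hash_password(password)
        self.locked = False
        self.must_reset = False

def sweep_leak(accounts: Dict[str, Account], leak: List[Tuple[str, str]],
               denylist: Set[str]) -> List[str]:
    """For each leaked (email, password) pair that verifies against our own
    stored hash, lock the account, force a reset, and add the password's SHA-1
    to the permanent denylist. Returns the e-mails that were locked."""
    locked: List[str] = []
    for email, leaked_pw in leak:
        acct = accounts.get(email.lower())
        if acct is None:
            continue
        if verify_password(leaked_pw, acct.salt, acct.pw_hash):
            acct.locked = True
            acct.must_reset = True
            denylist.add(sha1_upper(leaked_pw))
            locked.append(acct.email)
    return locked

def password_allowed(password: str, denylist: Set[str],
                     fetch_range: Callable[[str], str] = constructed_fetch_range) -> bool:
    """Reject a new password if it is locally banned or known breached."""
    if sha1_upper(password) in denylist:
        return False
    return pwned_count(password, fetch_range) == 0

if __name__ == "__main__":
    # Constructed accounts and a constructed leak dump (one true match).
    accounts = {a.email.lower(): a for a in [
        Account("alice@example.com", "hunter2"),
        Account("bob@example.com", "correct horse battery staple"),
    ]}
    leak = [("Alice@example.com", "hunter2"), ("bob@example.com", "wrongguess")]
    banned: Set[str] = set()
    print("locked:", sweep_leak(accounts, leak, banned))
    print("hunter2 allowed again?", password_allowed("hunter2", banned))
    print("password123 allowed?", password_allowed("password123", banned))
```

The sweep only works because a leaked pair is verified against the site's own salted hash; there is no way to learn what a user chose elsewhere, which is exactly the objection raised upthread. Note also that the range query sends five hex characters of SHA-1, never the password or its full hash, so the check costs no secrecy.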
Because users are idiots. Just like the people that build services. We all get it wrong and we all underestimate the risks. Professionals get phished, and people will re-use passwords because it's easy to do and they simply don't understand or perceive the risk involved. They are unaware of how many breaches have already happened, and that the password they think is secure and known only to them is also known to hackers the world over due to previous dumps. It's not as if companies in general never pretended that the breaches they had didn't happen; that's very common practice, to the point that it had to be outlawed in the EU.