by kieranhunt 882 days ago
Using a service like Have I Been Pwned, could companies like 23andMe proactively invalidate credentials that are known to be leaked? The next time those customers try to log in, they're forced to update their credentials through something like an email-based password reset?

Yes, this is exactly what could have been (and in my opinion, should have been) done to prevent this kind of "credential stuffing" attack. By taking a known corpus of exposed passwords and comparing the hashed values against existing user password hashes, the company could have proactively locked accounts and forced password resets for users who had previously chosen weak passwords, and prevented new weak passwords from being chosen as well. This is quickly becoming an industry standard practice, and 23andMe likely knows that and is trying to make the argument that it's not their problem and has nothing to do with them (wrong).
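As an added illustration of the screening the thread describes (example code written for this page, not from either poster or from 23andMe or Have I Been Pwned), the block below shows the two places a site can apply a breach-corpus check. One practical caveat: a site that stores properly salted hashes cannot compare them against a breach list offline, so the comparison happens at the moments the plaintext is in hand, registration and successful login. The lookup follows the Pwned Passwords k-anonymity pattern (send only the first 5 hex characters of the SHA-1, match the suffix locally); `build_fake_range_service` is a constructed offline stand-in for that endpoint, and the breached passwords and counts it is seeded with are made up for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List

PREFIX_LEN = 5  # the k-anonymity protocol sends only this much of the SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_range_service(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the range endpoint (hypothetical, offline).

    Returns a function prefix -> response body, where each body line is
    "<35-hex-char suffix>:<count>", mirroring the real API's line format.
    """
    by_prefix: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        by_prefix.setdefault(h[:PREFIX_LEN], []).append(f"{h[PREFIX_LEN:]}:{count}")

    def fetch_range(prefix: str) -> str:
        return "\r\n".join(by_prefix.get(prefix.upper(), []))

    return fetch_range


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 if absent).

    Only the prefix leaves the server; the suffix match happens locally,
    so the service never learns which candidate we were checking.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


# --- credential store: salted PBKDF2 from the standard library -------------
def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return {"salt": salt, "hash": digest, "reset_required": False}


def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["hash"])


def register(users: dict, username: str, password: str, fetch_range) -> None:
    """Block new weak passwords: refuse anything already in the corpus."""
    if breach_count(password, fetch_range) > 0:
        raise ValueError("password appears in a known breach corpus")
    users[username] = make_record(password)


def login(users: dict, username: str, password: str, fetch_range, threshold: int = 1) -> str:
    """Retroactive screening for accounts created before the check existed.

    Returns "denied", "reset_required" or "ok". A correct but breached
    password flips the account into a locked state that only an
    out-of-band (e.g. email-verified) reset clears.
    """
    record = users.get(username)
    if record is None or not verify(record, password):
        return "denied"
    if record["reset_required"]:
        return "reset_required"
    if breach_count(password, fetch_range) >= threshold:
        record["reset_required"] = True
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    svc = build_fake_range_service({"password": 9_000_000, "letmein": 250_000})
    users = {"bob": make_record("password")}  # legacy account, weak password
    print(login(users, "bob", "password", svc))  # reset_required
```

The `threshold` parameter is there because a site may reasonably treat a single appearance differently from millions; the default of 1 matches the strict stance in the comment above.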