@dplattsf @thomasfuchs The initial access was through credential stuffing, and while this is not entirely their fault, they could have taken steps to protect their users from themselves.

But that was only 14,000 accounts. Most of the 6 million or so records relate to users who have not been compromised themselves. And that's where 23andMe had a responsibility to protect its users from the stupidity of other users.