People should have woken up to password security being their responsibility after story after story on how bad actors will own your email account, wait for a large e-transfer to appear in your inbox, then steal it by using the same email password on your bank’s site. It was an unavoidable story at least in Canada.

Having said that, is there not an onus on 23 to detect someone scraping millions of profiles from a feature ostensibly for looking at a few close relatives? Surely looking at 492 “relatives” on one account in quick succession isn’t normal behaviour.

I’m just glad I didn’t end up ordering a kit when they were being hyped massively.

Yeah this is like 85% the users fault. If the website stores passwords in plaintext, it’s their fault. If the user used “password” as a password it’s their fault. The site could have been more helpful by having a cool down between incorrect passwords and monitor of failed attempts. Also maybe limiting the data shared between relatives. But like with Facebook, if you gain access to someone’s account you will see their friends too.

It is. It was from people reusing passwords that were compromised.

After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.

Last I checked, that is still optional but highly recommended.