23andMe's data breach came down to users recycling passwords from other hacked sites — the company's own systems were never compromised. Nevertheless, 23andMe acted fast, requiring password resets and mandating two-step verification for all customers. Blaming the company for a credential stuffing attack caused by user negligence is an unjustified mischaracterization.
Password reuse by users doesn't excuse 23andMe letting a breach of 14,000 accounts balloon into exposure of nearly 7 million people's data — that's an undeniable corporate security failure. Organizations are ultimately on the hook for stopping lateral movement, no matter how the attacker got in. 23andMe had digital gold and fumbled it through sheer mismanagement.
© 2026 Improve the News Foundation.
All rights reserved.
Version 7.7.2