
Websites should mitigate credential stuffing by checking against known cracked passwords. All you have to do is download Troy Hunt’s hashed password database, check it when someone logs in and if it’s cracked do your email password reset flow. Or you can use their API.

It’s very simple, and I believe has been an accepted best practice since like 2017. This is 100% on 23andme. They are responsible.

1. https://haveibeenpwned.com/Passwords
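The login-time check the comment describes, as an added example that is not the commenter's code: it uses the Pwned Passwords k-anonymity range endpoint (`https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1}`, which answers with one `SUFFIX:COUNT` line per matching hash), so only a 5-character hash prefix ever leaves the site. The HTTP fetcher is kept separate from the decision logic so the logic can be exercised offline against a constructed response; `make_fake_fetcher` is a test helper, not part of the API.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# A fetcher takes the 5-char uppercase SHA-1 prefix and returns the raw
# "SUFFIX:COUNT" response body for that range.
RangeFetcher = Callable[[str], str]


def sha1_hex_upper(password: str) -> str:
    # Pwned Passwords is keyed by uppercase hex SHA-1 of the UTF-8 password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerates CRLF, blank lines and bad rows."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip padding noise or malformed lines
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """How many times this exact password appears in known breaches."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]   # only the prefix is sent
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def login_decision(password: str, fetch_range: RangeFetcher) -> str:
    """What a login handler does after the password verified: 'ok' or
    'force_reset' (start the e-mail password-reset flow)."""
    return "force_reset" if pwned_count(password, fetch_range) > 0 else "ok"


def fetch_range_http(prefix: str) -> str:
    """Live fetcher against the real range endpoint (network required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def make_fake_fetcher(known: Dict[str, int]) -> RangeFetcher:
    """Constructed offline stand-in: serves {password: count} in API format."""
    rows: Dict[str, list] = {}
    for pw, n in known.items():
        d = sha1_hex_upper(pw)
        rows.setdefault(d[:5], []).append(f"{d[5:]}:{n}")
    return lambda prefix: "\r\n".join(rows.get(prefix.upper(), [])) + "\r\n"
```

Swap `make_fake_fetcher(...)` for `fetch_range_http` in production; the decision logic is unchanged.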



This and noticing a bunch of accounts are suddenly being logged into en masse in a way that is obviously an attack. It cannot be hard to detect such an event if you cared to notice. So it’s 100% negligence and 100% the result of putting profits over safety. A terrible management failure.
