![](https://programming.dev/pictrs/image/05edd35e-f677-44ba-a063-54eeeaa01d1f.png)
23 and Me are technically correct in that it's customer behaviour that caused the issue. People reused passwords and didn't use MFA.
They can claim the moral high ground if they like and shift the blame, but the truth is that regardless of WHY the breach happened, it was still a breach and it still happened!
As a software engineer, I believe there's a real argument to be made here that 23 and Me were negligent in their approach. Given the personal nature of the data stored, they should have enforced MFA from the start, but they did not. They made an explicit decision to choose customer convenience above customer security.
The argument that customers should have made better security decisions is evasive bullshit.
As a software engineer you cannot trust customers to take correct decisions about security. And customers should not be expected to either - they are not the experts! It's the job of IT professionals to ensure that data has an appropriate level of protection so that it is safeguarded even against naive user behaviour.
IBM defines "Data Breach" as:
Despite the fact that the attackers used real passwords to log in, they are still an 'unauthorized party' because they are not the intended party.
It's also legally the case that using a password to access data you know you are not supposed to access still counts as 'hacking'.