The saga of 23andMe’s mega data breach has reached something of a conclusion, with the company saying its probe has determined millions of leaked records originated from illicit break-ins into just 14,000 accounts.
In an update on Tuesday to a blog post sharing details of the attack, 23andMe said the breach, first reported in October, was enabled via credential stuffing, through which an attacker uses username and password combinations from other breaches to try breaking into unrelated accounts.
In other words, those hit were guilty of the cardinal sin of password reuse and not enabling multifactor authentication.
