@jomo @lorenzofb agreed, it was a credential stuffing attack. no 2FA and they just used a giant list of emails and passwords and logged into any account they could. 23&Me should have had some rate limiting and alerts for this, but c'est la vie, right?

maybe customers shouldn't reuse passwords or something idk