Why would you do this to me?!

The hackers initially got access to around 14,000 accounts using previously compromised login credentials, but they then used a feature of 23andMe to gain access to almost half of the company’s user base, or about 7 million accounts

Is there more to the breach than just stolen passwords? What feature did they use and what access did they gain?