Comment by justin_oaks

To those wondering why the quotes are given, I assume it's because no 23andMe system was compromised.

The data was retrieved via credential stuffing, which is trying username/email and password combinations from other data breaches.

It can be argued that 23andMe should have had stricter login requirements (e.g. require MFA, require longer passwords) and by failing to do so they were responsible for the leaked data. Or you can argue that the users didn't protect their own data since they didn't use long, secure passwords that were unique per website.