Here is the thing: unless the attackers got into these accounts by guessing weak passwords at the login page, 23andMe are at fault.

The data breach by which attackers get their hands on passwords isn't the fault of the users.

Only the consequence of that breach to some of the users is their own fault.