
It's all a balancing act between not wanting to unduly impact legitimate customers, while blocking as much fraud as possible.

Blocking the credential stuffing attacks? They probably did have mitigation efforts, but you can only be so aggressive before the false positives start blocking significant numbers of legitimate customers, who have no recourse except to wait out a temporary ban. And some credential stuffing attacks are extremely sophisticated, such that even best in class security companies can't always effectively block them.

Mandatory MFA? Great on paper, except that 10% of people hate the extra steps (probably with great overlap between the people reusing passwords) and will complain and/or disable it if given the chance. Another 20% have invalid or out of date contact details (an old employer's email address, a landline phone number that can't receive SMS, etc.), and they'll be locked out of their accounts.

Yeah, there are ways to mitigate these downsides. And I'm not arguing that 23andme found the appropriate balance between "customer satisfaction" and "customer security." But I can see how a mostly reasonable organization could end up in this position. And it's mainly the risk of terrible press and upset customers that allows other companies to justify more security-oriented policies, so let them have it.



Every other healthcare website I use requires me to enter a code texted or emailed to me the first time I log in from a new computer. If someone used a corporate email address for personal services, they're likely used to being locked out of things.

23andme is also unique in their ability to create security questions to authenticate users who get locked out. "What is your date of birth and can you form a sideways U shape with your tongue?"



