
How would you do this for historical accounts? 2FA needs to be set up by users. It has gone through multiple iterations over the past 2 decades and was not always standard practice. 23andMe was founded in 2006.


Send out increasingly loud notices ahead of time, and try to come up with a secure recovery procedure for the many customers who will fail to react to them. It's not going to be cheap. But losing some kinds of data should be even more expensive.


Force them to change their password, prevent use of the account? If it’s a dormant account, force a password reset using email?

Doesn’t feel like an unsolvable problem, certainly not one without edge cases, but surely we can hit 80/20 without too big a hassle.


The thing is, attackers don't need 20%. The article says they used 14k accounts with previously cracked passwords to uncover data of 7 million customers: that's 0.2%.

Doing low-hanging fruit isn't enough here. Honestly I just don't feel like the time is right to build such big DNA databases yet. Maybe one day with quantum encryption (can't observe the state without modifying it) or whatever else we may figure out, but today it just seems like you're taking a risk for yourself and half a dozen layers of relatives.


1. Disable the account from further access.

2. Send a postcard to the billing address where you signed up (verified against credit reports) with a one time verification code, upon which some second factor is set up. Maybe put 20 "rescue codes" on the postcard too, if you like.

3. Force user to enable some sort of second factor authentication on their next login.
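As an added worked example (not from this thread and not 23andMe's code), here is how the three-step flow above could be implemented server-side. It assumes a server-side pepper, an 8-digit postcard code, 20 ten-hex-character rescue codes, a 30-day validity window because postal delivery is slow, a limit of 5 guesses, and a caller that confirms TOTP enrollment and passes the result in as a boolean; all of those are assumptions, not details from the comment.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed parameters (constructed for this example, not taken from the thread).
PEPPER = b"server-side-secret-load-from-a-vault-not-source"
CODE_TTL_SECONDS = 30 * 24 * 3600   # postcards are slow; assumed 30-day window
MAX_ATTEMPTS = 5                    # assumed online-guessing limit
RESCUE_CODE_COUNT = 20              # matches the "20 rescue codes" in the comment


def _digest(code: str) -> str:
    # Keep only keyed hashes: a database leak must not leak unredeemed codes.
    return hmac.new(PEPPER, code.strip().upper().encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    email: str
    locked: bool = False                 # step 1: no access until recovery completes
    postcard_verified: bool = False
    second_factor_enrolled: bool = False
    postcard_code_hash: Optional[str] = None
    postcard_expires_at: float = 0.0
    attempts_left: int = MAX_ATTEMPTS
    rescue_hashes: Set[str] = field(default_factory=set)  # step 2: one-time backup codes


def lock_and_issue_postcard(acct: Account, now: Optional[float] = None) -> Tuple[str, List[str]]:
    """Steps 1 and 2: lock the account and mint the codes printed on the postcard.
    The plaintext codes are returned exactly once; only their hashes are stored."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    rescue = [secrets.token_hex(5).upper() for _ in range(RESCUE_CODE_COUNT)]
    acct.locked = True
    acct.postcard_verified = False
    acct.second_factor_enrolled = False
    acct.postcard_code_hash = _digest(code)
    acct.postcard_expires_at = now + CODE_TTL_SECONDS
    acct.attempts_left = MAX_ATTEMPTS
    acct.rescue_hashes = {_digest(r) for r in rescue}
    return code, rescue


def verify_postcard_code(acct: Account, submitted: str, now: Optional[float] = None) -> bool:
    """Code typed in at next login: single use, expiring, guess-limited."""
    now = time.time() if now is None else now
    if acct.postcard_code_hash is None or acct.attempts_left <= 0:
        return False
    if now > acct.postcard_expires_at:
        return False
    acct.attempts_left -= 1
    if not hmac.compare_digest(acct.postcard_code_hash, _digest(submitted)):
        return False
    acct.postcard_code_hash = None      # burn the code after one successful use
    acct.postcard_verified = True
    return True


def enroll_second_factor(acct: Account, totp_confirmed: bool) -> bool:
    """Step 3: the account stays locked until a second factor is confirmed.
    totp_confirmed is assumed to come from the caller's own TOTP check."""
    if not acct.postcard_verified or not totp_confirmed:
        return False
    acct.second_factor_enrolled = True
    acct.locked = False
    return True


def redeem_rescue_code(acct: Account, submitted: str) -> bool:
    """Backup second factor: each printed rescue code works exactly once."""
    if not acct.second_factor_enrolled:
        return False
    h = _digest(submitted)
    for stored in acct.rescue_hashes:
        if hmac.compare_digest(stored, h):
            acct.rescue_hashes.discard(stored)
            return True
    return False


def can_login(acct: Account) -> bool:
    return not acct.locked and acct.second_factor_enrolled
```

The ordering matters for the "dormant account" case: a stolen password alone never gets past step 1, because the account is locked before the postcard is even mailed, and the postcard code cannot be brute-forced online because of the attempt counter and expiry.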


Imagine a service you paid for locking your account and sent a postcard to an address you haven't lived at in a decade. What a great user experience!


If you paid for a service, the onus is on you to keep your information updated with that service.


Do you actually update all your addresses in every service the moment you move?


Ones I care about, yes.


I’ve had sites that do forced password resets and other annoying things when I come back after years.

23andMe bears more responsibility than users, like banks bear more responsibility for customers choosing stupid PINs. DNA info is valuable; they need to design good safeguards.


Yahoo for one: I didn't mind.


You show a popup: "Are you a hacker?" If somebody lies, it's not your problem, right?



