
Two factor authentication should be mandatory for services like 23andMe that hold such sensitive information (i.e. DNA tests). It would at least have reduced the wideness of the attack by protecting most of those 14k initial accounts that were used to leverage the 'relatives feature' vulnerability.


I was thinking this as well, but I'm still not sure 23andMe is to blame. Everyone who signed up to the site knowingly shared their information with accounts that were not 2FA protected. The service was unsafe but the question is whether or not the users should have known that. You can't sue the knife company if you cut yourself, after all.



