
2 measly SQL injections and down goes 23andMe.




There was no SQL injection. The attack was basically the same as if someone stole the password to a friend's Facebook account, and proceeded to scrape the posts everyone else had made visible to that friend.

Some would say SNP data is more valuable than your posting history. I'm not so sure, since after all 23andMe went bankrupt trying to monetize their data and reddit didn't. It seems possible to me that a post where you say you do X is more useful to advertisers and political propagandists/spies, than a SNP which suggests you're 20% more likely to do X.


I am reading more on the vector of attack used on 23andMe and it seems they used credentials from other data breaches. This never would have happened with MFA; even SMS confirmation would've been enough.

It's insane that a company that literally stores DNA data didn't have the most basic defenses against data breaches that would take an intern 15 minutes to read about.



