The company claims that users negligently recycled and failed to update their passwords, allowing attackers to launch a credential stuffing campaign. Nearly 7 million customers’ information was accessed, including genealogy data.