Are they trying to scapegoat us because they should have better password policies in place than to allow people to continue to reuse passwords?

I was wondering about this claim. Half of their users had compromised accounts on other sites? Is that really plausible? I'm just speculating, but it seems to me like that this suggests some sort of relationship between 23andme and the site where the original compromise happened.