Genetic testing company 23andMe confirmed that hackers accessed the personal data of 6.9 million users. Your DNA wasn't stolen, but your ancestry data, family connections, and personal details may have been. Here's what you need to know.
In late 2023, genetic testing company 23andMe disclosed that hackers had accessed data belonging to approximately 6.9 million of its users — roughly half its customer base at the time.
The breach is notable not just for its scale, but for what was taken. 23andMe holds some of the most sensitive personal data that exists: genetic information, ancestral profiles, and — through its DNA Relatives feature — connections to biological relatives who may not even know their data was involved.
What followed the breach was a case study in corporate crisis management done poorly: initial minimisation, victim-blaming, legal manoeuvring, and ultimately bankruptcy. If you're a 23andMe customer, or if you're simply interested in what the implosion of a genetic data company means for people who trusted it with their most intimate biological information, the full story is worth understanding.
How the Attack Worked
The hackers didn't break into 23andMe's systems in the traditional sense. They didn't find a vulnerability in the company's code, compromise a server, or intercept data in transit. What they did was considerably more mundane, and considerably more common.
They used a technique called credential stuffing: taking large lists of usernames and passwords stolen from other, unrelated data breaches and testing them — automatically, at scale — against 23andMe's login page.
Because many people reuse the same password across multiple services, a meaningful percentage of 23andMe accounts could be accessed using credentials that had been stolen from entirely different companies. A user whose email and password had leaked in, say, a breach of a retail or gaming service in 2019 might have used those same credentials to register with 23andMe. The attacker doesn't need to hack 23andMe at all — they just need to find where else the victim's credentials were already exposed.
This is not a sophisticated attack. Credential stuffing is industrialised. The tools to run it are freely available. The lists of stolen credentials are sold cheaply in bulk. It's one of the most common and cost-effective methods attackers use against consumer platforms — and it works primarily because password reuse is so widespread.
To understand the scale of the underlying ecosystem: services like Have I Been Pwned, run by security researcher Troy Hunt, currently index more than 14 billion compromised accounts across thousands of known data breaches. The raw material for credential stuffing attacks — known in underground markets as "combo lists," text files pairing email addresses with their corresponding passwords — is traded freely on Telegram channels, dark web forums, and even public file-sharing sites. Major combo lists circulate with hundreds of millions of entries. The "Collection #1" dataset published in 2019 contained 2.7 billion unique email-password combinations. "RockYou2021," compiled from multiple earlier leaks, reportedly contains 8.4 billion entries.
Automated credential stuffing tools — available cheaply or free on GitHub and underground forums — can test thousands of login attempts per minute, routing traffic through residential proxy networks to evade IP-based rate limiting. The attacker doesn't need to sit at a keyboard; they configure the tool, point it at a login endpoint, and check the results. A successful login yields a "valid" credential pair. The invalid ones are discarded. The whole process is logged and the hits are sold or used directly.
For a company like 23andMe — a consumer product with tens of millions of registered users, many of whom signed up years ago and haven't thought about password hygiene since — the exposure was structural. A substantial fraction of users were almost certainly reusing passwords from accounts that had been breached elsewhere.
The timeline of the 23andMe breach matters, and it's worth tracing carefully.
The credential stuffing activity appears to have started as early as April 2023 — months before anyone at 23andMe knew there was a problem. The attackers were patient. They accumulated valid account accesses over an extended period, scraping data from DNA Relatives profiles in batches.
The first public indication of a problem came on 1 October 2023, when threat actor posts began appearing on dark web forums, including the site Hydra, advertising a database claimed to contain genetic information on Ashkenazi Jewish users specifically — approximately 1 million records. This was not a general sale; the attacker had apparently curated and targeted a specific demographic subset of the stolen data, which raised alarm bells among researchers immediately. Additional posts followed advertising data on other demographic groups, including British users of South Asian descent.
23andMe began investigating in early October. On 10 October 2023 the company reported the incident to the SEC, describing the timeline of events and what data had been accessed, and stated that it had become aware on 1 October 2023 that a threat actor had posted a claim online.
There is a notable gap here: the attack likely began in April 2023; the company became aware of it in October 2023 — approximately a six-month window during which millions of accounts may have been scraped without the company detecting the anomalous access patterns. The company maintained that it had detected unusual login activity and notified affected users, but the timeline of those notifications drew scrutiny from regulators. The UK's Information Commissioner's Office opened an investigation into whether 23andMe had complied with its GDPR obligations, including the requirement to notify regulators within 72 hours of becoming aware of a breach.
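The six-month gap is, from a defender's point of view, a detection problem: the per-account traffic looked like a user logging in, but the aggregate pattern (one source trying many different usernames and mostly failing, or a spray spread thinly across proxy addresses) is visible in ordinary authentication logs. The script below is an added example, not 23andMe's code or anything the company has published. It runs two such rules over a constructed log sample (the log format, IP addresses, usernames and thresholds are all invented for illustration): a per-source rule that separates stuffing from a user retrying a forgotten password, and a site-wide rule that still fires when the attacker has routed each attempt through a different address.

```python
"""Credential-stuffing detection over login-event logs.

Added example, not 23andMe's code or tooling. Assumes a constructed log format
'<timestamp> <source-ip> <username> <SUCCESS|FAIL>'; thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one source cycling through many accounts (stuffing, with one
# "hit"), one user retrying a forgotten password, a spray spread across five
# proxy-like addresses that never trips a per-IP rule, and two ordinary logins.
SAMPLE_LOG = """\
2023-04-12T03:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-12T03:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-12T03:00:03Z 203.0.113.7 carol@example.com SUCCESS
2023-04-12T03:00:04Z 203.0.113.7 dan@example.com FAIL
2023-04-12T03:00:05Z 203.0.113.7 eve@example.com FAIL
2023-04-12T03:00:06Z 203.0.113.7 fay@example.com FAIL
2023-04-12T03:00:07Z 203.0.113.7 gus@example.com FAIL
2023-04-12T03:01:00Z 198.51.100.23 ivy@example.com FAIL
2023-04-12T03:01:10Z 198.51.100.23 ivy@example.com FAIL
2023-04-12T03:01:20Z 198.51.100.23 ivy@example.com FAIL
2023-04-12T03:01:30Z 198.51.100.23 ivy@example.com SUCCESS
2023-04-12T03:10:01Z 198.51.100.50 jon@example.com FAIL
2023-04-12T03:10:02Z 198.51.100.51 kim@example.com FAIL
2023-04-12T03:10:03Z 198.51.100.52 lee@example.com FAIL
2023-04-12T03:10:04Z 198.51.100.53 max@example.com FAIL
2023-04-12T03:10:05Z 198.51.100.54 ned@example.com FAIL
2023-04-12T03:20:00Z 192.0.2.10 ola@example.com SUCCESS
2023-04-12T03:20:30Z 192.0.2.11 pat@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")
MIN_DISTINCT_USERS = 5   # illustrative: how many different accounts count as "many"
MIN_FAIL_RATIO = 0.7     # illustrative: stuffing is mostly misses


def parse_log(text):
    """Return (timestamp, ip, user, result) tuples; reject lines we don't understand."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events


def flag_stuffing_ips(events, min_users=MIN_DISTINCT_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Per-source rule: one IP, many *different* usernames, mostly failing.
    A user retrying one forgotten password fails often but has one username: not flagged."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for _, ip, user, result in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(user)  # a success amid the misses is the pair the attacker keeps
    flagged = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "fail_ratio": round(ratio, 3),
                           "hits": sorted(s["hits"])}
    return flagged


def flag_stuffing_windows(events, window_seconds=300, min_users=MIN_DISTINCT_USERS,
                          min_fail_ratio=MIN_FAIL_RATIO):
    """Site-wide rule for proxy-distributed stuffing: per-IP counts stay tiny, but the
    number of distinct accounts failing inside one time window still stands out."""
    buckets = defaultdict(lambda: {"attempts": 0, "fails": 0, "failed_users": set(), "ips": set()})
    for ts, ip, user, result in events:
        key = int(ts.timestamp()) // window_seconds * window_seconds
        b = buckets[key]
        b["attempts"] += 1
        b["ips"].add(ip)
        if result == "FAIL":
            b["fails"] += 1
            b["failed_users"].add(user)
    flagged = []
    for key in sorted(buckets):
        b = buckets[key]
        ratio = b["fails"] / b["attempts"]
        if len(b["failed_users"]) >= min_users and ratio >= min_fail_ratio:
            flagged.append({
                "window_start": datetime.fromtimestamp(key, tz=timezone.utc).isoformat(),
                "attempts": b["attempts"], "fails": b["fails"],
                "distinct_failed_users": len(b["failed_users"]), "distinct_ips": len(b["ips"]),
            })
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP:", flag_stuffing_ips(evs))
    print("windows:", flag_stuffing_windows(evs))
```

On the sample, the per-source rule flags only 203.0.113.7 (seven usernames, six failures, one hit), ignores the user retrying ivy@example.com, and misses the five proxy addresses entirely; the window rule catches both the concentrated burst and the distributed one. Real thresholds have to be tuned against a site's own baseline of failed logins, and the windowed rule is what a long, patient campaign cannot fully evade by spreading its traffic.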
The DNA Relatives Amplifier
Here's where 23andMe's specific product design made an already serious breach dramatically worse.
The attackers initially compromised approximately 14,000 accounts directly through credential stuffing — a significant number, but not extraordinary for a company of 23andMe's size. The 6.9 million figure came from something else entirely: the DNA Relatives feature.
DNA Relatives is an opt-in service that matches users with other customers who share genetic markers — biological relatives who've also submitted samples. It's one of 23andMe's flagship features, and millions of users had it enabled. When you access a DNA Relatives match, you can see a profile of that match, including their predicted relationship to you, the percentage of DNA you share, and whatever profile information they've chosen to display.
By accessing 14,000 compromised accounts, the attackers were able to scrape the DNA Relatives data visible from those accounts — which, because of how family trees branch, gave them data on millions of connected users who had never been directly compromised. A person who had never had their credentials stolen still had their ancestry data, family connections, and profile information harvested because they were genetically related to someone who had.
The amplification factor is stark: 14,000 directly compromised accounts became 6.9 million affected users. That's a multiplier of roughly 500, driven entirely by a feature designed to help people find family.
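The multiplier is a property of the feature's design rather than of the attack, which makes it something a product team can model before shipping. The block below is an added example, not 23andMe's code, and it does not claim to reproduce the real DNA Relatives graph: it builds a constructed "shares DNA with" graph, counts how many profiles become readable from a small set of compromised accounts, and then shows how two design levers that the article's narrative points at (the feature being off for a user, and a hypothetical server-side cap on how many matches one account is shown) shrink that blast radius. Graph size, match counts and the cap are invented for illustration.

```python
"""Blast-radius model for a relatives-style matching feature.

Added example, not 23andMe's code. The match graph, the opt-in sets and the
per-account view cap are constructed/hypothetical; the point is to quantify how
a small set of compromised accounts exposes the profiles of their matches.
"""
import random


def build_match_graph(n_users, matches_per_user, seed=1):
    """Constructed undirected 'shares DNA with' graph: each user is matched with a
    random set of others, so the typical degree is about twice matches_per_user."""
    rng = random.Random(seed)
    graph = {u: set() for u in range(n_users)}
    for u in range(n_users):
        for v in rng.sample(range(n_users), matches_per_user):
            if v != u:
                graph[u].add(v)
                graph[v].add(u)
    return graph


def exposed_users(graph, compromised, opted_in, view_cap=None):
    """Accounts whose profile data is readable from the compromised set.

    A compromised account yields its own data. If it has the matching feature
    enabled, it also lists every match that is itself opted in; view_cap models a
    hypothetical server-side limit on how many matches one account is shown."""
    exposed = set(compromised)
    for account in compromised:
        if account not in opted_in:
            continue  # feature off: nothing beyond the account's own profile
        visible = sorted(v for v in graph[account] if v in opted_in)
        if view_cap is not None:
            visible = visible[:view_cap]
        exposed.update(visible)
    return exposed


def amplification(graph, compromised, opted_in, view_cap=None):
    """Affected users per directly compromised account (the article's roughly 500x)."""
    return len(exposed_users(graph, compromised, opted_in, view_cap)) / len(compromised)


if __name__ == "__main__":
    g = build_match_graph(n_users=5000, matches_per_user=40, seed=7)
    everyone = set(g)
    compromised = set(range(20))          # constructed: 20 accounts fell to stuffing
    half = {u for u in g if u % 2 == 0}   # constructed: half the users opted out
    print("all opted in :", amplification(g, compromised, everyone))
    print("half opted in:", amplification(g, compromised, half))
    print("view cap 10  :", amplification(g, compromised, everyone, view_cap=10))
```

The numbers the model prints are only as good as its constructed graph, but the shape of the result is the lesson: with the feature on for everyone, each stolen login exposes every match that account can see; opting out removes a user from every other account's list, not just their own; and a cap on how much of the list a single session is served bounds the worst case at (1 + cap) profiles per compromised account regardless of how the attacker got in.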
What Was Actually Exposed
It's worth being specific about what data was and wasn't taken, because reporting on genetic breaches tends to generate maximum anxiety without always providing maximum clarity.
What was exposed:
- Display names and profile information entered by users
- Predicted relationships and DNA-sharing percentages with genetic matches
- Ancestry composition — the geographic and ethnic breakdown of a user's genetic heritage
- Location information (where users had added it to their profiles)
- Family tree information (where users had built one)
What was not exposed:
- Raw DNA sequence data
- Health predisposition reports
- Account financial information
Ancestry composition data is derived from genetic analysis and does reveal meaningful information about heritage and ethnic background. For many users, that information is sensitive — it could reveal heritage that a person hadn't publicly shared, or in some contexts could be used in discriminatory ways. But it is categorically different from a copy of your DNA sequence. The distinction matters.
Why Genetic Data Is Different
The conversation around data breaches typically uses financial data as its reference point. Your credit card number was stolen? Call your bank. New number, same account. Your Social Security number leaked? Painful and persistent, but there's a process for managing the downstream risk.
Genetic data breaks that model entirely. You cannot change your DNA. If your genetic profile is in a criminal's possession, it is in their possession permanently. No reset, no new number, no remediation procedure returns you to the status quo ante.
The sensitivity goes beyond the permanent nature of the data. Ancestral data — particularly the ethnic composition and geographic origin breakdowns that 23andMe provides — reveals information that users may not have consciously intended to share. Heritage that someone hasn't publicly disclosed. Biological relatives who didn't consent to have their genetic connections catalogued. Medical risk indicators embedded in ethnic background data for conditions with known population-level associations. In some legal and social contexts — insurance, employment, immigration — this information can have material consequences.
The specific way the stolen data was first advertised illustrates the risk concretely. The October 2023 dark web post specifically targeted Ashkenazi Jewish users. The deliberate demographic targeting of a specific ethnic or religious group using genetic data is not merely a privacy violation — it is, in some contexts, a tool that can facilitate discrimination or, in worst-case historical framings, ethnic targeting. The data was priced and packaged for buyers who wanted to identify people by ancestry. Whatever 23andMe intended when it designed a feature to help people find family, this was also among the potential uses of the data it was collecting.
The comparison to financial data is also inadequate for another reason: financial data theft typically has a single direction of harm — money leaves your account. Genetic data has multiple dimensions of harm that compound over time and that extend beyond the individual. A person's genetic data reveals information about their biological parents, siblings, children, and extended family — none of whom consented to having their genetic proximity to a 23andMe customer stored, shared, or stolen. The breach of one person's 23andMe account is, in a real sense, a breach affecting people who never signed up for any service at all.
The Regulatory Gap
In the United States, the regulatory protection for genetic data is thinner than many people assume.
The Genetic Information Nondiscrimination Act (GINA), passed in 2008, prohibits health insurers and employers from discriminating based on genetic information. That is a meaningful protection in those specific contexts. But GINA doesn't cover life insurance, disability insurance, or long-term care insurance — the sectors where access to genetic risk information could have the most significant financial implications for individuals. And GINA doesn't address what consumer genetics companies can do with data: sharing it with third parties, using it for research, transferring it in a corporate transaction, or failing to protect it adequately.
The California Consumer Privacy Act (CCPA) provides some protection for California residents, including the right to know what data is collected, the right to deletion, and some restrictions on sale. 23andMe's customers who are California residents have stronger rights than those in most other states.
But there is no comprehensive federal genetic privacy law. The patchwork of state laws and sector-specific federal rules creates gaps that a bankruptcy sale of 23andMe's data could potentially fall through. Privacy law experts quoted by the Electronic Frontier Foundation following the bankruptcy filing noted that the company's privacy policy technically permits data transfer to a buyer, and that unless a purchasing entity is bound by specific representations made to customers, it may have significant latitude in how it uses the data going forward.
In the European Union, the picture is different. The General Data Protection Regulation classifies genetic data as a "special category" of personal data under Article 9 — the same tier as racial or ethnic origin, religious beliefs, and health data. Processing special category data requires explicit consent and is subject to higher scrutiny and stricter safeguards than ordinary personal data. GDPR also provides meaningful data deletion rights. EU regulators have been notably more aggressive in pursuing enforcement actions against companies that mishandle this category of data than their US counterparts.
The contrast matters beyond legal technicality: it reflects a fundamental difference in the underlying philosophy about who owns personal data and what protections individuals are entitled to. In the EU framework, genetic data is sensitive by definition, and companies face a high burden to justify collecting and storing it. In the US framework, companies largely self-regulate, and protections depend on what a company chooses to promise in its privacy policy and which state a consumer happens to live in.
The Victim-Blaming Response
23andMe's initial public response to the breach drew immediate and pointed criticism from security researchers and privacy advocates.
The company's communications in the weeks following disclosure leaned heavily on the argument that this was technically not a hack of 23andMe's systems — it was a hack of users' other accounts, and the problem was really password reuse by customers. A letter 23andMe sent to some breach victims referenced "negligent" behaviour by users who had reused passwords.
That framing was legally strategic and reputationally disastrous. While it is technically accurate that the direct attack vector was credential stuffing rather than a breach of 23andMe's own systems, the company had tools available to mitigate this risk that it had chosen not to deploy. Multi-factor authentication had been available on the platform but was not mandatory. The DNA Relatives feature, which amplified the breach by 500x, was on by default for many users. The combination of optional MFA and aggressive data-sharing features created an environment where a credential stuffing attack on a small number of accounts could cascade into a breach affecting millions.
Critics argued — persuasively — that a company holding this category of sensitive data had a higher duty of care than it had chosen to exercise.
The Legal Fallout
Class action lawsuits followed quickly. By early 2024, 23andMe was facing multiple consolidated actions alleging negligence, breach of contract, and violations of privacy law.
In a move that drew further criticism, 23andMe attempted to amend its Terms of Service in late 2023 in ways that would have made class action litigation more difficult. California's Attorney General Rob Bonta sent the company a letter warning that the changes could not retroactively affect breach claims and noting that such amendments made under these circumstances raised serious legal concerns. 23andMe ultimately rolled back the most contentious changes.
In March 2025, 23andMe entered into settlements with several groups of plaintiffs, including law firms representing thousands of claimants in California courts and arbitration proceedings. The settlements resolved claims from the October 2023 incident but did not end all litigation.
The Bankruptcy Question
In March 2025, 23andMe filed for bankruptcy protection. The company, which had gone public via SPAC merger in 2021 at a valuation of roughly $6 billion, had seen its stock price collapse, its business model falter, and its board largely resign en masse in 2024.
The bankruptcy filing raised immediate and serious questions about what happens to the genetic data of millions of users when the company holding it becomes insolvent.
23andMe's privacy policy states that data can be transferred to a new owner in the event of a merger, acquisition, or bankruptcy. The FTC has published guidance on genetic privacy noting that genetic data is particularly sensitive and that companies should be transparent about what happens to it in corporate transactions. But guidance is not a guarantee.
The practical concern is real: a buyer of 23andMe's assets could acquire the genetic data of millions of people as part of that transaction, and might have different privacy commitments than 23andMe itself had. The company's database — one of the largest consumer genetic databases in the world — has obvious commercial value to pharmaceutical companies, insurance firms, and research institutions. Whether it ends up in hands that treat it with appropriate care is not fully determined by whatever 23andMe's privacy policy said when customers first signed up.
The company encouraged affected users to exercise their deletion rights before any sale closed. Several US state attorneys general issued similar guidance.
What You Should Do
If you are a 23andMe customer:
- Change your password — use a unique password you don't use anywhere else. A password manager makes this straightforward and sustainable.
- Enable two-factor authentication — now mandatory on 23andMe, but verify it is active and working on your account.
- Review your DNA Relatives settings — consider whether you want this feature enabled given the demonstrated risk. You can disable it in your account privacy settings.
- Consider requesting data deletion — 23andMe allows you to request deletion of your genetic data and account. Given the company's uncertain future and the pending sale of assets, many users are choosing this option. Deletion requests are processed under applicable privacy law, including CCPA for California residents.
- Check your other accounts — if you used the same password on 23andMe that you use elsewhere, those accounts are potentially vulnerable. Check haveibeenpwned.com to see if your email address appears in known breaches.
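The same Have I Been Pwned service also exposes a password corpus, and its design answers the obvious objection to "check whether your password is in a breach": you never send the password. The client below is an added example, not code from 23andMe or from Have I Been Pwned; it uses the public Pwned Passwords range API, which takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with a breach count, so the comparison against the full hash happens on your own machine. The User-Agent string and the injectable fetch function are this example's own choices, and the offline demonstration in the usage note relies on a constructed API response.

```python
"""Check a password against the Pwned Passwords corpus without revealing it.

Added example, not 23andMe's or Have I Been Pwned's code. It uses the public
Pwned Passwords "range" API (k-anonymity): only the first five hex characters of
the password's SHA-1 are sent; the server returns every suffix in that range with
a count, and the suffix match happens locally. The User-Agent string and the
fetch injection point are this example's own choices.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (prefix, suffix): the 5 hex chars sent to the API and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Network fetch of one hash range (not exercised offline)."""
    if len(prefix) != 5:
        raise ValueError("only the 5-character prefix ever leaves this machine")
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in known breach data (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def is_safe_to_use(password, fetch=fetch_range):
    """Policy hook: a password seen even once in breach data should not be reused."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("password to check: ")
    n = pwned_count(pw)
    print(f"seen {n} times in breach data" if n else "not found in breach data")
```

Run interactively it prompts for a password and reports the count; to exercise it offline, pass `pwned_count` a stand-in for `fetch_range` that returns a constructed body such as `"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493"`, which is the suffix for the literal password "password" and so comes back as a hit. A signup or password-change form that calls this check is the server-side complement to the advice above: it refuses the reused, already-leaked passwords that make credential stuffing work, without the site ever learning what the user typed anywhere else.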
The broader lesson: this breach is a textbook example of why password reuse is dangerous. The 23andMe systems themselves were not hacked in the conventional sense — accounts were accessed using passwords stolen elsewhere. A unique, strong password for every service, maintained through a password manager, eliminates this specific vector entirely.
And the credential stuffing technique used here is the same one that opened the door in the Colonial Pipeline attack. It's not a sophisticated method. It works because the fundamentals of account security are still, for too many people and too many companies, not being applied.