Credential stuffing · Resolved

23andMe credential-stuffing breach

Attackers used credentials reused from prior breaches to access 23andMe accounts, then leveraged the 'DNA Relatives' feature to scrape ancestry and genetic profile data on 6.9 million users from compromised relatives' connections.

Victim: 23andMe Holding Co.
Loss: $50.0M
Records: 6.9M
Users: 6.9M

On 6 October 2023, 23andMe, the U.S. consumer-genetic-testing company, publicly confirmed that attackers had compromised customer accounts via credential stuffing using credentials reused from prior breaches. The directly compromised account count was small (~14,000), but the attackers leveraged 23andMe's DNA Relatives social feature to scrape ancestry and profile data on a much larger population: 6.9 million users, approximately half of 23andMe's total customer base.

The incident became the canonical case for credential-reuse cascades through social-graph features and contributed to 23andMe's eventual March 2025 bankruptcy filing.

What happened

23andMe is a direct-to-consumer genetic-testing service. Users submit a saliva sample, receive ancestry and (historically) health-risk reports, and can opt into a feature called DNA Relatives that connects them with other 23andMe users who share genetic material: biological relatives the user may or may not have known about.

The DNA Relatives feature, in its 2023 configuration, allowed users to view substantial profile information for their genetic matches by default: names, profile photos, ancestry composition, ethnicity estimates, and shared geographic information. This was an opt-in feature, but most users had opted in to maximise the genealogy-discovery value.

The attackers' approach:

  1. Credential stuffing: tested credential pairs from prior breaches (LinkedIn 2012, Adobe 2013, others) against 23andMe accounts. Approximately 14,000 accounts were directly compromised over months.
  2. Leveraged DNA Relatives: for each compromised account, scraped profile information for all the account's genetic matches, typically dozens to thousands of relatives' profiles per compromised account.
  3. Aggregated: across the 14,000 compromised accounts, profile data on approximately 6.9 million unique 23andMe users was captured, roughly half of 23andMe's total customer base.

Crucially, the attackers did not exfiltrate raw genetic sequence data; that data is not accessible through the DNA Relatives feature. But the ancestry and ethnicity composition data for each relative was visible, and was captured at scale.

The "Ashkenazi Jewish" sample

On 1 October 2023, a user on a criminal forum using the persona Golem offered a sample dataset of approximately 1 million 23andMe profiles tagged with Ashkenazi Jewish ancestry for sale. The selective ethnic targeting was widely interpreted as deliberate antisemitic targeting. Subsequent listings expanded to additional ethnic populations and finally to the full dataset.

The deliberate ethnic targeting was a distinguishing feature of this breach versus typical data-theft incidents. The attackers' selective release pattern (Ashkenazi Jewish and Chinese-ancestry samples first) drew specific media attention and added a discrimination-and-harassment dimension to the harm.

Genetic data scope

Important nuance: raw genetic sequence data was not exfiltrated. The exposed data was:

  • Profile information: names, photos, locations, dates of birth.
  • Ancestry composition: e.g., "32% Northwestern European, 24% Eastern European, 18% Ashkenazi Jewish".
  • Display-name and self-reported ethnicity.
  • Shared family-name suggestions that 23andMe's algorithm provides.

While not raw DNA, the ancestry composition and ethnicity data is genetic-derived and is treated as sensitive personal information under most data-protection frameworks. The exfiltration is therefore a genetic-data breach in regulatory terms, even though the underlying DNA sequences are not in the dataset.

Impact

  • 6.9 million users had profile and ancestry data exposed, approximately half of 23andMe's customer base.
  • Direct cost to 23andMe: ~$30M class-action settlement + ~$20M direct remediation + significant customer-loss impact.
  • 23andMe Chapter 11 bankruptcy filing in March 2025 cited the breach and its litigation aftermath among contributing factors, though 23andMe's pre-existing financial pressures were the primary driver.
  • UK ICO and Canadian Privacy Commissioner joint finding in June 2025 that 23andMe's data protection was inadequate, with remediation orders.
  • No specific U.S. enforcement action as of late 2024.

Why it matters

23andMe is the canonical case for credential-stuffing cascades through social-graph features. It established:

  • That credential stuffing remains a primary attack vector despite years of warnings about password reuse. The 14,000 compromised accounts were users whose credentials had appeared in prior breaches and not been rotated.
  • That social-graph features amplify breach impact dramatically. The direct compromise count (14,000) understated the breach scope by a factor of nearly 500x because each compromised account exposed information about hundreds of others.
  • That genetic-derived data, even without raw DNA sequences, is sensitive personal information requiring elevated protection.
  • That default opt-in to data-sharing features is now treated by regulators as a privacy-design failure. The DNA Relatives default settings (which most users had retained) exposed information about people who had no individual choice in the matter: their relatives' settings determined their own exposure.
  • That direct-to-consumer genetic testing companies' viability is now structurally tied to their cybersecurity posture in ways the original 2010s business model did not anticipate. 23andMe's bankruptcy followed multiple compounding pressures, but the post-breach customer-loss cohort was significant.
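The amplification described in the second bullet, modelled as an added example (not 23andMe's code): the match graph, the compromised set and the opt-in set are all constructed here, and the model generalises to any opt-in social-graph feature by treating breach scope as the union of the compromised accounts' visible neighbourhoods rather than the compromised count.

```python
"""Exposure cascade through a DNA-Relatives-style match graph.

Added illustration, not 23andMe code. A compromised account exposes the
profile of every match it can see, so breach scope is the union of the
compromised accounts' neighbourhoods. All data below is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple


def build_graph(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected match graph: a genetic match is visible from both sides."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def exposed_profiles(graph: Dict[str, Set[str]], compromised: Set[str],
                     opted_in: Optional[Set[str]] = None) -> Set[str]:
    """Third-party profiles readable through the compromised accounts.

    A match is visible only if both the viewer and the match have the
    feature enabled. opted_in=None models the 2023 situation, in which
    nearly every user had DNA Relatives switched on.
    """
    exposed: Set[str] = set()
    for account in compromised:
        if opted_in is not None and account not in opted_in:
            continue  # an account outside the feature sees no matches
        for match in graph.get(account, ()):
            if opted_in is None or match in opted_in:
                exposed.add(match)
    return exposed - set(compromised)  # count people other than the victims


def amplification(graph: Dict[str, Set[str]], compromised: Set[str],
                  opted_in: Optional[Set[str]] = None) -> float:
    """Third-party profiles exposed per directly compromised account."""
    return len(exposed_profiles(graph, compromised, opted_in)) / len(compromised)


if __name__ == "__main__":
    # Constructed sample: two compromised accounts whose match lists overlap
    # (r5, r6), so the union de-duplicates shared relatives.
    g = build_graph([("A", f"r{i}") for i in range(1, 7)]
                    + [("B", "r5"), ("B", "r6"), ("B", "r7"), ("C", "r8")])
    hit = {"A", "B"}
    print(len(exposed_profiles(g, hit)), amplification(g, hit))  # 7 3.5
    few = {"A", "B", "r1", "r2", "r7"}  # opt-out default: only these opted in
    print(len(exposed_profiles(g, hit, few)), amplification(g, hit, few))  # 3 1.5
```

With the constructed graph, switching from everyone-visible to a small opted-in set cuts the third-party exposure from 7 profiles to 3, which is the design point regulators raised about default opt-in.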

The case has also catalysed regulatory attention on consumer genetic-testing data: U.S. state laws specifically targeting DTC genetic data have proliferated post-23andMe, and the FTC has taken multiple enforcement actions against genetic-testing operators for inadequate security.

Financial impact

Reported costs in USD

Total reported loss: $50.0M (USD 50,000,000)
  • Business loss: $20.0M
  • Remediation: $30.0M

Timeline

  1. Attackers begin testing credential pairs from prior breaches against 23andMe accounts. Approximately 14,000 accounts are directly compromised over the following months.

  2. Attackers begin systematically scraping ancestry profile data via the 'DNA Relatives' feature, which allows users to view profile information for genetic matches. Each compromised account exposes information about dozens to thousands of relatives' profiles.

  3. User-forum persona 'Golem' offers a sample of '~1 million Ashkenazi Jewish 23andMe profiles' for sale, then expands to 'all 23andMe data'. The dataset includes names, profile photos, ethnicity estimates, and ancestry information.

  4. 23andMe publicly confirms unauthorised access via credential stuffing. Initial scope: 14,000 directly compromised accounts.

  5. 23andMe revises scope: 6.9 million users had profile data exposed via the DNA Relatives feature, roughly half of 23andMe's customer base.

  6. 23andMe agrees to a $30M class action settlement covering U.S. users.

  7. 23andMe files for Chapter 11 bankruptcy protection. The breach is cited as a contributing factor to subsequent customer loss and litigation costs.

  8. UK ICO and Canadian Privacy Commissioner jointly find 23andMe's data protection inadequate and order remediation.

Sources

  1. https://blog.23andme.com/articles/addressing-data-security-concerns
  2. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/joint-investigation-into-23andme-finds-genetic-data-was-not-adequately-protected/
  3. https://www.justice.gov/usao-ndca/pr/23andme-agrees-pay-30-million-resolve-class-action

Related incidents

Credential stuffing · Contained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim: Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records: 560.0M

Espionage · Contained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations, including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim: Microsoft customers (US State Department, Department of Commerce, ~25 organisations)