USA | October 6, 2023 | 15 min read
# 23andMe: 6.9 Million Users' Genetic and Ancestry Data Stolen Through Credential Stuffing - Company Filed Bankruptcy
Between April and September 2023, attackers used credential stuffing to compromise approximately 14,000 23andMe user accounts, then exploited the platform's DNA Relatives feature to scrape the genetic ancestry and personal data of 6.9 million connected users.
The stolen data was offered for sale on dark web forums with listings specifically targeting users of Ashkenazi Jewish and Chinese heritage.
The breach triggered a $30 million class action settlement (reduced from a proposed $50 million), a GBP 2.31 million UK ICO fine, multi-state attorney general investigations, and an existential crisis for the company.
In March 2025, 23andMe filed for Chapter 11 bankruptcy, and the California Attorney General issued an urgent advisory urging all users to delete their genetic data before the company's assets were sold.
## Key Facts
- **What:** Credential stuffing attack scraped genetic data via DNA Relatives feature.
- **Who:** 6.9 million 23andMe users, with ethnic groups specifically targeted.
- **Data Exposed:** Genetic ancestry, health predispositions, names, and family relationships.
- **Outcome:** $30M settlement, UK ICO fine, and company filed bankruptcy in 2025.
## What Was Exposed
- Genetic ancestry composition data including ethnicity percentages and haplogroup assignments for 6.9 million users
- DNA Relatives profile information including display names, predicted relationships, percentage of shared DNA, and ancestry reports
- Self-reported personal data including birth year, location, family surnames, and profile photos
- For the 14,000 directly compromised accounts: full ancestry reports, health predisposition data, carrier status reports, and raw genotype data
- Family tree information revealing biological relationships between users across multiple generations
- Ethnicity-specific datasets assembled and offered for sale targeting Ashkenazi Jewish users (approximately 1 million records) and Chinese heritage users (approximately 100,000 records)
The 23andMe breach represents a category of data exposure fundamentally different from any other incident in this series. Genetic data is the most permanent form of personal information--it cannot be changed, reset, or reissued.
A stolen Social Security number can be replaced; stolen DNA data remains valid for the lifetime of the individual and, through hereditary connections, reveals information about their biological relatives who never consented to any data collection.
The exposure of genetic ancestry, health predispositions, and carrier status creates risks that extend across generations.
## The Attack: Credential Stuffing to Social Graph Scraping
The attack exploited two separate vulnerabilities: weak authentication and an overly permissive data-sharing feature. The initial compromise involved credential stuffing--automated login attempts using username and password pairs stolen from other breaches.
Because many 23andMe users had reused passwords from other services and the platform did not require multi-factor authentication, the attackers successfully accessed approximately 14,000 accounts.
The 14,000 compromised accounts were not the end of the attack but the beginning.
These accounts served as access points to 23andMe's DNA Relatives feature, an opt-in tool that connects users with genetic relatives on the platform by sharing ancestry information and predicted family relationships.
By accessing the DNA Relatives connections of the 14,000 compromised accounts, the attackers were able to scrape the genetic and personal data of 6.9 million additional users who had opted into the feature.
The amplification factor was devastating: 14,000 compromised credentials led to 6.9 million users' data being stolen, a nearly 500:1 ratio.
This occurred because the DNA Relatives feature displayed substantial personal and genetic information to connected users without rate limiting, anomaly detection, or restrictions on bulk data access.
The feature was designed for human interaction--viewing one relative's profile at a time--but lacked technical controls to prevent automated mass scraping.
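Both phases of the attack described above leave distinct signals in ordinary application logs: one source address trying many different accounts with a high failure rate, and then an account opening far more relative profiles per hour than a person browsing by hand would. The following is an added example of that detection logic, not 23andMe's code; the log format, field names, sample lines and thresholds are constructed assumptions.

```python
"""Detection logic for the two attack phases: credential stuffing against the
login endpoint, then bulk enumeration of DNA Relatives from the accounts it
opened. All log lines, field names and thresholds are constructed for this
example (not 23andMe's log format or tuning)."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG_LINES = [
    # Constructed: one source address cycles through many accounts, mostly failing.
    "2023-05-01T10:00:01Z login ip=203.0.113.7 user=u1 result=fail",
    "2023-05-01T10:00:02Z login ip=203.0.113.7 user=u2 result=fail",
    "2023-05-01T10:00:03Z login ip=203.0.113.7 user=u3 result=fail",
    "2023-05-01T10:00:04Z login ip=203.0.113.7 user=u4 result=success",
    "2023-05-01T10:00:05Z login ip=203.0.113.7 user=u5 result=fail",
    # Constructed: an ordinary user mistypes once, then signs in.
    "2023-05-01T10:01:00Z login ip=198.51.100.9 user=u9 result=fail",
    "2023-05-01T10:01:10Z login ip=198.51.100.9 user=u9 result=success",
    # Constructed: the account opened above walks its relatives list at machine speed.
    "2023-05-01T10:02:00Z view_relative user=u4 relative=r1",
    "2023-05-01T10:02:01Z view_relative user=u4 relative=r2",
    "2023-05-01T10:02:02Z view_relative user=u4 relative=r3",
    "2023-05-01T10:02:03Z view_relative user=u4 relative=r4",
    "2023-05-01T10:02:04Z view_relative user=u4 relative=r5",
    "2023-05-01T10:02:05Z view_relative user=u4 relative=r6",
    # Constructed: a normal user looks at two relatives a few minutes apart.
    "2023-05-01T10:05:00Z view_relative user=u9 relative=r7",
    "2023-05-01T10:09:00Z view_relative user=u9 relative=r8",
]


def parse_line(line):
    """'<ts> <event> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, event, *pairs = line.split()
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    record.update(pair.split("=", 1) for pair in pairs)
    return record


EVENTS = [parse_line(line) for line in SAMPLE_LOG_LINES]


def max_distinct_in_window(items, window):
    """items: (timestamp, key) pairs. Largest number of distinct keys seen in any
    sliding window of length `window` (two-pointer sweep over sorted events)."""
    items = sorted(items)
    counts, best, left = defaultdict(int), 0, 0
    for ts, key in items:
        counts[key] += 1
        while items[left][0] < ts - window:      # drop events that fell out of the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many *different* accounts with a high failure
    rate; a legitimate user retrying one password does not trip this."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        distinct = max_distinct_in_window([(e["ts"], e["user"]) for e in logins], window)
        fail_ratio = sum(e["result"] == "fail" for e in logins) / len(logins)
        if distinct >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": distinct,
                "fail_ratio": round(fail_ratio, 2),
                # accounts this IP did get into: candidates for a forced reset
                "compromised": sorted(e["user"] for e in logins if e["result"] == "success"),
            }
    return flagged


def detect_bulk_relative_access(events, window=timedelta(hours=1), max_profiles=5):
    """Flag accounts that open more distinct relative profiles in one window than
    a person browsing by hand plausibly would. Returns {user: peak_count}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "view_relative":
            by_user[e["user"]].append((e["ts"], e["relative"]))
    peaks = {u: max_distinct_in_window(v, window) for u, v in by_user.items()}
    return {u: n for u, n in peaks.items() if n > max_profiles}


def correlate(events):
    """Accounts that were both opened from a stuffing IP and then used for bulk
    access: the highest-confidence lockdown candidates."""
    stuffed = {u for info in detect_credential_stuffing(events).values() for u in info["compromised"]}
    return sorted(stuffed & set(detect_bulk_relative_access(events)))


if __name__ == "__main__":
    print(detect_credential_stuffing(EVENTS))
    print(detect_bulk_relative_access(EVENTS))
    print(correlate(EVENTS))
```

The two detectors are deliberately independent: the login signal catches the stuffing campaign even when it fails, and the access-volume signal catches scraping from an account that was compromised some other way; `correlate` joins them where both fire, which is the case the text describes.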
The stolen data first appeared on the BreachForums dark web marketplace in October 2023. The initial listing specifically advertised data on “1 million Ashkenazi Jews” and separately offered datasets targeting users of Chinese heritage.
The ethnic targeting of the data listings raised alarm among civil rights organizations, intelligence agencies, and affected communities.
Genetic data organized by ethnicity has applications in discriminatory targeting, intelligence operations, and bio-surveillance that extend far beyond conventional identity fraud.
## Regulatory Analysis
**California Consumer Privacy Act (CCPA):** As a California-headquartered company processing the personal information of millions of California residents, 23andMe was subject to the CCPA and its 2020 amendment, the California Privacy Rights Act (CPRA).
Genetic data is classified as “sensitive personal information” under the CPRA, subject to enhanced protections including purpose limitation and minimization requirements.
The CCPA grants California consumers the right to know what personal information is collected, to delete their data, and to opt out of the sale of their information.
The class action settlement included provisions addressing these rights, and the California Attorney General's post-bankruptcy advisory emphasized the urgency of consumers exercising their deletion rights before the company's assets--including the genetic database--were sold to a new owner.
**California Genetic Information Privacy Act (GIPA):** California's Genetic Information Privacy Act, enacted in 2022, imposes specific requirements on companies that collect genetic data.
GIPA requires express consent for the collection, use, and disclosure of genetic data, prohibits discrimination based on genetic information, and grants individuals the right to access and delete their genetic data.
The 23andMe breach raised questions about whether the company's consent mechanisms for the DNA Relatives feature adequately informed users that their genetic data could be accessed by anyone who compromised a connected account.
The feature's design effectively transformed an opt-in sharing tool into a mass data exposure vector.
**State Breach Notification:** The breach triggered notification obligations in all 50 states under their respective data breach notification statutes.
Several states have enacted specific provisions for breaches involving biometric or genetic data, imposing heightened notification requirements and longer-duration protective measures for affected individuals.
23andMe notified all 6.9 million affected users and offered credit monitoring and identity protection services, though the relevance of traditional credit monitoring for a genetic data breach is limited.
**Multi-State Attorney General Investigation:** Attorneys general from multiple states launched coordinated investigations into 23andMe's data security practices and breach response.
The investigations focused on whether 23andMe's failure to require MFA constituted inadequate security for genetic data, whether the DNA Relatives feature's data-sharing design was consistent with user expectations and consent, and whether 23andMe's breach detection and response timeline met the standards required by state consumer protection laws.
**UK ICO Enforcement - GBP 2.31 Million:** The UK Information Commissioner's Office fined 23andMe GBP 2.31 million under UK GDPR for the breach's impact on UK-based users.
The ICO found that 23andMe failed to implement appropriate technical measures to protect the personal data of its users, specifically citing the absence of mandatory multi-factor authentication for accounts containing genetic information.
The ICO also noted that 23andMe's privacy impact assessment for the DNA Relatives feature had not adequately considered the risk of cascading data exposure through credential stuffing.
**Class Action Settlement:** In September 2024, a federal judge granted preliminary approval to a $30 million class action settlement (reduced from an initial $50 million proposal due to 23andMe's deteriorating financial condition).
The settlement provided cash payments to affected users, three years of privacy and medical monitoring through a specialized genetic data protection service, and requirements for 23andMe to implement MFA, conduct annual security audits, and maintain a dedicated data incident response program.
The settlement was approved despite objections that the per-person payment was inadequate given the permanent and irreversible nature of genetic data exposure.
## Bankruptcy and the Fate of Genetic Data
In March 2025, 23andMe filed for Chapter 11 bankruptcy protection, listing the genetic data of approximately 15 million total users as among its assets.
The bankruptcy filing raised a question without precedent in data protection law: what happens to the genetic data of millions of people when the company holding it goes bankrupt and its assets are sold?
California Attorney General Rob Bonta issued an urgent public advisory urging 23andMe users to log in and delete their accounts and genetic data before the company's assets were transferred to a buyer.
The advisory reflected a real fear that the genetic database--one of the largest private collections of human DNA data in the world--could be acquired by an entity with different privacy commitments or in a jurisdiction with weaker data protection laws.
The advisory emphasized that under the CCPA and GIPA, users retained the right to request deletion of their data regardless of the company's financial status.
The bankruptcy proceedings raised fundamental questions about whether genetic data should be treated as a transferable corporate asset at all, whether bankruptcy courts should appoint privacy trustees to protect consumers' data rights during asset sales, and whether existing privacy laws are adequate to address the lifecycle of sensitive biometric data when the collecting entity ceases to exist.
## What Should Have Been Done
**Mandatory Multi-Factor Authentication:** The single most impactful security control that would have prevented this breach is mandatory MFA. Credential stuffing attacks are only effective against accounts protected solely by passwords.
For a platform storing genetic data--the most sensitive and permanent category of personal information--allowing password-only authentication was an indefensible design choice.
23andMe implemented mandatory MFA only after the breach, a remediation that came too late for 6.9 million users.
**Rate Limiting and Anomaly Detection on Social Features:** The DNA Relatives scraping exploited the absence of controls on data access volume and velocity.
Any feature that allows one user to view another user's data must implement rate limiting, session-level access caps, and behavioral analytics to detect automated scraping.
When 14,000 accounts begin systematically accessing hundreds of connected profiles each, the pattern should trigger immediate alerts and account lockdowns.
**Data Minimization in Sharing Features:** The DNA Relatives feature shared substantial genetic and personal data between connected users.
Privacy by design principles would require minimizing the data visible through such features to the minimum necessary for their purpose--for example, showing predicted relationships without exposing full ancestry composition data or self-reported personal information.
Reducing the data surface exposed through social features limits the blast radius when those features are abused.
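The two preceding controls, a per-session access cap with velocity limiting and a minimized data surface for the sharing feature, fit together in one endpoint. The following is an added example of how such an endpoint could enforce both; it is not 23andMe's code, and the class names, fields, thresholds and sample profile are constructed assumptions.

```python
"""Two preventive controls for a relative-matching feature: a minimized
response that withholds ancestry composition and self-reported fields, and a
per-session gate that throttles velocity and caps total distinct profiles.
Class and field names, thresholds and the sample profile are constructed
assumptions, not 23andMe's design."""
from collections import defaultdict, deque
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RelativeProfile:
    """Everything the platform holds about a matched relative (assumed fields)."""
    user_id: str
    display_name: str
    predicted_relationship: str
    shared_dna_percent: float
    ancestry_composition: dict   # e.g. {"Region A": 60.0, "Region B": 40.0}
    haplogroups: dict
    birth_year: int
    location: str
    family_surnames: tuple


# The only fields the matching feature needs in order to fulfil its purpose.
MINIMAL_FIELDS = ("predicted_relationship", "shared_dna_percent")


def minimize_for_relative(profile):
    """Data minimization: what a connected user (or whoever holds their session)
    can see. Ancestry composition, haplogroups and self-reported personal data
    never leave the server through this path."""
    full = asdict(profile)
    return {key: full[key] for key in MINIMAL_FIELDS}


class RelativeAccessGate:
    """Per-session velocity limit (sliding window) plus a hard cap on distinct
    relative profiles per session. A hijacked login hits the throttle within
    seconds and the cap long before it can enumerate a full relatives list."""

    def __init__(self, per_window=10, window=timedelta(minutes=1), session_cap=50):
        self.per_window, self.window, self.session_cap = per_window, window, session_cap
        self._recent = defaultdict(deque)   # session -> timestamps inside the window
        self._seen = defaultdict(set)       # session -> distinct relatives already served
        self.blocked = set()                # sessions locked pending review

    def allow(self, session_id, relative_id, now):
        if session_id in self.blocked:
            return False
        recent = self._recent[session_id]
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.per_window:          # too fast: throttle, keep session
            return False
        seen = self._seen[session_id]
        if relative_id not in seen and len(seen) >= self.session_cap:
            self.blocked.add(session_id)             # too many: lock and alert
            return False
        recent.append(now)
        seen.add(relative_id)
        return True


def serve_relative(gate, session_id, profile, now):
    """Endpoint logic: enforce the gate first, then return only the minimized view."""
    if not gate.allow(session_id, profile.user_id, now):
        return None
    return minimize_for_relative(profile)


def constructed_profile(i):
    """A constructed sample record; every value here is made up."""
    return RelativeProfile(
        user_id=f"rel-{i}", display_name=f"Relative {i}",
        predicted_relationship="3rd cousin", shared_dna_percent=0.8,
        ancestry_composition={"Region A": 60.0, "Region B": 40.0},
        haplogroups={"mt": "example"}, birth_year=1970,
        location="Example City", family_surnames=("Doe",))


def simulate_scrape(gate, n_profiles, session_id="sess-hijacked"):
    """A script requesting one distinct profile per second from one session.
    Returns (profiles served, whether the session ended up locked)."""
    start = datetime(2023, 5, 1, 10, 0, 0)
    served = 0
    for i in range(n_profiles):
        view = serve_relative(gate, session_id, constructed_profile(i),
                              start + timedelta(seconds=i))
        if view is not None:
            served += 1
    return served, session_id in gate.blocked


if __name__ == "__main__":
    print(minimize_for_relative(constructed_profile(1)))
    print(simulate_scrape(RelativeAccessGate(), 100))
```

With the assumed defaults (10 views per minute, 50 distinct profiles per session) a one-request-per-second script gets 20 profiles out of 100 attempts in its first 100 seconds, each stripped to the two minimal fields, and a session that does get past the throttle is locked at the 51st distinct profile. The two limits answer different failure modes: the velocity limit slows a fast scraper, and the session cap bounds the total damage from a slow, patient one.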
**Genetic Data Governance Framework:** Companies holding genetic data operate in a fundamentally different risk landscape than companies holding financial or contact data.
Genetic data governance must account for the permanence of the data, the hereditary implications for non-consenting relatives, the potential for ethnic targeting and discrimination, and the lifecycle of the data beyond the company's existence.
23andMe's failure to build its security program around the unique characteristics of genetic data was the root cause of both the breach and the company's subsequent collapse.
The 23andMe breach exposed the most permanent, intimate form of personal data--human DNA--through the most basic of attack vectors: reused passwords. The ethnic targeting of stolen genetic data added a dimension of discriminatory harm unprecedented in cybersecurity.
The company's subsequent bankruptcy raised existential questions about the fate of genetic databases when their custodians cease to exist.
For any organization holding biometric or genetic data, the 23andMe case is an unequivocal warning: genetic data demands the highest tier of security controls, because once it is stolen, it cannot be revoked, reissued, or forgotten.