What Happened in the 23andMe Data Breach?
The 23andMe data breach came to light after the genetic testing company discovered hackers had broken into customer accounts and stolen deeply personal genetic information. According to New York’s Attorney General, this intrusion happened because 23andMe failed to put reasonable safeguards in place to protect this sensitive data. As a result, the company has now agreed to pay $18 million to resolve the state’s investigation into its security failures.
Investigators found that attackers used a technique called credential stuffing. This means hackers took usernames and passwords stolen from other, unrelated data breaches and tried them on 23andMe accounts. Because many people reuse passwords across different websites, this method worked on a large number of accounts. Unauthorized access to the company’s network occurred in April 2023, though the full scope was not discovered until months later.
Once inside, attackers exploited a feature called DNA Relatives. This feature lets users see genetic connections to other users on the platform. Because of this feature, hackers who compromised a relatively small number of accounts were able to access data belonging to millions of other people. The breach was ultimately discovered in October 2023, prompting an internal investigation.
The Attorney General’s investigation determined that 23andMe lacked basic security measures. For example, the company did not require multi-factor authentication for a long period, and it failed to detect suspicious login patterns quickly. This settlement reflects a broader finding that the company’s cybersecurity program did not match the sensitivity of the data it held.
Who was affected?
The 23andMe data breach affected a massive number of customers who had used the company’s genetic testing services. Because of the DNA Relatives feature, the breach reached far beyond the accounts that were initially compromised. As a result, the exposure extended to people who never directly used weak or reused passwords themselves.
According to public reporting connected to this settlement, the breach impacted customers nationwide, including a significant number of New York residents. The affected population includes people who submitted DNA samples for ancestry or health insights. In addition, because genetic data reveals information about biological relatives, family members who never signed up for 23andMe could also be indirectly affected.
This breach did not target a specific demographic. However, because genetic testing often runs in families, both older and younger adults across the country may have had their information exposed. The scope of this incident makes it one of the more far-reaching genetic privacy failures in recent years.
What Information Was Potentially Exposed?
The data exposed in this breach was especially sensitive because it went beyond typical personal identifiers. Genetic data cannot be changed or reset like a password. Therefore, the type of information stolen here carries long-term risk that traditional data breaches often do not.
- Genetic ancestry information and DNA-related test results
- Names and account profile details
- Family tree and relative-matching data
- Health-related predisposition reports, where applicable
- Email addresses and account login credentials
- Location information tied to user profiles
Because genetic data is permanent, exposure carries risks that differ from a typical breach involving credit card numbers. For instance, stolen genetic profiles could be used to infer health conditions or ancestry details that individuals never intended to share publicly. This raises concerns about discrimination in insurance or employment contexts.
In addition, because the breach exposed family relationship data, individuals who never used 23andMe directly may still face privacy risks. This means someone’s relative’s decision to use the service could expose details about people who never consented to genetic testing at all. As a result, the ripple effects of this breach are unusually broad.
What is the company doing?
Following discovery of the intrusion, 23andMe stated it took steps to secure affected accounts and investigate the scope of the breach. The company also began requiring users to reset passwords and eventually mandated additional authentication measures. These steps aimed to prevent further unauthorized access through credential stuffing.
As part of the settlement with the New York Attorney General, 23andMe has agreed to pay $18 million and to implement stronger data security practices going forward. This includes commitments to improve authentication protocols and monitor for suspicious account activity more effectively. Additionally, the settlement requires the company to maintain safeguards specifically designed to protect genetic and health data.
The company has also faced other legal and regulatory scrutiny beyond this settlement. Consequently, 23andMe’s ongoing response includes broader efforts to rebuild trust with customers concerned about how their genetic data is stored and protected moving forward.
What Should Affected Individuals Do?
Monitor Your Credit Reports
Affected individuals should regularly check their credit reports for signs of unauthorized activity. Even though this breach centered on genetic data rather than financial account numbers, exposed personal details can still be combined with other stolen information to commit fraud.
You can request free credit reports from major credit bureaus and review them for unfamiliar accounts or inquiries. If you notice anything suspicious, report it immediately. Because identity thieves often combine data from multiple breaches, staying vigilant is especially important here.
Stay Alert to Phishing Attempts
Scammers frequently use breach news to craft convincing phishing emails or text messages. For example, you might receive a message claiming to be from 23andMe asking you to verify your account or reset your password through a suspicious link.
Never click links in unsolicited messages. Instead, go directly to the official website by typing the address yourself. This simple habit can prevent attackers from harvesting your login credentials through fake pages.
Secure Your Online Accounts
Because this breach happened through credential stuffing, it’s a strong reminder to use unique passwords for every account you own. If you reused your 23andMe password elsewhere, change it immediately on all affected sites.
In addition, enable multi-factor authentication wherever it’s available. This adds an extra layer of protection so that even if a password is stolen, attackers cannot easily access your account. A password manager can also help you generate and store strong, unique passwords.
Understand the Unique Risks of Genetic Data Exposure
Unlike a stolen credit card number, exposed genetic data cannot simply be replaced or canceled. Therefore, affected individuals should think carefully about how this information could be used against them in the future, including in insurance or employment contexts.
Consider reviewing what genetic testing companies you use and how they handle data sharing settings. You may also want to consult a data breach attorney for a free case evaluation to understand what legal options might be available given the sensitivity of the exposed information.
More Information
Official data breach notification from Delaware Attorney General
Official data breach notification from California Attorney General
