23andMe
Summary
23andMe, a genetic testing and ancestry service, disclosed a data breach affecting 6.9 million users worldwide in December 2023. The breach exposed DNA ancestry data, personal profiles, and relationship information after attackers used stolen passwords from other breaches to access accounts. The company agreed to a $30 million settlement in 2024 to resolve class action lawsuits.
What Happened
Attackers used a technique called credential stuffing: they replayed username and password combinations stolen in other data breaches against 23andMe's login. Many users had reused the same passwords across multiple websites and had not enabled two-factor authentication on their 23andMe accounts, so those replayed credentials succeeded.
The attackers successfully accessed approximately 14,000 accounts directly. However, because 23andMe offers a feature called "DNA Relatives" that automatically shares genetic and profile information between users who opt in, the breach's impact was much larger. Through these interconnected accounts, attackers accessed data belonging to approximately 6.9 million people who had opted into the DNA Relatives feature.
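A small model of the amplification described above, added here as an illustration and not code from 23andMe: a few accounts fall to credential stuffing (reused password, no second factor), and each one reveals the data of every relative match who also opted into sharing. The account fields, the match graph and the mutual opt-in rule are constructed assumptions for the model.

```python
"""Toy model of credential stuffing amplified by opt-in relative sharing.
Constructed sample data; not 23andMe's real graph, schema or code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: str
    reused_password: bool   # password also leaked in an earlier, unrelated breach
    mfa_enabled: bool       # second factor required at login
    opted_in_sharing: bool  # consented to share profile data with DNA matches


def stuffable(acct: Account) -> bool:
    """An account falls to credential stuffing only if the attacker already
    holds its password and no second factor blocks the replayed login."""
    return acct.reused_password and not acct.mfa_enabled


def exposed_users(accounts, matches, compromised):
    """Return the ids whose data the attacker can read.
    `matches` is an undirected relative graph as (a, b) pairs. Sharing is
    assumed to be mutual opt-in: a compromised account only reveals a match's
    data when both sides opted in."""
    by_id = {a.user_id: a for a in accounts}
    neighbours = defaultdict(set)
    for a, b in matches:
        neighbours[a].add(b)
        neighbours[b].add(a)
    exposed = set(compromised)
    for c in compromised:
        if by_id[c].opted_in_sharing:
            exposed |= {n for n in neighbours[c] if by_id[n].opted_in_sharing}
    return exposed


def simulate(accounts, matches):
    """(accounts logged into directly, accounts whose data was exposed)."""
    compromised = {a.user_id for a in accounts if stuffable(a)}
    return len(compromised), len(exposed_users(accounts, matches, compromised))


# Constructed sample: six accounts, only one is directly stuffable.
ACCOUNTS = [
    Account("u1", True, False, True),    # reused pw, no MFA -> compromised
    Account("u2", True, True, True),     # reused pw, but MFA blocks the login
    Account("u3", False, False, True),   # unique password, shares with matches
    Account("u4", False, False, True),
    Account("u5", False, False, False),  # match of u1 but never opted in
    Account("u6", False, False, True),   # not a match of any compromised account
]
MATCHES = [("u1", "u2"), ("u1", "u3"), ("u1", "u4"), ("u1", "u5"), ("u2", "u6")]

if __name__ == "__main__":
    print(simulate(ACCOUNTS, MATCHES))  # (1, 4): one login, four people exposed
```

Flipping `mfa_enabled` on `u1` drops the result to (0, 0), which is the effect of the mandatory second factor the company later imposed.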
Impact on Individuals
The stolen data included names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations. For some users, genetic health information and more detailed profile data were also accessed.
The exposure of genetic data is particularly concerning because, unlike passwords or credit cards, DNA cannot be changed. The compromised information could potentially be used for identity theft, targeted scams, or sold on dark web marketplaces. Users of specific ethnic backgrounds, including those with Ashkenazi Jewish and Chinese ancestry, were reportedly singled out.
Organisational Response
23andMe notified affected users and required password resets for all accounts. The company also made two-factor authentication mandatory for all users following the breach. In September 2024, 23andMe agreed to pay $30 million to settle class action lawsuits stemming from the breach, providing compensation to affected customers.
The UK Information Commissioner's Office and Canadian privacy authorities conducted a joint investigation, which found that 23andMe did not have adequate data protections and ignored warning signs. The joint investigation resulted in 23andMe being fined £2.31 million by the ICO.
Legal Action
A class action lawsuit was filed against 23andMe, resulting in a $30 million settlement approved in 2024. The settlement allows eligible users to claim up to $10,000 before the February 2026 deadline, with specific amounts depending on individual circumstances and documentation of harm.