23andMe Data Breach
6.9M users affected • Late April to September 2023, disclosed October 2023
Attackers logged in to 23andMe accounts with username and password pairs stolen in breaches of other websites, a technique called credential stuffing. What made it worse is the site's DNA Relatives feature: every compromised account showed the profiles of its genetic matches, so the attackers could collect data on millions of users whose own accounts were never breached. Unlike a password, your DNA cannot be changed, so this data could still be used for discrimination or identity fraud decades from now.
What Happened
Hackers used credential stuffing, testing username and password combinations stolen from other breaches, to log in to roughly 14,000 23andMe accounts whose owners had reused passwords. No 23andMe system was broken into; the attackers walked in the front door with valid credentials. Because the DNA Relatives feature shows each user the profiles of their genetic matches, the attackers then scraped information on about 6.9 million users in total, most of whom were never directly compromised. The breach exposed highly sensitive genetic data that, unlike a password, cannot be rotated. At the time, two-factor authentication was optional on 23andMe accounts; it has since been made mandatory.
Attack method: Credential stuffing (reused passwords on accounts without two-factor authentication)
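As an added example that is not part of this page and not code from 23andMe, the following Python script shows how a defender could spot credential stuffing in web-login logs. The log format, IP addresses, usernames and thresholds are all constructed for the example. The signal is a single source trying many distinct usernames about once each with a high failure rate; a successful login from such a source is a likely account takeover, and those are the accounts to force-reset. One user failing repeatedly from one address (a forgotten password or a brute-force attempt) is a different pattern and is deliberately not flagged here.

```python
"""Flag credential-stuffing sources in web-login logs.

Added example, not code from this page or from 23andMe.  The log format,
addresses, usernames and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed log format: "<ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")

# Constructed sample: one source spraying a stolen credential list (each pair
# tried once, most fail, two succeed), one user retrying their own password,
# and one ordinary login.
SAMPLE_LOG = """\
2023-04-28T02:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-28T02:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-28T02:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-04-28T02:00:03Z 203.0.113.7 dave@example.com FAIL
2023-04-28T02:00:04Z 203.0.113.7 erin@example.com FAIL
2023-04-28T02:00:05Z 203.0.113.7 frank@example.com SUCCESS
2023-04-28T02:00:06Z 203.0.113.7 grace@example.com FAIL
2023-04-28T02:00:07Z 203.0.113.7 heidi@example.com FAIL
2023-04-28T09:15:00Z 198.51.100.20 alice@example.com FAIL
2023-04-28T09:15:30Z 198.51.100.20 alice@example.com FAIL
2023-04-28T09:16:00Z 198.51.100.20 alice@example.com SUCCESS
2023-04-28T10:00:00Z 192.0.2.55 bob@example.com SUCCESS
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    successes: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def span_seconds(self) -> float:
        return (self.last - self.first).total_seconds() if self.first else 0.0


def parse_log(text: str) -> List[Tuple[datetime, str, str, bool]]:
    """Parse lines into (timestamp, ip, user, succeeded); malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append((when, ip, user, result == "SUCCESS"))
    return entries


def summarize_by_source(entries) -> Dict[str, SourceStats]:
    """Aggregate login attempts per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for when, ip, user, ok in entries:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
        if s.first is None or when < s.first:
            s.first = when
        if s.last is None or when > s.last:
            s.last = when
    return dict(stats)


def stuffing_sources(stats, min_users=5, max_tries_per_user=1.5, min_fail_ratio=0.5):
    """Return {ip: [accounts successfully logged into]} for sources whose
    behaviour matches credential stuffing: many distinct usernames, about one
    attempt per username, and a high failure rate."""
    flagged: Dict[str, List[str]] = {}
    for ip, s in stats.items():
        distinct = len(s.users)
        if distinct < min_users:
            continue  # one user failing repeatedly is brute force, not stuffing
        if s.attempts / distinct > max_tries_per_user:
            continue  # stuffing tries each stolen pair roughly once
        if s.failures / s.attempts < min_fail_ratio:
            continue
        flagged[ip] = sorted(s.successes)  # likely takeovers: force-reset these
    return flagged


def detect(log_text: str) -> Dict[str, List[str]]:
    return stuffing_sources(summarize_by_source(parse_log(log_text)))


if __name__ == "__main__":
    stats = summarize_by_source(parse_log(SAMPLE_LOG))
    for ip, hits in detect(SAMPLE_LOG).items():
        s = stats[ip]
        print(f"{ip}: {len(s.users)} usernames in {s.span_seconds:.0f}s, "
              f"{s.failures}/{s.attempts} failed, takeovers: {hits}")
```

Real attackers spread a stuffing run across many proxy addresses, so in production the same aggregation is also run per user-agent, per ASN and per unique password hash attempted across accounts; the per-IP view here is the simplest form of the check.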
What Data Was Exposed
Genetic ancestry data, Health predisposition reports, Full names, Birth years, Geographic locations, Family tree connections, DNA Relatives matches, Profile photos
What to Do If You're Affected
1. Change your 23andMe password immediately, and make the new one unique to that account
2. Enable two-factor authentication on your account (23andMe now requires it, but confirm it is active)
3. Review and restrict your DNA Relatives and family tree sharing settings; opting out removes your profile from other users' match lists
4. Change this password everywhere else you used it, since the leaked combination is exactly what attackers test on other sites
5. Consider downloading your 23andMe data and then deleting it from your account settings if you no longer want it held
6. Use a password manager so every account gets its own random password
Keep in mind that data already copied cannot be recalled; these steps limit further exposure rather than undo the breach.
Lessons for Businesses
- • Genetic data is permanent: unlike a password, a leaked genome cannot be rotated, so the impact of a breach never expires
- • Credential stuffing cannot be stopped by user choice alone: enforce MFA, screen new passwords against known-breached lists, and rate-limit and alert on one source attempting logins across many accounts
- • Social and sharing features multiply blast radius: a few thousand compromised accounts exposed millions of non-compromised users, so model what an attacker sees through one legitimate session, not just what the account itself holds
- • Consumers should think carefully before handing DNA to a commercial service; businesses that hold such data should collect only what they need and offer a real deletion path
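The third lesson above is easy to underestimate, so here is an added example (not code from this page or from 23andMe) that models a relatives-matching feature as a graph and measures how far a handful of compromised accounts reach. The accounts, matches and opt-in flags are constructed; the model assumes, as in the public description of the incident, that a compromised account reveals its own data plus the profile of every match that has opted in to relative sharing. The same script shows how a user opting out shrinks the exposed set.

```python
"""Estimate how a sharing feature expands a breach's blast radius.

Added example, not code from this page or from 23andMe.  The relative graph,
opt-in flags and account names are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed genetic matches (undirected: if A matches B, B matches A).
RELATIVE_MATCHES = [
    ("u1", "u3"), ("u1", "u4"), ("u1", "u5"), ("u1", "u9"), ("u1", "u10"),
    ("u2", "u4"), ("u2", "u6"),
    ("u3", "u7"), ("u6", "u8"),
]
# Users who opted in to the relatives feature; u5 never did.
OPTED_IN = {"u1", "u2", "u3", "u4", "u6", "u7", "u8", "u9", "u10"}
# Accounts the attacker actually logged into via credential stuffing.
COMPROMISED = {"u1", "u2"}


def build_graph(matches: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in matches:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def exposed_users(graph: Dict[str, Set[str]], opted_in: Set[str],
                  compromised: Set[str]) -> Set[str]:
    """Accounts whose profile data an attacker can read from the compromised
    sessions.  A compromised account always exposes its own data; if it is
    opted in, it also shows the profile of every opted-in match (one hop,
    which is what a relatives list displays)."""
    exposed = set(compromised)
    for victim in compromised:
        if victim not in opted_in:
            continue  # an opted-out victim sees no match list at all
        exposed |= {rel for rel in graph.get(victim, set()) if rel in opted_in}
    return exposed


def amplification(graph, opted_in, compromised) -> float:
    """Exposed users per directly compromised account."""
    return len(exposed_users(graph, opted_in, compromised)) / len(compromised)


if __name__ == "__main__":
    g = build_graph(RELATIVE_MATCHES)
    base = exposed_users(g, OPTED_IN, COMPROMISED)
    print(f"compromised {sorted(COMPROMISED)} -> exposed {sorted(base)} "
          f"({amplification(g, OPTED_IN, COMPROMISED):.1f}x)")
    # A non-compromised user restricting sharing removes themselves from the set.
    after_opt_out = exposed_users(g, OPTED_IN - {"u4"}, COMPROMISED)
    print(f"after u4 opts out -> exposed {sorted(after_opt_out)}")
```

In the real incident the ratio was on the order of a few thousand directly compromised accounts to roughly 6.9 million users exposed; the graph here is tiny, but the mechanism is identical, and the same function is a useful threat-modelling tool for any product with a "who can see what" feature.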