Case Study: Inside the 23andMe Breach - What Happens When Your Genetic Data Isn’t Private
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Looking for a security engineer? Visit SecurityEngineer.com
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Executive Summary
In late 2023, consumer genetics company 23andMe suffered a significant data breach affecting the genetic and personal data of nearly 7 million users. The breach was made possible by a widespread credential stuffing campaign that exploited weak password reuse. This incident underscores the high stakes of handling immutable data like DNA and reveals gaps in the U.S. legal framework concerning data ownership, consumer privacy, and corporate accountability. This article breaks down the timeline of the breach, explains the hacking technique in simple terms, presents the actual language from public notices and regulatory filings, and offers an expanded legal and compliance analysis.
What Happened? A Plain-English Breakdown
Between May and September 2023, hackers used a method called credential stuffing to break into 23andMe user accounts. Credential stuffing involves using leaked usernames and passwords—often from unrelated data breaches—to attempt logins on new sites. Because many people reuse passwords across multiple platforms, attackers succeeded in accessing around 14,000 accounts.
Once inside those accounts, the attackers exploited 23andMe’s DNA Relatives feature, which allows users to share portions of their genetic data with others in their family network. By scraping profiles and shared connections, the attackers were able to collect highly detailed genetic and personal information about approximately 6.9 million users.
This included full ancestry breakdowns, familial relationships, and sensitive data about ethnic origins. The incident also highlighted how a breach affecting a relatively small number of accounts can cascade through connected systems and expose millions.
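The credential stuffing pattern described above leaves a recognizable trace in authentication logs: one source address cycling through many different usernames with mostly failed logins, punctuated by the occasional success on an account whose password was reused. The following detector is an added example, not 23andMe's code; the log line format, IP addresses and usernames are constructed for illustration, and the window and threshold values are assumptions to be tuned against a real login baseline.

```python
"""Spotting a credential stuffing campaign in authentication logs.

Added example (not 23andMe's code). The log line format, IP addresses and
usernames below are constructed for illustration. The detector flags source
IPs that try many *different* accounts with mostly failed logins inside a
short window, then reports which accounts nevertheless logged in successfully
from such a source, since those are the likely compromised accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: a legitimate user who mistypes once, and one
# source IP cycling through leaked username/password pairs.
SAMPLE_LOG = """\
2023-06-12T03:14:01Z login ip=198.51.100.7 user=alice result=fail
2023-06-12T03:14:09Z login ip=198.51.100.7 user=alice result=success
2023-06-12T03:15:00Z login ip=203.0.113.5 user=bob result=fail
2023-06-12T03:15:01Z login ip=203.0.113.5 user=carol result=fail
2023-06-12T03:15:02Z login ip=203.0.113.5 user=dave result=success
2023-06-12T03:15:03Z login ip=203.0.113.5 user=erin result=fail
2023-06-12T03:15:04Z login ip=203.0.113.5 user=frank result=fail
2023-06-12T03:15:05Z login ip=203.0.113.5 user=grace result=fail
2023-06-12T03:15:06Z login ip=203.0.113.5 user=heidi result=success
2023-06-12T03:15:07Z login ip=203.0.113.5 user=ivan result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: [accounts that succeeded from ip]} for every source IP
    that attempted at least min_accounts distinct accounts with a failure
    ratio of at least min_fail_ratio inside some sliding window.

    A single user retrying their own password never trips this: the
    distinct-account count stays at one."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    compromised = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so the events in view span at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {user for _, user, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(accounts) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                compromised[ip].update(user for _, user, ok in chunk if ok)
    return {ip: sorted(users) for ip, users in compromised.items()}


if __name__ == "__main__":
    for ip, users in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing from {ip}; accounts to force-reset: {users}")
```

The accounts returned per flagged IP are the ones a responder would force-reset first, which is the targeted version of the blanket reset 23andMe issued on October 10. Keying on distinct accounts per source rather than on failures per account is what separates this pattern from an ordinary brute-force lockout rule, and it is also why the attack is hard to see at the individual account level: each victim account may show only one login, and a successful one at that.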
Timeline of the Breach
- May–September 2023: Attackers begin a credential stuffing campaign targeting users with reused passwords.
- October 1, 2023: A sample of data is posted on BreachForums. A user named "Golem" offers information on 1 million users, with specific targeting of Jewish and Chinese ancestry groups.
- October 6, 2023: 23andMe confirms the incident publicly via blog and states: “We believe the threat actor may have compiled profile information about users with whom they are sharing genetic information.”
- October 10, 2023: All users are required to reset their passwords. In official notifications to customers, 23andMe wrote: “We are writing to inform you of a cybersecurity incident involving your 23andMe account. Based on our investigation, your account may have been accessed by a threat actor using login credentials obtained from a third-party data breach.”
- October 12, 2023: 23andMe begins filing breach notifications with state attorneys general. The California notice states: “Out of an abundance of caution, we are notifying you that your profile information may have been accessed by an unauthorized party.”
- November 6, 2023: Two-step verification becomes mandatory for all 23andMe users.
- December 1, 2023: In a Form 8-K SEC filing, 23andMe confirms the breach affected 6.9 million individuals.
- January–April 2024: Class action lawsuits are filed across multiple states, alleging failures in privacy, security, and customer notification.
- September 13, 2024: The company agrees to a $30M class-action settlement, offering credit monitoring and reimbursement for affected users.
- March 23, 2025: 23andMe files for Chapter 11 bankruptcy, citing litigation expenses and loss of customer trust.
What Data Was Leaked?
The compromised data varied by account but included:
- Account Identifiers: Names, usernames, email addresses, profile photos, gender, birth year
- Geographic Data: Self-reported locations, countries of family origin
- Genetic Results: Percentages for ancestral backgrounds (e.g., 47% Ashkenazi Jewish, 12% East Asian)
- Haplogroups: Genetic family markers revealing maternal and paternal lineage
- Family Matching Information: DNA Relatives lists, shared DNA segments, grandparental birthplaces
According to 23andMe’s internal investigation, this data was scraped through accounts accessed with the valid credentials obtained in the credential stuffing attack. Because the DNA Relatives feature was opt-in and displayed a user’s information to others in their network, attackers were able to harvest a large amount of associated data from each compromised account.
Legal Framework: What Laws Apply?
Genetic Information Nondiscrimination Act (GINA)
- Protects against discrimination based on genetic information in health insurance and employment.
- Does not regulate commercial collection or sharing of genetic data by DTC (direct-to-consumer) companies.
HIPAA (Health Insurance Portability and Accountability Act)
- Applies only to health providers and insurers.
- 23andMe, as a commercial genetic testing company, is not considered a “covered entity.”
State Breach Notification Laws
- California Civil Code §1798.82 required 23andMe to issue individual notices.
- Users in California received personalized notifications beginning October 12, 2023, with language such as: “The exposed data may include details you provided to 23andMe when creating your profile or participating in DNA Relatives.”
- Attorneys General in New York, Illinois, and Oregon launched inquiries into 23andMe’s delay in reporting and its failure to mitigate foreseeable risks.
FTC Act – Section 5 (Unfair or Deceptive Acts)
- The FTC may act if 23andMe made misleading privacy promises. In particular, the company’s website previously stated: “You are in control of your data.”
- If the DNA Relatives feature created greater exposure than users expected, the FTC could consider this a deceptive omission.
Class-Action Settlements
- Filed in federal courts in California and New York
- Alleged:
  - Inadequate security and password protection
  - Breach of contract
  - Violation of implied confidentiality
  - Failure to warn users of third-party breach risk
- Resulted in a $30M settlement including:
  - $2,500 max reimbursement for direct expenses
  - Three years of credit and identity monitoring
  - Security audits and policy reform commitments
Who Owns Your DNA Data?
23andMe’s Terms of Service grant the company broad rights over user-submitted data. From the November 2023 archived Terms:
“By submitting your sample or genetic information, you grant 23andMe a perpetual, royalty-free, sub-licensable, and transferable license to use your genetic and self-reported information... for purposes including research, product development, and commercial partnerships.”
Key problems:
- No clear opt-out mechanism once genetic data is submitted.
- Data shared with external researchers or pharma companies may be aggregated but remains linked to original consent.
- Users often don’t realize that withdrawal from the platform does not guarantee data deletion from downstream partners.
While California’s CCPA and CPRA provide opt-out and deletion rights, the company can claim legal exemptions related to biomedical research or ongoing contractual obligations.
How 23andMe Responded
- Security Response:
  - Forced password resets beginning October 10
  - Mandated two-step verification in November
  - Disabled certain DNA Relatives functionality during the review
- Transparency & Communication:
  - Blog post on October 6 titled “Addressing Data Security Concerns”
  - FAQ pages and user email notices reiterated: “We believe your account was accessed using a password previously exposed in a third-party data breach.”
- Regulatory Filings:
  - Form 8-K to the SEC (Dec 1, 2023): “We do not believe the threat actor gained access through any breach of our internal systems.”
  - Reports to multiple state AGs with detail on timing, scope, and user impact
- Legal Settlement Terms:
  - No admission of wrongdoing
  - Agreement to update privacy policies and undergo third-party security assessments
  - Support for affected users via identity protection partners (e.g., IDX or Experian)
- Bankruptcy Filing:
  - Chapter 11 protection filed on March 23, 2025
  - Filing cites legal fees exceeding $12M and more than 250,000 active customer cancellations following the breach
Compliance Lessons for Other Companies
- Mandate multi-factor authentication (MFA) proactively, rather than only after a breach forces the issue
- Limit social sharing features or default them to private
- Log access to all sensitive features and build alerting for anomalous behavior
- Use role-based access controls (RBAC) on genetic and personal data
- Draft breach response templates in advance to comply with each state’s notification laws
- Conduct data protection impact assessments (DPIAs) for sensitive categories like health or biometric/genetic data
- Ensure opt-out rights are meaningful and honored, especially under evolving privacy laws
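Two of the lessons above, logging access to sensitive features with alerting on anomalous behavior and limiting social sharing features, can be made concrete against the DNA Relatives cascade described earlier. The code below is an added example, not 23andMe's code: it models relative-profile views as an append-only access log (constructed here, with assumed field names), flags any account that enumerates far more profiles than ordinary browsing would, and enforces a per-account daily cap that bounds how much a single compromised account can harvest. The thresholds are assumptions.

```python
"""Alerting on, and capping, anomalous use of a sensitive sharing feature.

Added example, not 23andMe's code. Models access to a DNA-Relatives-style
feature as an access log of (timestamp, account, viewed_profile) records,
constructed below, and shows two defender controls:
  1. an alert when one account views far more distinct relative profiles in
     an hour than normal browsing would produce, and
  2. a per-account rolling-day cap on distinct profiles, so that K
     compromised accounts can expose at most K * cap profiles.
Field names, account names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log. 'alice' browses a few matches over ten minutes;
# 'mallory' (an account taken over via credential stuffing) walks the whole
# relatives list at machine speed, one profile per second.
ACCESS_LOG = [
    ("2023-06-12T10:00:00Z", "alice", "p101"),
    ("2023-06-12T10:03:00Z", "alice", "p102"),
    ("2023-06-12T10:09:00Z", "alice", "p103"),
] + [("2023-06-12T11:00:%02dZ" % s, "mallory", "p%03d" % (200 + s))
     for s in range(60)]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_enumerators(log, window=timedelta(hours=1), max_profiles=20):
    """Return {account: peak distinct profiles in one window} for accounts
    that viewed more than max_profiles distinct relative profiles inside
    any sliding window of length `window`."""
    by_account = defaultdict(list)
    for ts, account, profile in sorted(log):
        by_account[account].append((_ts(ts), profile))
    flagged = {}
    for account, views in by_account.items():
        start = 0
        for end in range(len(views)):
            while views[end][0] - views[start][0] > window:
                start += 1
            distinct = {p for _, p in views[start:end + 1]}
            if len(distinct) > max_profiles:
                flagged[account] = max(flagged.get(account, 0), len(distinct))
    return flagged


class DailyViewCap:
    """Per-account cap on distinct relative profiles viewable per rolling day.

    Re-viewing a profile already seen today is free; a *new* profile beyond
    the cap is refused. Enforced server-side, this turns one compromised
    account from an unbounded scraper into a bounded one."""

    def __init__(self, cap=25):
        self.cap = cap
        self._seen = defaultdict(deque)  # account -> deque of (ts, profile)

    def allow(self, account, profile, now):
        q = self._seen[account]
        while q and now - q[0][0] > timedelta(days=1):
            q.popleft()  # expire views older than the rolling day
        if any(p == profile for _, p in q):
            return True
        if len(q) >= self.cap:
            return False
        q.append((now, profile))
        return True


def simulate_cap(log, cap=25):
    """Replay the access log through DailyViewCap; return {account: views allowed}."""
    limiter = DailyViewCap(cap)
    allowed = defaultdict(int)
    for ts, account, profile in sorted(log):
        if limiter.allow(account, profile, _ts(ts)):
            allowed[account] += 1
    return dict(allowed)


if __name__ == "__main__":
    print("enumeration alerts:", find_enumerators(ACCESS_LOG))
    print("views allowed under cap:", simulate_cap(ACCESS_LOG))
```

The alert rule is retrospective and feeds incident response; the cap is preventive and changes the arithmetic of a cascade. As an illustration under this assumed cap of 25, the roughly 14,000 credential-stuffed accounts cited above could have reached at most 350,000 relative profiles rather than the 6.9 million actually scraped. The right cap value depends on real usage data for the feature, which is exactly why the access log has to exist before the limit can be set sensibly.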
Conclusion: Privacy, Permanence, and Policy Gaps
The 23andMe breach highlights a convergence of cyber risk, data permanence, and regulatory ambiguity. Genetic data carries unparalleled sensitivity, but the legal safeguards remain inconsistent and incomplete. Companies must architect platforms to limit data exposure, and regulators must close the gap between modern data uses and 20th-century legislation. Until then, breaches like the one at 23andMe will continue to test the limits of consumer trust and corporate accountability.
References and Further Reading
- California Attorney General Notification Letter Archive – oag.ca.gov
- 23andMe Blog: “Addressing Data Security Concerns” – blog.23andme.com
- Congressional Research Service: “Genetic Privacy and Legal Protections in the U.S.” – (2024) - https://www.congress.gov/bill/118th-congress/house-bill/5830/text
- Internet Archive Snapshot of 23andMe Terms of Service (Nov 2023) - https://www.23andme.com/legal/terms-of-service/?srsltid=AfmBOoo_9iehKy01H47AFbhSTytc2QC3tOYjxGIWjx514tD9mEZtYup-