

Learn how attackers compromised a genetic testing platform and what your security team can do differently.
• Attackers used credential stuffing with passwords leaked in earlier breaches and traded on dark web forums, then used the DNA Relatives feature to reach millions more profiles
• The campaign ran undetected for roughly five months; 23andMe did not screen logins against passwords already exposed in other breaches
• Exposed genetic data reveals health predispositions and family relationships, and there is no way to undo the exposure
• 23andMe later filed for bankruptcy, raising the question of what happens to genetic data when a breached company fails
You can change a stolen password. You cannot change your DNA. The 23andMe data breach exposed genetic profiles belonging to nearly 7 million users. Attackers did not need to exploit any vulnerability in the company's systems. They used passwords stolen in other breaches to log into user accounts.
The breach unfolded over five months in 2023. Attackers accessed accounts using credentials from previous data breaches. A single compromised account could expose hundreds of genetic relatives who never had their own passwords stolen.
23andMe didn’t detect the attack until stolen data appeared for sale on dark web forums.
This case study examines what went wrong and the practical lessons for security teams protecting sensitive customer data.
Understanding the full scope of the breach requires looking at how attackers exploited password reuse to reach one of the most sensitive types of personal data.
Credential stuffing is an attack where criminals use stolen username and password combinations from previous breaches to access accounts on other services. The attack succeeds when users reuse the same password across multiple sites. Attackers automate login attempts using lists of millions of credentials purchased from dark web marketplaces.
The breach occurred between April and September 2023. Attackers used credentials from previous data breaches to log into 23andMe accounts. When a stolen password matched, they gained full access to that user’s genetic profile.
23andMe only discovered the breach in October 2023 when stolen data appeared for sale on BreachForums. An attacker using the handle “Golem” offered genetic profiles for $1 to $10 per record.
According to 23andMe’s SEC filing from December 2023, approximately 14,000 accounts were directly compromised through credential stuffing. The DNA Relatives feature then exposed an additional 5.5 million profiles. The Family Tree feature exposed 1.4 million more.
The attack combined two factors: stolen credentials from dark web sources and a platform feature that amplified access beyond individual accounts. Attackers didn’t need to breach 23andMe’s systems directly. They logged in as legitimate users using passwords those users had reused elsewhere.
The credentials used in this attack came from dark web combo lists. These are compilations of usernames and passwords leaked in previous breaches.
Attackers purchase these combo lists from criminal marketplaces. They then automate login attempts against target services. When a password matches, they gain access without needing to compromise any systems.
23andMe didn’t require multi-factor authentication. A correct password was enough to access an account. This created a single point of failure that attackers exploited systematically.
The breach's true scale came from a feature design that lacked compensating controls. 23andMe's DNA Relatives feature lets users discover and connect with genetic relatives. When attackers accessed a single account, they could view the profile information of everyone that user was matched with.
This created a multiplier effect. Compromising 14,000 accounts exposed data belonging to nearly 7 million people. Users who never had their passwords stolen still had their genetic profiles exposed because a relative’s account was compromised.
The feature existed to help users find family connections. Attackers exploited it to extract data at scale. One compromised account could expose hundreds of genetic relatives who had opted into the sharing feature.
Genetic data includes information derived from DNA analysis. This covers ancestry composition, health predispositions, carrier status for inherited conditions, and biological family relationships. Unlike other personal data, genetic information is permanent and implicates relatives who share portions of the same DNA sequence.
When attackers steal your password, you change it. When they steal your credit card, you get a new one. When they steal your DNA data, you cannot change your genome.
The exposed data included ancestry composition, health predispositions, carrier status and biological family relationships. Health conditions revealed through genetic testing could affect insurance eligibility or employment. Family relationships exposed could reveal adoptions or unknown parentage.
The breach also affected people whose own accounts were never touched. If a relative opted into sharing features, the information about them shown in a compromised user's relatives list was exposed, and because relatives share DNA, a tested relative's results also reveal information about family members who never took a test. Neither group had any control over this exposure.
The attack succeeded because of weak authentication controls and inadequate monitoring. Both failures were preventable with standard security practices.
23andMe made several security decisions that enabled the attack. Multi-factor authentication was optional, and most users did not enable it because nothing required them to.
The company did not screen login attempts against known compromised credentials. Compromised credential monitoring would have flagged accounts whose passwords appeared in dark web combo lists; those accounts could have been locked or forced through a password reset.
Password requirements were weak. Users could set passwords that had already been exposed in previous breaches. Without screening against known leaked passwords, the company had no way to identify at-risk accounts before attackers tried them.
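The screening the two paragraphs above describe can be done without ever sending a user's password, or even its full hash, to a third-party service. The following is an added example, not 23andMe's code: it implements the k-anonymity range lookup scheme used by the Pwned Passwords API against a constructed offline stand-in for the service (FakeRangeServer and the breach corpus are both invented for the example), and shows the two places the check belongs, password set/change and login with a correct but known-leaked password.

```python
"""Breached-password screening via k-anonymity range lookups.

Added example (not 23andMe's code). It reproduces the lookup scheme used
by the Pwned Passwords range API: the client hashes the password with
SHA-1, sends only the first five hex characters, receives every suffix
the service knows for that prefix, and matches locally, so the full
hash never leaves the client. FakeRangeServer and the breach corpus are
constructed stand-ins so the example runs offline.
"""
import hashlib
from collections import defaultdict

# Constructed corpus: plaintext passwords and the number of times each was
# seen in leaks. A real corpus is hash-only and holds hundreds of millions
# of entries; the server below indexes it the same way.
CONSTRUCTED_BREACH_CORPUS = {
    "password123": 1_234_567,
    "qwerty": 3_912_816,
    "Summer2023!": 4_210,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Offline stand-in for GET /range/<prefix>: answers 'SUFFIX:COUNT'
    lines for every breached hash sharing the 5-character prefix."""

    def __init__(self, corpus: dict):
        self._by_prefix = defaultdict(list)
        for password, count in corpus.items():
            digest = sha1_hex(password)
            self._by_prefix[digest[:5]].append(f"{digest[5:]}:{count}")

    def range(self, prefix: str) -> str:
        if len(prefix) != 5 or not set(prefix) <= HEX:
            raise ValueError("prefix must be exactly 5 upper-case hex chars")
        return "\r\n".join(self._by_prefix.get(prefix, []))


def breach_count(password: str, server: FakeRangeServer) -> int:
    """How many times `password` appears in the corpus (0 = never seen).
    Only the prefix is sent; the suffix comparison happens client-side."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server.range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def password_decision(password: str, server: FakeRangeServer, at_login: bool = False) -> str:
    """Policy hook. On set/change: reject a breached password outright.
    On login (the password is correct but known-leaked): force a reset,
    which is the check the article says was missing."""
    seen = breach_count(password, server)
    if seen == 0:
        return "accept"
    if at_login:
        return f"force_reset (seen {seen:,} times in breach corpora)"
    return f"reject (seen {seen:,} times in breach corpora)"


if __name__ == "__main__":
    srv = FakeRangeServer(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password123", "correct-horse-battery-staple-7Q!"):
        print(pw, "->", password_decision(pw, srv),
              "| at login:", password_decision(pw, srv, at_login=True))
```

The login-time branch is the one that matters for a stuffing campaign already under way: the attacker has the correct password, so the only signal left is that this password is known to be in circulation, and the right response is to complete the login only after a reset (and, ideally, a second factor).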
The five-month detection gap points to fundamental monitoring failures. 23andMe did not detect the attack through its own security systems. It learned of it when stolen data appeared on criminal forums.
Effective breach detection requires watching for anomalous login activity. Credential stuffing produces a high volume of failed logins spread across many different accounts, typically from automated clients rotating through proxy IP addresses. A burst of failures against many distinct usernames followed by successful authentications from unfamiliar locations should trigger alerts.
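The pattern described above is detectable from ordinary authentication logs. The following is an added example, not 23andMe's tooling, run over a constructed log: the line format (timestamp, source IP, username, result, country) and the account geo history are assumptions standing in for whatever an identity provider or web tier actually emits.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not 23andMe's tooling. The log lines and the field layout
(timestamp, source IP, username, result, country) are constructed; real
deployments would read the equivalent fields from their IdP or web logs.
Two signals from the text are scored: one source IP failing against many
DISTINCT usernames inside a short window (stuffing tries each leaked pair
once, unlike brute force against a single account), and a successful login
from a flagged source or from a country the account has never used.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # sliding window per source IP
DISTINCT_USER_THRESHOLD = 5         # distinct usernames failing in WINDOW

# Constructed sample log: 203.0.113.7 sprays leaked pairs and lands one;
# heidi mistypes once from a normal address; ivan logs in from a new country.
CONSTRUCTED_LOG = """\
2023-05-01T02:00:01Z 203.0.113.7 alice FAIL BR
2023-05-01T02:00:03Z 203.0.113.7 bob FAIL BR
2023-05-01T02:00:04Z 198.51.100.4 heidi FAIL US
2023-05-01T02:00:05Z 203.0.113.7 carol FAIL BR
2023-05-01T02:00:06Z 203.0.113.7 dave FAIL BR
2023-05-01T02:00:09Z 198.51.100.4 heidi SUCCESS US
2023-05-01T02:00:10Z 203.0.113.7 erin FAIL BR
2023-05-01T02:00:12Z 203.0.113.7 grace SUCCESS BR
2023-05-01T02:00:15Z 192.0.2.9 ivan SUCCESS DE
"""

# Constructed account history: countries seen on prior successful logins.
KNOWN_GEO = {"heidi": {"US"}, "grace": {"US"}, "ivan": {"US"}}


def parse_line(line: str):
    ts, ip, user, result, geo = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result, geo


def detect(log_text: str, known_geo: dict) -> list:
    """Return alert strings in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # ip -> deque of (ts, user) within WINDOW
    stuffing_ips = set()
    for raw in log_text.strip().splitlines():
        ts, ip, user, result, geo = parse_line(raw)
        window = recent_fails[ip]
        while window and ts - window[0][0] > WINDOW:   # expire old failures
            window.popleft()
        if result == "FAIL":
            window.append((ts, user))
            distinct = {u for _, u in window}
            if len(distinct) >= DISTINCT_USER_THRESHOLD and ip not in stuffing_ips:
                stuffing_ips.add(ip)
                alerts.append(f"STUFFING {ip}: {len(distinct)} distinct users failed "
                              f"within {int(WINDOW.total_seconds())}s")
        elif result == "SUCCESS":
            if ip in stuffing_ips:
                # A hit from a spraying source is the highest-confidence signal.
                alerts.append(f"COMPROMISE {user}: success from stuffing source {ip}")
            elif geo not in known_geo.get(user, set()):
                alerts.append(f"NEW_GEO {user}: success from {geo} via {ip}, "
                              f"prior geos {sorted(known_geo.get(user, set()))}")
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG, KNOWN_GEO):
        print(alert)
```

Counting distinct usernames rather than raw failures is what separates stuffing from a user mistyping a password three times. Real campaigns rotate through residential proxy pools so that each IP stays under any per-source threshold, so this per-IP rule should be paired with a global baseline (failed logins per minute across all accounts against the normal rate) and with the breached-password screening described earlier.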
The joint investigation by the UK Information Commissioner's Office and the Office of the Privacy Commissioner of Canada found that 23andMe lacked the controls described above: mandatory multi-factor authentication, screening of passwords against known breaches, and monitoring for unusual login activity.
Users whose accounts were compromised had no indication anything was wrong until 23andMe disclosed the breach months later.
The breach triggered regulatory fines and a class action settlement. It also contributed to the company’s eventual bankruptcy.
The UK Information Commissioner's Office fined 23andMe £2.31 million (approximately $3 million) in June 2025 for failing to protect UK users' genetic data.
The ICO investigation confirmed the security failures detailed above.
The joint Canadian investigation reached similar conclusions. Regulators emphasized that organizations handling sensitive genetic data must implement security measures proportionate to the sensitivity of the information.
23andMe agreed to a $30 million class action settlement in September 2024. The settlement covered affected users who filed claims for exposure of their genetic data.
As bankruptcy proceedings unfolded, the settlement structure evolved. Over 250,000 valid claims were filed by affected users seeking compensation for the exposure of their genetic information.
23andMe filed for Chapter 11 bankruptcy in March 2025. The company was already struggling financially before the breach. Legal costs and settlements made it worse.
The subsequent sale of the company's assets in bankruptcy raised questions about genetic data ownership. State attorneys general sued to block the transfer, arguing users should control what happens to their DNA data.
The breach offers lessons for any organization handling sensitive user data. Prevention starts with credential monitoring and mandatory MFA.
The 23andMe breach was preventable. Dark web monitoring can detect when user credentials appear in stealer logs, combo lists and third-party breach dumps, giving defenders a chance to act before attackers use them.
If 23andMe had monitored for compromised credentials, it could have forced password resets on exposed accounts and blocked logins that used leaked passwords before the stuffing campaign succeeded.
Credential stuffing prevention starts with knowing which credentials are already exposed. Security teams should monitor the dark web sources where attackers buy combo lists. When your users' credentials appear there, you can act before stuffing attacks succeed.
The Verizon 2025 Data Breach Investigations Report found that 22% of breaches involved credential abuse as the initial access vector, and its analysis of infostealer logs found corporate logins mixed in with personal credentials on a large share of compromised devices. The password reuse problem affects every organization.
23andMe made MFA optional. Users did not enable it because people generally do not take optional security steps. The breach showed why security controls for sensitive data cannot be opt-in.
After the breach, 23andMe made MFA mandatory for all users. Regulators now expect genetic testing platforms to require MFA as a baseline control.
The lesson applies broadly. If you handle sensitive data, assume users won’t protect themselves. Make strong authentication mandatory, not optional. Don’t rely on users to enable security features.
The DNA Relatives feature created a large blast radius. One compromised account could expose hundreds of genetic profiles, and 14,000 accounts exposed millions. This is the opposite of least privilege: each account could read far more data than its owner needed at any one time.
Security teams should evaluate data sharing features for amplification risk. Ask: if one account is compromised, how much additional data does the attacker gain access to? Features that expose other users’ data through a single compromise need additional protections.
Consider requiring re-authentication for sensitive operations. Limit how much data any single account can access at once. Implement rate limiting on data exports. Design features assuming some accounts will be compromised.
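The review question in the paragraphs above (if one account is compromised, how much additional data does the attacker reach?) can be answered with numbers before a feature ships. The following is an added example, not 23andMe's code: the opt-in sharing graph and account names are constructed, and the read cap stands in for the per-account export limit the text recommends.

```python
"""Blast-radius analysis for an opt-in data-sharing feature.

Added example, not 23andMe's code. The sharing graph is constructed: a
directed edge A -> B means account A, once opted in, can read B's shared
profile. compromised_exposure() answers the review question in the text
(one account compromised: how many other users' records does the attacker
now reach?) and shows how a per-account read cap bounds the damage.
"""

# Constructed opt-in graph. 'a' and 'e' are heavily connected hubs; the rest
# see only one or two relatives.
CONSTRUCTED_GRAPH = {
    "a": {"b", "c", "d", "e"},
    "b": {"a", "f"},
    "c": {"a", "g", "h"},
    "d": {"a"},
    "e": {"a", "i", "j", "k"},
    "f": {"b"}, "g": {"c"}, "h": {"c"},
    "i": {"e"}, "j": {"e"}, "k": {"e"},
}


def compromised_exposure(graph: dict, compromised: set, read_cap=None) -> set:
    """Profiles an attacker holding `compromised` accounts can read.

    One hop only: the attacker sees what each compromised account is
    entitled to see, not what those relatives in turn can see.
    read_cap models a per-account limit on profile reads (a rate limit on
    exports); None means unlimited. Sorting makes the capped subset
    deterministic for the example; a real limit is first-come per window.
    """
    exposed = set(compromised)  # the compromised users' own profiles
    for acct in compromised:
        visible = graph.get(acct, set())
        if read_cap is not None:
            visible = set(sorted(visible)[:read_cap])
        exposed |= visible
    return exposed


def amplification(graph: dict, compromised: set, read_cap=None) -> float:
    """Records reached per compromised account (1.0 = no amplification)."""
    return len(compromised_exposure(graph, compromised, read_cap)) / len(compromised)


def worst_single_account(graph: dict) -> tuple:
    """The review metric: the account whose compromise alone exposes the most
    other users, and how many. These are the candidates for re-authentication
    or tighter caps."""
    acct = max(graph, key=lambda a: len(graph[a]))
    return acct, len(graph[acct])


if __name__ == "__main__":
    stolen = {"a", "e"}
    print("worst single account:", worst_single_account(CONSTRUCTED_GRAPH))
    for cap in (None, 2):
        hit = compromised_exposure(CONSTRUCTED_GRAPH, stolen, cap)
        print(f"cap={cap}: {len(stolen)} accounts -> {len(hit)} profiles "
              f"({amplification(CONSTRUCTED_GRAPH, stolen, cap):.1f}x)")
```

On the constructed graph two stolen accounts reach eight profiles (4x amplification); a cap of two reads per account brings that to five. The same computation on a production sharing graph gives the number to put in a threat model, and tracking the worst single account over time shows when a feature change has quietly widened the blast radius.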
The 23andMe data breach demonstrates how credential stuffing can expose the most sensitive personal data. Attackers used passwords from previous breaches to access accounts directly. The DNA Relatives feature then amplified the damage by exposing millions of genetic profiles.
Key lessons for security teams:
• Monitor dark web sources for your users' compromised credentials and screen passwords against known breaches
• Make MFA mandatory for sensitive data rather than opt-in
• Evaluate and limit the blast radius of features that expose other users' data through a single account
Monitoring dark web combo lists would have detected the reused credentials before attackers exploited them. If 23andMe had screened login attempts against known compromised passwords, they could have blocked accounts using exposed credentials. Dark web monitoring enables forced password resets before stuffing attacks succeed.
23andMe lacked effective monitoring for suspicious login activity. The company didn’t limit failed login attempts or check passwords against known breaches. Users had no way to see when their accounts were accessed. The attack ran undetected from April through September 2023.
Unlike passwords or credit cards, you can’t change your DNA. Once genetic data is exposed, it’s out there forever. It also implicates biological relatives who never used the service. This makes prevention critical since there’s no way to undo the damage.
Credential-based attacks like this threaten every organization, regardless of what data it protects. Compromised credential monitoring can detect exposed passwords before attackers use them.
23andMe's assets were sold to TTAM Research Institute for $305 million in June 2025. Twenty-seven states sued to block the sale of genetic data without user consent. The bankruptcy raised concerns about what happens to sensitive data when breached companies fail. Users can request data deletion, but the case highlights why breach prevention matters more than post-breach remediation.
