Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Case File 04.23M / 23andMe Holding Co. | Disclosed 6 Oct 2023

Case ID

23andMe 2023: 6.9M genetic profiles from 14,000 reused passwords.

Between April and September 2023 an attacker used credential stuffing, logging in with username and password pairs leaked from unrelated breaches, to access approximately 14,000 23andMe accounts. Because those accounts opted into the DNA Relatives and Family Tree features, the intrusion cascaded to the profile data of approximately 6.9 million users. The genetic-testing firm settled US litigation for $30 million (later proposed at $50 million), drew a £2.31 million UK ICO fine, and filed for Chapter 11 bankruptcy in March 2025.

Profiles exposed: 6.9M (via 14,000 stuffed accounts)

US settlement: $30M (revised proposal $50M, 2025)

UK ICO fine: £2.31M (reduced from the £4.59M notice of intent)

Aftermath: Chapter 11 (bankruptcy filed Mar 2025)

Section 23M.1

How 14,000 accounts became 6.9 million

Credential stuffing is the practice of taking username and password pairs leaked from one company's breach and replaying them against another service, betting that a fraction of users reuse the same password everywhere. Between April and September 2023 an attacker ran a credential-stuffing campaign against 23andMe and successfully logged into approximately 14,000 accounts where the password had been reused.
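The pattern described above has a detectable signature from the defender's side: one source trying many distinct usernames in a short window, with the great majority failing. The following is an added example, not 23andMe's code or logs, that runs that check over a few constructed authentication log lines and lists the accounts that succeeded from a flagged source so they can be pushed through a forced reset and MFA enrolment. The log format, window and thresholds are assumptions for the illustration.

```python
"""Credential-stuffing detector over authentication logs (added example).

Flags a source IP when, inside a sliding time window, it attempts many
distinct usernames and most of those attempts fail. Accounts that
succeeded from such a source are reported for forced reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-05-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2023-05-01T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2023-05-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-05-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2023-05-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2023-05-01T10:00:05Z 203.0.113.7 heidi@example.com SUCCESS
2023-05-01T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2023-05-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2023-05-01T10:01:00Z 198.51.100.9 alice@example.com FAIL
2023-05-01T10:01:30Z 198.51.100.9 alice@example.com SUCCESS
2023-05-01T10:02:00Z 192.0.2.44 bob@example.com SUCCESS
"""

# Tuning assumptions; production thresholds come from baseline traffic.
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_USERS = 8
MIN_FAILURE_RATIO = 0.7


def parse_log(text):
    """Parse the constructed format into sorted (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort()
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: stats} for every source that meets the stuffing signature.

    A source is flagged if any window of `window` length contains at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.
    Stats for a flagged source are then totalled over all of its events.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        j = 0
        for i in range(len(evs)):
            j = max(j, i)
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            win = evs[i:j]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    "failures": sum(1 for e in evs if e[3] == "FAIL"),
                    # Valid credentials the source now holds: force a reset.
                    "successful_accounts": sorted(e[2] for e in evs if e[3] == "SUCCESS"),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The single user on 198.51.100.9 who mistyped once and then logged in is not flagged; the source that walked ten different usernames with eight failures is, and its two successes are exactly the accounts an analyst would want reset before the attacker can use them.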

The reason 14,000 compromised accounts produced a 6.9 million record exposure is the design of 23andMe's social features. The DNA Relatives feature, when opted into, lets a user see profile information for genetic relatives in the database. 23andMe's December 2023 SEC disclosure attributed approximately 5.5 million additional profiles to DNA Relatives access and approximately 1.4 million more to the Family Tree feature, bringing the total to approximately 6.9 million affected users. The exposed fields varied but included names, birth years, self-reported location, profile photos, ancestry-composition and ethnicity estimates, family-tree relationships, and in some cases health-report information.

23andMe confirmed the breach publicly on 6 October 2023 after a threat actor advertised stolen data on a hacking forum. Datasets were specifically curated and offered for sale targeting people of Ashkenazi Jewish and Chinese descent, priced from $1 to $10 per individual record. The curation of records by ethnicity for sale is what elevated the breach from a routine credential-stuffing incident to a widely condemned event with civil-rights overtones.

Section 23M.2

The cost composition

Cost line item | Amount | Source
US class-action settlement (initial) | $30M | Preliminary approval, US District Court, Dec 2024
US class-action settlement (revised proposal) | $50M proposed | Bankruptcy-court motion, 2025 (reported)
UK ICO monetary penalty | £2.31M | ICO penalty notice, 17 June 2025
Canadian class settlement (proposed) | $3.25M (CAD 4.49M) | Reported bankruptcy-court filing, 2025
California AG civil enforcement | Sought, amount TBD | California DOJ press release, suit filed 2026
Incident response, legal, credit monitoring | Undisclosed | Folded into operating losses pre-bankruptcy
Reference outcome: company sold out of bankruptcy | $305M sale | Reported July 2025 acquisition by Wojcicki-led nonprofit

23andMe's breach cost is unusually hard to total because the company entered Chapter 11 bankruptcy in March 2025 before all settlements were finalised. The original $30 million US settlement received preliminary court approval in December 2024; the company later proposed increasing it to $50 million after more than 250,000 valid claims were filed. These figures are reported settlement amounts rather than final court-approved disbursements, and should be read as "proposed" or "preliminarily approved" rather than fully settled.

Section 23M.3

The £2.31M UK ICO fine

On 17 June 2025 the UK Information Commissioner's Office announced a £2.31 million penalty against 23andMe for failing to protect the personal information of UK users. The ICO found that the breach affected 155,592 UK residents and that 23andMe lacked adequate authentication and verification controls, with no additional security step required for users to access or download raw genetic data. The investigation, conducted jointly with Canada's privacy regulator, concluded the company's security measures were inadequate for data as sensitive as genetic information.

The final £2.31 million figure was a reduction from the ICO's provisional notice of intent, which had proposed £4.59 million in March 2025. The ICO cited 23andMe's administration and financial status as a significant factor in reducing the penalty, a recurring pattern where regulators scale fines to a distressed company's ability to pay. The penalty notice was notable for focusing on areas of cyber security not always emphasised in ICO actions, including the absence of mandatory multi-factor authentication and the lack of a robust response to early indicators of the attack.

Section 23M.4

Bankruptcy, sale, and the California suit

23andMe filed for Chapter 11 bankruptcy protection in March 2025. The breach was not the sole cause; the company had struggled with a declining one-time-test business model and a falling share price for years. But the breach litigation, the regulatory exposure, and the reputational damage to a brand built entirely on trusted custody of the most sensitive data category possible accelerated the decline. In July 2025 the company was reported to have been purchased for $305 million by a nonprofit organisation led by former chief executive Anne Wojcicki.

The California Attorney General subsequently filed suit against the successor entity (operating as Chrome Holding Co.) over the 2023 breach, alleging the company failed to implement reasonable security to prevent and detect credential stuffing, ignored warnings that its systems had been compromised, and made misleading statements. The California complaint cites 855,541 affected Californians and characterises the attacker as having operated undetected in 23andMe's systems for five months. The case underscores that bankruptcy and sale do not extinguish state-AG enforcement exposure, and that the breach's cost continued to accrue against the successor entity well after the original company ceased to exist in its prior form.

Section 23M.5

Lessons: reused passwords and the genetic-data multiplier

The 23andMe breach is the canonical credential-stuffing case study for three reasons. First, the attack required no software vulnerability in 23andMe at all; the attacker simply logged in with valid credentials that users had reused from elsewhere. The single most effective control, mandatory multi-factor authentication, would have stopped almost the entire campaign at the login step. 23andMe made MFA mandatory only after the breach.

Second, the 14,000-to-6.9-million multiplier shows how social and relationship features turn a small account compromise into a mass-exposure event. Any design that lets one authenticated user pull data about other users is a force multiplier for credential stuffing, and the blast radius must be modelled against the worst case rather than the per-account case. Third, the breach demonstrated that genetic and ethnicity data carries a distinct harm profile: it cannot be reset like a password, it implicates relatives who never consented, and it can be curated for targeting of ethnic groups. For genomic and health-data custodians, the case has become the reference point for why authentication, MFA enforcement, and feature-level data minimisation are not optional.
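The multiplier described in Section 23M.1 and in the second lesson above can be modelled directly. The following is an added example, not 23andMe's code or data: it treats DNA Relatives as one-hop visibility between opted-in users and Family Tree as two-hop visibility (a simplifying assumption about both features), then compares the per-account count of a compromise with the worst-case reachable set. The synthetic graph, opt-in rate and match counts are constructed for the illustration.

```python
"""Blast-radius model for relationship features (added example).

Models visibility through a relatives graph: a compromised account
exposes itself, its opted-in one-hop matches (DNA Relatives) and, with
hops=2, their opted-in matches (Family Tree, as assumed here).
"""
import random
from collections import deque


def build_synthetic_graph(n_users=2000, avg_matches=30, opt_in_rate=0.8, seed=23):
    """Constructed relatives graph: undirected adjacency sets plus opt-in flags."""
    rng = random.Random(seed)
    opted_in = {u: rng.random() < opt_in_rate for u in range(n_users)}
    adj = {u: set() for u in range(n_users)}
    for u in range(n_users):
        # Each user initiates ~half of its matches; the rest arrive from others.
        for v in rng.sample(range(n_users), avg_matches // 2):
            if v != u:
                adj[u].add(v)
                adj[v].add(u)
    return adj, opted_in


def exposed_profiles(adj, opted_in, compromised, hops):
    """Profiles readable by someone holding `compromised` accounts.

    Visibility flows only between opted-in users: an account that never
    opted in exposes nothing beyond itself, and an opted-out relative is
    never reached. The compromised accounts themselves are always exposed.
    """
    exposed = set(compromised)
    seen = {u for u in compromised if opted_in[u]}
    frontier = deque((u, 0) for u in seen)
    while frontier:
        u, depth = frontier.popleft()
        if depth == hops:
            continue
        for v in adj[u]:
            if opted_in[v] and v not in seen:
                seen.add(v)
                exposed.add(v)
                frontier.append((v, depth + 1))
    return exposed


def blast_radius_report(adj, opted_in, compromised):
    """Per-account view versus worst-case reachable exposure."""
    relatives = exposed_profiles(adj, opted_in, compromised, hops=1)
    tree = exposed_profiles(adj, opted_in, compromised, hops=2)
    return {
        "compromised_accounts": len(compromised),
        "exposed_1hop": len(relatives),
        "exposed_2hop": len(tree),
        "multiplier": len(tree) / len(compromised),
    }


# Small hand-built graph for a checkable walk-through (constructed):
# 0-1, 0-2, 1-3, 2-4, 4-5; user 2 never opted in, so it blocks the 4/5 branch.
TINY_EDGES = [(0, 1), (0, 2), (1, 3), (2, 4), (4, 5)]
TINY_OPT_IN = {0: True, 1: True, 2: False, 3: True, 4: True, 5: True}
TINY_ADJ = {u: set() for u in TINY_OPT_IN}
for a, b in TINY_EDGES:
    TINY_ADJ[a].add(b)
    TINY_ADJ[b].add(a)


if __name__ == "__main__":
    print("tiny graph, account 0 compromised:",
          blast_radius_report(TINY_ADJ, TINY_OPT_IN, {0}))
    adj, opted = build_synthetic_graph()
    stolen = set(random.Random(7).sample(range(len(adj)), 20))
    print("synthetic graph, 20 accounts compromised:",
          blast_radius_report(adj, opted, stolen))
```

On the synthetic graph twenty stuffed accounts reach a large fraction of every opted-in profile within two hops, which is the point of the lesson: the number to put in the threat model is the size of that reachable set, not the number of credentials the attacker holds. The same function also shows where feature-level minimisation bites, since lowering the opt-in rate or the hop depth shrinks the exposed set without touching the login path.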


Primary source: 23andMe 2023 breach data from 23andMe SEC disclosure December 2023, UK ICO penalty notice 17 June 2025, California Attorney General press release and complaint, reported US and Canadian class-action settlement filings, and contemporaneous reporting on the March 2025 Chapter 11 bankruptcy and July 2025 sale. Settlement figures are reported or proposed amounts and were not all final at time of writing (verified 13 June 2026).