Anatomy of a Breach: 23andMe — When Credential Stuffing Exposed Genetic Data and Family Relationships

> series: anatomy_of_a_breach —— part: 178 —— target: 23andme —— accounts: 6,900,000 —— data: genetic_ancestry_family_relationships

Hedgehog Security 31 October 2023 14 min read

6.9 million users' genetic data. Ancestry. Family connections. DNA is data. And data gets breached.

In October 2023, 23andMe disclosed that attackers had used credential-stuffing — testing reused passwords from other breaches — to access approximately 14,000 customer accounts directly. But the true impact was far larger: the attackers used 23andMe's 'DNA Relatives' feature (which connects users with genetic matches) to scrape the ancestry and relationship data of approximately 6.9 million connected users who had opted in to the feature. The exposed data included ancestry reports, ethnicity percentage estimates, birth years, geographic locations, and family relationship connections.

The stolen data was initially posted on hacking forums — with some listings specifically targeting ethnic groups, raising concerns about the potential for ethnic profiling or discrimination using genetic data. 23andMe subsequently filed for bankruptcy in 2024, and the fate of its genetic database — containing the DNA data of approximately 15 million customers — raised additional concerns about what happens to sensitive genetic data when the company holding it ceases to exist. The breach proved that genetic data — the most personal, permanent, and immutable category of personal data — is subject to the same credential-stuffing vulnerabilities as any other online service.

Genetic data cannot be changed. Once compromised, it is compromised forever.

The Most Immutable Data Category

Passwords can be reset. Credit cards can be reissued. Even biometric data (fingerprints, facial recognition) has limited reuse vectors. But genetic data is permanent, immutable, and shared with biological relatives — a compromise affects not just the individual but their entire family line. The 23andMe breach established genetic data as the ultimate category of irrecoverable personal data.

Credential Stuffing — Collection #1's Legacy Continues

The initial compromise used credential stuffing — reused passwords from <a href="/blog/anatomy-of-a-breach-collection-1">Collection #1</a> and other dumps. MFA would have prevented all 14,000 initial account compromises. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA — the control that protects even when passwords are reused.

Opt-In Feature Amplified the Breach 500x

14,000 directly compromised accounts led to 6.9 million users' data being scraped through the DNA Relatives feature — a 500x amplification. Opt-in social and sharing features can dramatically amplify the impact of credential compromise. Our <a href="/penetration-testing/web-application">application testing</a> assesses how social features amplify breach impact.

What Happens to Data When Companies Die?

23andMe's bankruptcy raised the question: who controls 15 million people's genetic data when the company ceases to exist? For organisations collecting sensitive data, data governance — including plans for data in the event of business failure — is an essential consideration. <a href="/cyber-essentials">Cyber Essentials</a> and GDPR require data minimisation and defined retention policies.

Genetic data demands the highest security for the most permanent data.

The 23andMe breach proved that genetic data — despite being the most sensitive, permanent, and personal category of data — was protected by the same password-based authentication as any other consumer service, and was vulnerable to the same credential-stuffing attacks that have appeared in this series since 2016. Cyber Essentials mandates MFA. Our application testing assesses authentication controls and social feature amplification. SOC in a Box monitors for credential-stuffing patterns. And UK Cyber Defence provides incident response when sensitive data categories are compromised.
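As an added example (not part of the original article, and not 23andMe's or Hedgehog's tooling), here are the two log-side signals a monitoring team would look for in this breach pattern, run over constructed sample events: a source IP spraying a password list across many accounts at the login endpoint, and a taken-over account harvesting DNA Relatives profiles far faster than a person browses them. Thresholds, field layout and the event data are assumptions.

```python
"""Detection heuristics for the two behaviours in the 23andMe breach: a password list sprayed across many
accounts at login, then bulk harvesting of DNA Relatives profiles from the accounts that fell. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events (not real logs): (ISO time, source IP, account, outcome)
LOGINS = [
    ("2023-10-01T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2023-10-01T10:00:03", "203.0.113.7", "bob", "fail"),
    ("2023-10-01T10:00:05", "203.0.113.7", "carol", "success"),  # a reused password worked
    ("2023-10-01T10:00:06", "203.0.113.7", "dave", "fail"),
    ("2023-10-01T10:00:09", "203.0.113.7", "erin", "fail"),
    ("2023-10-01T10:05:00", "198.51.100.2", "alice", "fail"),  # ordinary user, one typo then success
    ("2023-10-01T10:05:20", "198.51.100.2", "alice", "success"),
]
# Constructed relative-profile views: (ISO time, account, relative profile id); 'carol' walks 50 profiles, 'alice' two
RELATIVE_VIEWS = [(f"2023-10-01T10:{m:02d}:00", "carol", f"rel-{m:03d}") for m in range(6, 56)]
RELATIVE_VIEWS += [("2023-10-01T10:10:00", "alice", "rel-900"), ("2023-10-01T10:40:00", "alice", "rel-901")]

def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5, max_success_ratio=0.25):
    """Source IPs that, inside any `window`, try at least `min_accounts` distinct accounts with a low success ratio."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # slide the window over each event as a start point
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            successes = sum(o == "success" for _, _, o in span)
            if len(users) >= min_accounts and successes / len(span) <= max_success_ratio:
                flagged.add(ip)
                break
    return flagged

def scraping_accounts(views, window=timedelta(hours=1), max_profiles=20):
    """Accounts viewing more than `max_profiles` distinct relative profiles in `window`: browsing vs. enumerating."""
    by_user = defaultdict(list)
    for ts, user, rel in views:
        by_user[user].append((datetime.fromisoformat(ts), rel))
    flagged = set()
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {r for t, r in evs[i:] if t - start <= window}
            if len(seen) > max_profiles:
                flagged.add(user)
                break
    return flagged
```

The second detector is the one an MFA gap leaves you needing: once a reused password is accepted, only the account's behaviour on the relatives list distinguishes a harvester from a customer.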


Genetic data cannot be changed. Ever. 23andMe proved even DNA gets breached through reused passwords.

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. <a href="/penetration-testing/web-application">Application testing</a> assesses authentication. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects credential stuffing.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call