
23andMe — credential-stuffing breach

Attackers credential-stuffed 14,000 23andMe accounts, then exploited the DNA Relatives feature to harvest profile data on 6.9 million users including ancestry and health predisposition records.

Target: 23andMe — credential-stuffing breach
Date public: 6 October 2023
Sector: Technology
Attack type: Credential Stuffing
Threat actor: 'Golem' on BreachForums
Severity: High
Region: Global

In late 2023, a hacker broke into roughly 14,000 accounts on 23andMe — the consumer genetics company — by trying usernames and passwords stolen from other breaches until some of them worked. That's a technique called credential stuffing, and it's only possible because people reuse passwords across multiple sites. But 14,000 accounts would normally be a manageable incident. What made this catastrophic was a feature called DNA Relatives. When users opt into this feature, 23andMe shares basic profile information — display name, predicted ancestry, inferred family relationships — with other users it thinks might be related to them. The attackers used the 14,000 compromised accounts to systematically pull in all the data those accounts could see through DNA Relatives. The result was profile data on 6.9 million people who had never had their own accounts touched. The data was then posted for sale on a criminal forum in batches sorted by ancestry — including a specifically labelled list of one million Ashkenazi Jewish profiles and a similar list of Chinese users. The curation by ethnicity drew immediate and sharp condemnation and triggered investigations across multiple countries. 23andMe eventually settled class-action lawsuits for $30 million and subsequently filed for bankruptcy. The incident is the textbook example of how a platform's social-graph sharing defaults can amplify a small breach into a population-scale exposure.

What happened

In October 2023, a threat actor using the handle “Golem” began advertising datasets on BreachForums claiming to contain 23andMe user data. The initial dataset was presented as one million records of users with Ashkenazi Jewish ancestry. Further datasets followed, including a claimed list of profiles for users of Chinese ancestry. The curation of the data by ethnic and racial category was not incidental to the sale; it was the selling point.

23andMe confirmed in October 2023 that the breach had originated from credential stuffing against approximately 14,000 user accounts — roughly 0.1% of its total user base at the time. Credential stuffing uses login credentials leaked in unrelated data breaches at other services, exploiting the reality that a significant proportion of users reuse passwords across multiple accounts. The affected accounts had not enabled 23andMe’s optional two-factor authentication. With those credentials, the attacker gained authenticated access to the accounts as if they were the legitimate users.

The scale of the exposure extended far beyond 14,000 accounts because of how 23andMe’s DNA Relatives feature works. The feature, which users could opt into, used genetic-similarity data to identify likely relatives and shared basic profile information — display names, predicted ancestry, and inferred relationship categories — with other opted-in users in the same predicted family network. The attacker used the 14,000 compromised accounts to systematically harvest all the DNA Relatives data accessible to those accounts: the profiles of every opted-in user connected to any of the 14,000 compromised accounts. The result was data on 6.9 million people — half of 23andMe’s entire user base — from a credential foothold affecting 0.1% of accounts.

23andMe subsequently settled class-action litigation for $30 million. The company filed for bankruptcy in March 2025 and was acquired by a pharmaceutical company. In the months following the initial breach, 23andMe made two-factor authentication mandatory for all users — a control that, had it been required from the outset, would have prevented the credential-stuffing entry entirely.

How it worked

Credential stuffing is mechanically straightforward. Attackers maintain or purchase large datasets of email-and-password pairs assembled from breaches at other services — LinkedIn 2012, Adobe 2013, the billions of credentials available through aggregated breach datasets like Collection #1. They write or acquire automated tooling that systematically tries these pairs against the target service’s login page. For any user who has reused a password from a previously breached service, the attempt succeeds.

23andMe’s login page at the time did not require two-factor authentication, which would require the attacker to also possess the user’s phone or authenticator device in addition to their password. It is not known what rate-limiting or anomaly detection was in place, though the success of the attack against 14,000 accounts implies either that rate-limiting was insufficient to interrupt a systematic campaign or that the attack was conducted at low enough velocity to avoid triggering it.
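The paragraph above notes that a campaign can stay under a naive per-IP rate limit by running slowly. As an added example (not from the incident page and not anything 23andMe ran), here is a detection heuristic that keys on the signal a stuffing campaign cannot hide: many distinct usernames from one source with a low success ratio. The log format, IP addresses and usernames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real 23andMe data); format:
# "<iso timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 walks a stolen credential list: many distinct accounts, few hits,
# about one attempt a minute. 198.51.100.5 is one user mistyping twice.
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2023-10-01T10:01:10 203.0.113.7 bob LOGIN_FAIL
2023-10-01T10:02:15 203.0.113.7 carol LOGIN_FAIL
2023-10-01T10:03:20 203.0.113.7 dave LOGIN_OK
2023-10-01T10:04:30 203.0.113.7 erin LOGIN_FAIL
2023-10-01T10:05:40 203.0.113.7 frank LOGIN_FAIL
2023-10-01T10:06:50 203.0.113.7 grace LOGIN_OK
2023-10-01T10:00:05 198.51.100.5 heidi LOGIN_FAIL
2023-10-01T10:00:20 198.51.100.5 heidi LOGIN_FAIL
2023-10-01T10:00:40 198.51.100.5 heidi LOGIN_OK
"""

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"

def stuffing_sources(text, window=timedelta(minutes=10), min_users=5, max_hit_rate=0.5):
    """Flag source IPs that try >= min_users distinct accounts within any `window`
    with a success ratio <= max_hit_rate. Counting distinct usernames per window,
    rather than requests per second, is what catches a low-velocity campaign
    that stays under a plain per-IP rate limit."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            hits = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and hits / len(span) <= max_hit_rate:
                flagged[ip] = {"attempts": len(span), "distinct_users": len(users), "successes": hits}
                break  # one qualifying window is enough to flag the source
    return flagged
```

A real deployment would also aggregate per ASN or per device fingerprint, since a campaign spread across many source addresses will not trip a single-IP threshold.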

The DNA Relatives exploitation is the technically interesting and consequential part of the incident. Having authenticated access to a 23andMe account gives the session all the permissions that account has within the platform. The DNA Relatives feature was designed to benefit users by connecting them with potential genetic relatives. Its implementation shared profile data programmatically between accounts based on genetic proximity. An attacker with authenticated access to one account can query all the DNA Relatives data visible to that account. With 14,000 accounts, the attacker could systematically enumerate DNA Relatives data across a graph that connected, transitively, to nearly 7 million opted-in users.

The data accessible through this route included: display names, predicted relationship categories (first cousin, second cousin, etc.), predicted ancestry percentages by region, and in some cases location information shared by users in their profiles. The attacker assembled these fields into structured datasets. The subsequent curation by ethnicity — specifically selecting for users with high proportions of Ashkenazi Jewish or East Asian ancestry prediction in their 23andMe profiles — was possible because ancestry-percentage data was included in the shared profile fields.

The posting of ethnicity-curated datasets on a criminal forum had an impact beyond the ordinary privacy harm of a credential breach. Genetic ancestry data combined with name and location is sensitive in a way that most personal-data categories are not: it cannot be changed, it implicates family members who may never have consented to genetic testing, and it creates specific risks for communities with historical reasons to be concerned about the targeting of ethnic or religious populations.

Timeline

  • Unknown date, 2023 — Attacker assembles or purchases credential datasets from prior breaches and begins credential-stuffing campaign against 23andMe.
  • October 2023 — Credential-stuffing achieves successful logins on approximately 14,000 23andMe accounts. Attacker systematically harvests DNA Relatives data accessible to the compromised accounts.
  • 1 October 2023 — Golem posts a dataset of approximately one million profiles claimed to be Ashkenazi Jewish users on BreachForums. An additional dataset, claimed to be profiles of Chinese users, is posted subsequently.
  • 6 October 2023 — 23andMe publicly acknowledges it is investigating the reports. Company confirms credential stuffing as the access mechanism.
  • October–November 2023 — Full scope of 6.9 million affected users established. 23andMe notifies affected users and regulators. Class actions filed in the United States, Canada and United Kingdom.
  • November 2023 — 23andMe announces it is making two-factor authentication mandatory for all users — a policy change that would have prevented the credential-stuffing entry had it been in place from the outset.
  • December 2023 — ICO and Canadian privacy regulators announce joint investigation. EU data protection authorities also open inquiries.
  • 2024 — Settlement negotiations for US class action. UK law firm Pogust Goodhead files group litigation claim on behalf of UK users.
  • September 2024 — 23andMe announces $30 million settlement of US class actions.
  • March 2025 — 23andMe files for bankruptcy protection. Acquisition proceedings begin.

What defenders should learn

The most important defensive lesson from 23andMe is the concept of social-graph blast radius. The credential-stuffing footprint was 14,000 accounts — 0.1% of users. The data exposure was 6.9 million accounts — roughly 50% of users. The fifty-fold amplification came entirely from the design of the DNA Relatives feature. When a platform feature is built to share user data with other users by default, that feature becomes an amplifier for any compromise. The blast radius of a breach is not determined only by the accounts compromised; it is determined by the permissions those accounts hold and the data those permissions expose. Threat-modelling social-graph and data-sharing features for abuse scenarios — including the scenario in which the sharing user’s account is under attacker control — should be a standard part of feature design review, not an afterthought.

The two-factor authentication failure is both simpler and more fundamental. Credential stuffing only works against accounts protected solely by passwords. It is entirely neutralised by any second factor that the attacker does not possess. 23andMe had optional two-factor authentication available; the approximately 14,000 accounts that were compromised had not enabled it. Making two-factor authentication mandatory, or at minimum making it the default-on setting that users must deliberately disable, would have stopped the initial credential-stuffing entry and prevented the downstream 6.9 million user exposure. The company made 2FA mandatory after the breach. It should have been mandatory, or default-enabled, before it.

The breached-password detection control is the complementary measure. Services that check offered passwords against known-compromised datasets — using tools like the Have I Been Pwned API, which allows checking passwords against billions of known-leaked credentials without revealing the candidate password to the checker — can identify and reject credential-stuffing attempts before they succeed, or at minimum flag affected accounts for remediation. 23andMe’s failure to deploy this control meant the credential-stuffing campaign could proceed against the pool of users who had reused passwords from prior breaches.
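The "without revealing the candidate password" property above is the k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix for that prefix, and matches locally. The following is an added example of that client-side logic, not code from 23andMe or from Have I Been Pwned; the HTTP call is replaced by a constructed stand-in with made-up counts so it runs offline.

```python
import hashlib

# Constructed stand-in for the HTTP call so the example runs offline. The body
# mimics the range-response format ("SUFFIX:COUNT" per line); the first suffix is
# the genuine SHA-1 tail of "password", the counts are made up.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FFF:2\r\n",
}

def fake_fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGES.get(prefix, "")

def split_sha1(password):
    """Uppercase SHA-1 of the password, split into the 5-hex-char prefix that is
    sent to the range endpoint and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Map each returned suffix to its breach count."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix] = int(count)
    return counts

def breach_count(password, fetch_range=fake_fetch_range):
    """Number of times the password appears in the breach corpus. Only the hash
    prefix is sent; the checker learns neither the password nor its full hash,
    and the suffix match is done locally (k-anonymity)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_decision(password, fetch_range=fake_fetch_range):
    """Policy a signup or password-change handler could apply: refuse any
    password already present in a breach, so it cannot later be stuffed."""
    n = breach_count(password, fetch_range)
    return ("reject", n) if n else ("accept", 0)
```

Running the same check at login time against existing accounts (flagging rather than rejecting, and forcing a reset plus 2FA enrolment) covers the users who registered before the control existed.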

The ethnicity-curation aspect raises a design question that goes beyond access controls: should a consumer genetics platform expose ancestry-percentage data through a feature designed for relationship discovery? The DNA Relatives feature’s design goal was to help users find relatives; the ancestry data was incidental but technically exposed through the same API. Separating what data needs to be shared to enable the relationship-discovery use case from what additional data fields happen to be accessible through the same interface is a data-minimisation question that the 23andMe design process apparently did not adequately resolve. The principle is the same as the general one: features should expose the minimum data required to achieve their purpose, and no more.

Finally, 23andMe’s bankruptcy is a reminder that the financial consequences of a major breach — litigation, regulatory fines, remediation costs, reputational damage affecting subscriber retention — can be existential for even a sizable, publicly listed company. The cost of the defensive controls that would have prevented the breach (mandatory 2FA and breached-password detection) is, in any analysis, orders of magnitude less than the cost of the $30 million settlement, the regulatory penalties, and the company value destroyed in the subsequent decline.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources
