In October 2023, 23andMe confirmed that a hacker had accessed the genetic profiles of nearly 7 million people through a months-long credential stuffing attack. The information exposed was unlike anything seen in previous data breaches: not just names and email addresses, but DNA ancestry results, ethnicity estimates, health predisposition reports, and family tree connections. For many users, the information exposed cannot be changed the way a password or credit card number can.
The story did not end with a settlement and a security overhaul. In March 2025, 23andMe filed for bankruptcy, triggering a separate crisis over what would happen to the genetic data of more than 15 million customers. The two events together make this one of the most consequential data incidents in recent memory.

How the 2023 Breach Happened
The breach began not with a hack of 23andMe’s own systems, but with stolen credentials from other services. Starting on April 29, 2023, and continuing for approximately five months, a threat actor fed usernames and passwords from previously breached websites into 23andMe’s login page until matches were found. This technique, called credential stuffing, works because many people reuse the same password across multiple services, a habit our own research into password practices confirmed.
23andMe did not require two-factor authentication at the time (it was available but optional), and its password policy required a minimum of only eight characters with minimal complexity requirements. The company’s detection systems also failed to flag the sustained, large-scale login attempts as suspicious. In July 2023, 23andMe investigated an unusual spike of 400 attempted profile transfers but dismissed it as an isolated incident rather than recognizing it as part of a broader attack.
In August 2023, a claim posted to Reddit alleging that over 10 million user records had been stolen was dismissed by 23andMe as a hoax. It was not a hoax. A second wave of intensive credential stuffing followed in September. The company did not begin a full investigation until October 2023, when an employee discovered that stolen data had been advertised for sale on Reddit.
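The detection failure described above is easy to make concrete. The Python below is an added illustration, not code from 23andMe or from the investigators, and runs two simple credential-stuffing signals over a constructed authentication log: a per-source check (one IP trying many distinct usernames with a success ratio near zero) and a platform-wide check (how many distinct usernames were attempted in any ten-minute window, which still fires when the attacker rotates proxies). The log format, the IP addresses, the thresholds and the 1 percent hit rate are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 50     # assumption: 50+ different accounts from one IP in 10 min is automation
MAX_SUCCESS_RATIO = 0.05    # assumption: stuffing succeeds on only a few percent of pairs


def build_sample_log():
    """Constructed auth log, one event per line: 'ISO-timestamp source-ip username OK|FAIL'."""
    base = datetime(2023, 4, 29, 10, 0, 0)
    lines = []
    # One ordinary user (assumed IP) mistyping twice, then logging in.
    for i, outcome in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 carol@example.com {outcome}")
    # One stuffing source (assumed IP) trying 300 leaked pairs at 2 s intervals; 1 % of them work.
    for i in range(300):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        outcome = "OK" if i % 100 == 99 else "FAIL"
        lines.append(f"{ts} 198.51.100.7 user{i}@example.net {outcome}")
    return lines


SAMPLE_LINES = build_sample_log()


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"


def detect_stuffing(lines):
    """Flag source IPs whose 10-minute sliding window shows many distinct usernames with a
    low success ratio, and report every account that logged in from such an IP as compromised."""
    events = sorted(parse_line(l) for l in lines)
    recent = defaultdict(deque)      # ip -> (ts, user, ok) events inside the window
    successes = defaultdict(set)     # ip -> usernames that logged in from it
    alerts = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in q}
        ratio = sum(1 for _, _, s in q if s) / len(q)
        if len(users) >= MIN_DISTINCT_USERS and ratio <= MAX_SUCCESS_RATIO:
            a = alerts.setdefault(ip, {"first_flagged": ts, "attempts": 0, "distinct_users": 0})
            a["attempts"] = max(a["attempts"], len(q))
            a["distinct_users"] = max(a["distinct_users"], len(users))
    for ip, a in alerts.items():
        a["compromised"] = set(successes[ip])   # these accounts need a forced reset and session kill
    return alerts


def peak_distinct_usernames(lines):
    """Platform-wide signal: the most distinct usernames attempted in any 10-minute window,
    regardless of source IP. This still climbs when the attacker spreads attempts over proxies."""
    events = sorted(parse_line(l) for l in lines)
    q = deque()
    peak = 0
    for ts, _ip, user, _ok in events:
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        peak = max(peak, len({u for _, u in q}))
    return peak


if __name__ == "__main__":
    for ip, a in detect_stuffing(SAMPLE_LINES).items():
        print(ip, a["attempts"], "attempts,", a["distinct_users"], "accounts, hits:", sorted(a["compromised"]))
    print("peak distinct usernames in any 10 min:", peak_distinct_usernames(SAMPLE_LINES))
```

On the constructed log the per-IP rule fires after the fiftieth distinct username, while Carol’s two typos from her own address never trip it. The platform-wide count is the one to alert on for a months-long campaign: a handful of successes per hour looks normal per user, but hundreds of never-before-seen usernames per window across the whole login endpoint does not.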
How 14,000 Compromised Accounts Became 6.9 Million
Through direct credential stuffing, attackers accessed approximately 14,000 accounts, representing less than 0.1 percent of 23andMe’s roughly 14 million customers. But 23andMe offered an opt-in feature called DNA Relatives, which allowed users to share profile information with others who matched as genetic relatives. Once inside 14,000 accounts, the attacker used those accounts to scrape the DNA Relatives profiles connected to them, ultimately pulling data from approximately 5.5 million additional users.
Another 1.4 million users had their Family Tree profiles accessed through the same mechanism. The Family Tree feature shares a more limited set of information: display names, relationship labels, and in some cases geographic location and birth year. In total, approximately 6.9 million individuals had their data stolen, nearly half of 23andMe’s customer base at the time.
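The amplification mechanism above, a few thousand stuffed accounts fanning out into millions of scraped profiles through a sharing feature, can be modelled directly. The Python below is an added example, not 23andMe code: it builds a constructed relatives graph (5,000 users in clusters of 50, each user matched to 59 others), computes how many profiles five compromised accounts can reach in one hop, and then shows what a per-account view rate limit does to a fast scraper and to a slow one. The cluster layout, the 30-views-per-hour limit and the account numbers are assumptions; the real DNA Relatives matching logic is not modelled.

```python
from collections import defaultdict, deque

N_USERS = 5_000          # constructed population
FAMILY = 50              # users per constructed family cluster
VIEW_LIMIT = 30          # assumption: relative-profile views allowed per account per window
VIEW_WINDOW = 3600       # assumption: window length in seconds


def relatives(user):
    """Constructed DNA Relatives match list: everyone in the user's cluster plus ten members
    of the next cluster (59 matches). A stand-in for the real matching algorithm."""
    fam = user // FAMILY
    same = [u for u in range(fam * FAMILY, (fam + 1) * FAMILY) if u != user]
    nxt = (fam + 1) % (N_USERS // FAMILY)
    return same + list(range(nxt * FAMILY, nxt * FAMILY + 10))


def reachable_profiles(compromised):
    """Every profile exposed one sharing hop away from the compromised accounts."""
    seen = set()
    for acct in compromised:
        seen.update(relatives(acct))
    return seen - set(compromised)


class ViewRateLimiter:
    """Sliding-window cap on relative-profile views per account. Accounts that hit the cap
    are recorded so the session can be challenged or terminated."""

    def __init__(self, limit=VIEW_LIMIT, window=VIEW_WINDOW):
        self.limit, self.window = limit, window
        self.views = defaultdict(deque)
        self.flagged = set()

    def allow(self, acct, now):
        q = self.views[acct]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.flagged.add(acct)
            return False
        q.append(now)
        return True


def scrape(compromised, limiter=None, interval_sec=1):
    """A scraper walks each compromised account's match list, one view every interval_sec
    seconds, and returns the set of relative profiles it actually obtained."""
    got = set()
    t = 0
    for acct in compromised:
        for target in relatives(acct):
            t += interval_sec
            if limiter is None or limiter.allow(acct, t):
                got.add(target)
    return got - set(compromised)


COMPROMISED = [0, 1000, 2000, 3000, 4000]     # five stuffed accounts in five different clusters

if __name__ == "__main__":
    print("profiles reachable from 5 accounts:", len(reachable_profiles(COMPROMISED)))
    print("fast scrape, no limit:", len(scrape(COMPROMISED)))
    fast = ViewRateLimiter()
    print("fast scrape, 30/hour limit:", len(scrape(COMPROMISED, fast)), "flagged:", sorted(fast.flagged))
    slow = ViewRateLimiter()
    print("one view every 130 s, same limit:", len(scrape(COMPROMISED, slow, interval_sec=130)),
          "flagged:", sorted(slow.flagged))
```

Five accounts expose 295 profiles, a 59-fold amplification, and the burst limit cuts a fast scraper to 150 while flagging all five accounts. The last line is the caveat: a scraper that paces itself at one view every 130 seconds stays under 30 per hour, takes everything, and is never flagged. A burst limit alone does not stop a five-month campaign; it needs a cumulative per-account cap (per day or per week) and an anomaly check on accounts whose lifetime view count sits far above the population median.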
What Was Exposed
The type of data involved in the 23andMe breach is what sets it apart from most other incidents. For users whose accounts were directly accessed, exposed information could include:
- Genetic ancestry results, including ethnicity estimates and haplogroup data
- Health predisposition reports, carrier status reports, wellness reports, and pharmacogenetics data
- Raw genotype data for some users
- Self-reported health conditions
- Names, birth years, profile photos, and self-reported locations
- Family surnames, grandparent birthplaces, and family tree connections
- Percentage of DNA shared with genetic matches and predicted relationships
For users whose DNA Relatives profiles were scraped but whose accounts were not directly compromised, the exposed data was limited to information they had chosen to share through that feature, which varies by user but could include names, profile photos, ancestry composition, and family tree details.
Why Genetic Data Is Different
Unlike a stolen password or credit card number, genetic information cannot be changed. It is permanent, it reveals information not only about the individual but about their biological relatives, and it carries risks that are difficult to fully anticipate. Exposed genetic data can be used to infer predispositions to certain health conditions, to identify family relationships without the knowledge or consent of relatives who never agreed to share their data, and in the worst case, to enable discrimination or targeting based on ethnic heritage.
The 23andMe breach highlighted a specific dimension of that risk. The hacker, operating under the alias Golem on BreachForums, published the stolen data in lists curated by ethnicity. One batch was advertised explicitly as a list of Ashkenazi Jewish users; another as a list of people of Chinese descent. The data was offered for sale at $1 to $10 per individual account profile. A subsequent class action lawsuit alleged that 23andMe failed to notify customers of Chinese and Ashkenazi Jewish heritage that their profiles had been bundled into targeted ethnic lists and placed on the dark web.
Breach at a Glance
| Detail | Information |
|---|---|
| Attack type | Credential stuffing (valid stolen credentials replayed against the login page; no vulnerability in 23andMe’s systems was exploited) |
| Attack period | April 29, 2023 through approximately October 2023 (approx. 5 months) |
| Accounts directly accessed | ~14,000 (less than 0.1% of users) |
| Total individuals affected | ~6.9 million (nearly half of 14M customer base) |
| US customers affected | ~6.4 million |
| UK customers affected | ~155,600 |
| Canadian customers affected | ~320,000 |
| Data exposed | Ancestry results, health predispositions, ethnicity estimates, raw genotype data (some), family tree connections, names, birth years, locations |
| Data sold for | $1 to $10 per profile |
| Discovered | October 2023, when stolen data appeared for sale on Reddit |
| Settlement | $30 million (final court approval January 30, 2026); increased to $50M proposed post-bankruptcy |
| Bankruptcy filed | March 23, 2025 (Eastern District of Missouri) |
| Company sold to | TTAM Research Institute (led by co-founder Anne Wojcicki) for $305 million, approved July 2025 |
Legal and Regulatory Fallout
Class Action Lawsuits
In October 2023, impacted users filed the first class action lawsuit in California alleging negligence, breach of implied contract, invasion of privacy, and unjust enrichment. A separate lawsuit filed in January 2024 specifically alleged that 23andMe had failed to notify customers of Chinese and Ashkenazi Jewish heritage that their data had been curated into targeted ethnic lists. More than 40 class action cases were eventually consolidated before Judge Edward M. Chen in the Northern District of California.
23andMe agreed to a $30 million settlement in September 2024 to resolve the consolidated litigation. The settlement received final court approval on January 30, 2026, after being moved into bankruptcy court following the company’s March 2025 bankruptcy filing. After the bankruptcy sale freed up additional assets, 23andMe proposed increasing the settlement fund to $50 million, pending a new court approval.
Payouts to individual class members are tiered:
- Up to $10,000 for documented out-of-pocket losses, including identity repair costs, security purchases, or mental distress treatment
- Up to $165 for users notified that their health data was affected
- An additional $100 for users in Alaska, California, Illinois, or Oregon during the breach period
- Five years of free identity theft protection, dark web monitoring, and genetic anomaly detection services for all eligible class members
FYI: While the claim deadline passed in February 2026, payments are not expected to be disbursed quickly given the ongoing bankruptcy proceedings.
UK and Canadian Regulatory Investigations
In June 2024, the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced a joint investigation into the breach. Their findings, published in 2025, concluded that 23andMe had failed to implement appropriate security measures, including mandatory multi-factor authentication and adequate password requirements. The investigation also found that 23andMe’s detection systems had missed clear warning signs of the credential stuffing attack for months.
The ICO fined 23andMe £2.31 million for failing to protect the data of 155,592 UK residents. The ICO’s investigation found that once an account was accessed, 23andMe had no additional verification measures in place to protect sensitive information including raw DNA data from being downloaded. The company’s password policy, requiring a minimum of eight characters, did not meet ICO guidance recommending at least ten characters.
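Two of the ICO’s findings, the eight-character password minimum and the absence of any further verification before raw DNA data could be downloaded, map onto two small controls. The Python below is an added example, not 23andMe code and not a description of how the company later fixed either issue: a password policy check that enforces the ten-character guidance and rejects passwords found in a breach corpus (here a constructed three-entry set standing in for a k-anonymity range lookup), and a step-up authorization gate that requires a recent second-factor check before a sensitive action regardless of whether the login succeeded. The action names, the ten-minute freshness window and the sample passwords are assumptions.

```python
import hashlib
from datetime import datetime, timedelta

MIN_PASSWORD_LEN = 10                      # ICO guidance cited in the text; the old policy allowed 8
STEP_UP_MAX_AGE = timedelta(minutes=10)    # assumption: how recent a second factor must be
SENSITIVE_ACTIONS = {"download_raw_genotype", "export_health_reports", "change_email"}  # assumed names


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus. In a real deployment this set is replaced by a
# k-anonymity range query against a breached-password service; see split_for_range_query().
BREACHED_SHA1 = {sha1_hex(p) for p in ("Password1", "Summer2023!", "letmein123")}


def split_for_range_query(candidate):
    """Only the first five hex characters of the SHA-1 leave the client in a range query;
    the caller matches the returned suffix against the list the service sends back."""
    digest = sha1_hex(candidate)
    return digest[:5], digest[5:]


def check_password(candidate):
    """Return the list of policy violations for a proposed password (empty means accepted)."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if sha1_hex(candidate) in BREACHED_SHA1:
        problems.append("appears in a known breach corpus")
    return problems


class Session:
    """Minimal session record: who is logged in and when a second factor was last verified."""

    def __init__(self, user, mfa_verified_at=None):
        self.user = user
        self.mfa_verified_at = mfa_verified_at


def authorize(session, action, now):
    """Gate sensitive actions on a recent second-factor check, independent of the login itself,
    so a stuffed password alone cannot pull raw genotype data."""
    if action not in SENSITIVE_ACTIONS:
        return "ALLOW"
    if session.mfa_verified_at is None or now - session.mfa_verified_at > STEP_UP_MAX_AGE:
        return "STEP_UP_REQUIRED"
    return "ALLOW"


def demo_decisions(now=datetime(2023, 9, 15, 12, 0, 0)):
    """Worked scenario: one user, three sessions with different second-factor freshness."""
    return {
        "no_mfa": authorize(Session("alice"), "download_raw_genotype", now),
        "fresh_mfa": authorize(Session("alice", now - timedelta(minutes=3)), "download_raw_genotype", now),
        "stale_mfa": authorize(Session("alice", now - timedelta(hours=2)), "download_raw_genotype", now),
        "non_sensitive": authorize(Session("alice"), "view_ancestry_summary", now),
    }


if __name__ == "__main__":
    for pw in ("Summer23", "Summer2023!", "correct-horse-battery"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    for name, decision in demo_decisions().items():
        print(f"{name}: {decision}")
```

The step-up gate is the control that would have limited the damage even after a successful credential match: an attacker holding only a reused password reaches the dashboard but is stopped at the raw-data download. The freshness window matters too; a second factor verified at login and then trusted for the whole session gives little protection against a session that is hijacked later.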
A separate $3.25 million (Can$4.49 million) settlement was proposed to resolve the Canadian class action, covering approximately 300,000 affected Canadians.

23andMe’s Contested Response
23andMe’s initial public response drew considerable criticism. The company framed the breach as a result of users failing to update passwords that had been compromised in other breaches, rather than focusing on its own failure to require two-factor authentication or detect the months-long attack. Critics pointed out that this defense, if accepted in court, would shift responsibility from the company to customers who had no way of knowing their credentials were being tested against 23andMe’s platform.
In December 2023, 23andMe also updated its terms of service to make class action lawsuits against the company more difficult, giving users 30 days to opt out of the new arbitration clause. The update was criticized as an attempt to limit its legal exposure in the wake of the breach.
Did You Know: Most password managers can flag passwords that are reused across sites or that have appeared in a known breach. Don’t have a password manager? Use our Password Strength Checker to make sure yours is not easy to guess.
The Bankruptcy and the Question of Your DNA
23andMe filed for Chapter 11 bankruptcy protection on March 23, 2025, in the Eastern District of Missouri. The company’s financial decline had been accelerating since the breach. Its stock, which had peaked at over $350 per share following a 2021 SPAC merger, had fallen below $1.30 by early March 2025.
The bankruptcy raised an immediate and novel question: What would happen to the genetic data of more than 15 million customers? Customer data is legally considered a company asset that can be sold to satisfy debts in bankruptcy. 23andMe’s privacy policy stated that in a merger, acquisition, or bankruptcy, it would continue to apply the same security practices, but the policy also noted that these practices could be changed.
An initial bankruptcy auction resulted in a $256 million winning bid from Regeneron Pharmaceuticals, a drug development company. More than two dozen state attorneys general sued to block the Regeneron deal, arguing that genetic data is fundamentally different from ordinary assets and that its sale to a pharmaceutical company posed unacceptable risks to customers. The auction was reopened in June 2025.
In July 2025, the bankruptcy court approved the sale of 23andMe’s assets, including its genetic database, to TTAM Research Institute, a nonprofit organization established by 23andMe co-founder and former CEO Anne Wojcicki. TTAM’s winning bid was $305 million. TTAM pledged to maintain existing privacy policies, continue allowing customers to delete their data, and use the genetic database for medical research rather than commercial pharmaceutical development. The company was subsequently renamed ChromeCo, Inc.
The Regulatory Gap
The 23andMe bankruptcy exposed a significant gap in US law. HIPAA, the primary federal health privacy law, does not apply to direct-to-consumer genetic testing companies, because they are neither HIPAA covered entities (such as healthcare providers and insurers) nor their business associates. California’s Genetic Information Privacy Act gives customers the right to delete their identified genetic data, but federal laboratory regulations require that de-identified genetic data be retained for regulatory purposes regardless. There is currently no comprehensive federal law governing what companies like 23andMe can do with genetic data in a bankruptcy or acquisition.
Why Genetic Data Deserves a Higher Standard of Protection
Most data breaches expose information that is inconvenient to have stolen: passwords can be changed, credit cards can be cancelled, email addresses can be monitored. Genetic information cannot be changed, ever. It reveals not just who you are but who your relatives are, what health conditions you may be predisposed to, and where your family comes from. Once that information leaves a secure system, the potential consequences extend to family members who never agreed to share their own data.
One practical step you can take is reducing how much of your personally identifiable information is accessible to data brokers and aggregators, who compile and sell profiles that can be used to target individuals with phishing attempts or social engineering attacks. A service like Incogni automates removal requests to those databases, limiting the amount of personal context available to anyone seeking to exploit breach data.
FYI: Sadly, the best data removal services can’t protect your genetic information. They can reduce your broader data footprint, making you a harder target.
How to Check if You Were Affected and What to Do

Check Your Email and Have I Been Pwned
23andMe notified affected customers by email. If you were a 23andMe customer between May 1, 2023, and October 1, 2023, and received a notification that your information was compromised, you were eligible for the class action settlement, though the February 17, 2026 claim deadline has now passed. You can also enter your email at haveibeenpwned.com to check whether your address has appeared in any known breach datasets.
Delete Your 23andMe Data
Given the company’s bankruptcy and acquisition, many users have chosen to delete their genetic data and close their accounts. 23andMe and its successor entity TTAM have stated that users can continue to delete their data at any time. Deleting your account removes your identified personal information and genetic data from the platform.
FYI: Federal laboratory regulations require retention of de-identified genetic data for a period, which means some information may be retained in anonymized form even after account deletion.
Update Passwords and Enable Two-Factor Authentication
If you used the same password on 23andMe that you use on other services, change it. Use our password generator to create a unique, strong password for each service, and enable two-factor authentication wherever available. The 23andMe breach succeeded because reused passwords gave the attacker a way in and nothing on the company’s side, such as mandatory two-factor authentication, stopped them; credential stuffing remains one of the most common ways accounts are compromised.
Monitor for Targeted Phishing
If your ethnicity or health data was among the information exposed, be alert to targeted phishing attempts that may reference your genetic background or health conditions in an attempt to appear legitimate. Never click links or open attachments in unsolicited emails that claim to be from 23andMe or any health-related service.
Frequently Asked Questions
What data was stolen in the 23andMe breach?
The breach exposed data from approximately 6.9 million users, including genetic ancestry results, ethnicity estimates, health predisposition reports, carrier status reports, wellness reports, raw genotype data for some users, family tree connections, names, birth years, profile photos, and self-reported locations. The specific data exposed for each user depended on what they had chosen to share through the DNA Relatives and Family Tree features.
Was 23andMe's system hacked directly?
No software vulnerability in 23andMe’s systems was exploited. The attacker used credential stuffing, feeding usernames and passwords stolen from other previously breached websites into 23andMe’s login page until matches were found, and then used the matched accounts to scrape profiles through the DNA Relatives and Family Tree features. The data was therefore taken through 23andMe’s own login page and sharing features, and the attack succeeded because many users had reused credentials from other services, because 23andMe did not require multi-factor authentication, and because it lacked adequate detection for the sustained login attempts.
What happened to the 23andMe class action settlement?
23andMe agreed to a $30 million settlement to resolve more than 40 consolidated class action lawsuits. The settlement received final court approval on January 30, 2026. After 23andMe’s bankruptcy and sale, the company proposed increasing the fund to $50 million. US residents who were 23andMe customers between May 1, 2023, and October 1, 2023, and received notice that their information was compromised were eligible to claim, though the February 17, 2026 deadline has passed. Payouts ranged from $100 in statutory claims up to $10,000 for documented losses, plus five years of free genetic monitoring services.
What happened to 23andMe after the breach?
23andMe filed for Chapter 11 bankruptcy on March 23, 2025. The company was sold to TTAM Research Institute, a nonprofit led by co-founder Anne Wojcicki, for $305 million in a July 2025 bankruptcy court approval. The sale was approved over objections from more than two dozen state attorneys general who had sought to block an earlier deal with Regeneron Pharmaceuticals. The company was subsequently renamed ChromeCo, Inc. TTAM pledged to maintain existing privacy policies and continue allowing users to delete their data.
Should I delete my 23andMe account?
That is a personal decision, but many privacy experts and attorneys general advised customers to delete their data during the bankruptcy process. 23andMe and the new owner TTAM have stated that users can delete their accounts at any time and that their identified genetic and personal data will be removed. De-identified genetic data may be retained for regulatory compliance purposes. If you are concerned about your data being used in ways you did not originally consent to, logging in to your account settings and submitting a deletion request is the clearest step available to you.
