What is the 23andMe Data Breach?

A 2023 data breach at genetic testing company 23andMe that exposed the genetic ancestry data, personal information, and family connections of 6.9 million users — including sensitive ethnic and health-related information.

Also known as: 23andMe Hack, 23andMe Data Leak, DNA Data Breach, Genetic Data Breach

The 23andMe breach exposed something no other breach can — your DNA and genetic ancestry. Unlike a password or credit card, you cannot change your genetic code. This breach made millions of people's most intimate biological information permanently available.

What Happened

  • October 2023: Hackers used credential stuffing to access 14,000 accounts directly
  • Through 23andMe's "DNA Relatives" feature, attackers accessed 6.9 million users' data (friends-of-friends effect)
  • Stolen data was posted on hacking forums, initially targeting users of Ashkenazi Jewish and Chinese descent specifically
  • 23andMe confirmed the breach affected roughly half of all users
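
The gap between 14,000 logins and 6.9 million exposed profiles comes from the relative-sharing feature, and a service operator can estimate that blast radius ahead of time. The sketch below is an added example, not 23andMe's code: the account names, the match graph, and the one-hop visibility rule (an opted-in account can view each matched relative who also opted in) are all assumptions made for illustration.

```python
# Constructed sample data: account -> accounts it matches as a relative.
RELATIVE_MATCHES = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice", "frank"},
    "dave": {"alice"},
    "erin": {"bob"},
    "frank": {"carol"},
    "grace": {"heidi"},
    "heidi": {"grace"},
}
# Constructed: accounts that opted in to relative sharing (frank did not).
SHARING_OPT_IN = {"alice", "bob", "carol", "dave", "erin", "grace", "heidi"}


def exposed_profiles(compromised, matches, opted_in):
    """Return every profile readable through the compromised logins.

    Assumed model: a login always exposes its own profile; if that
    account opted in to sharing, it also exposes each matched relative
    who opted in. Relatives who opted out stay hidden.
    """
    exposed = set(compromised)
    for account in compromised:
        if account not in opted_in:
            continue  # no relative view is available from this login
        for relative in matches.get(account, ()):
            if relative in opted_in:
                exposed.add(relative)
    return exposed


def amplification(compromised, matches, opted_in):
    """Exposed profiles per directly compromised account."""
    if not compromised:
        return 0.0
    return len(exposed_profiles(compromised, matches, opted_in)) / len(compromised)


if __name__ == "__main__":
    stolen = {"alice"}
    print(sorted(exposed_profiles(stolen, RELATIVE_MATCHES, SHARING_OPT_IN)))
    print(amplification(stolen, RELATIVE_MATCHES, SHARING_OPT_IN))
    # Same login after bob opts out of sharing: bob is no longer exposed.
    print(sorted(exposed_profiles(stolen, RELATIVE_MATCHES, SHARING_OPT_IN - {"bob"})))
```

In this model, opting out removes a profile from the exposure set of every relative's login, which is why sharing features matter as much as the password on the account itself.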

What Was Exposed

  • Genetic ancestry information
  • Names and profile photos
  • Birth year and location
  • Family tree connections
  • Percentage-match data between relatives
  • Some users' health predisposition reports
  • Self-reported health conditions

Why Genetic Data Is Uniquely Dangerous

It's Permanent

You can change a password, cancel a credit card, even get a new Social Security number in extreme cases. You cannot change your DNA. This data is compromised forever.

It Identifies Your Family

Your genetic data doesn't just expose you — it exposes every biological relative, including people who never used 23andMe.

It Reveals Sensitive Information

  • Ethnic heritage (the breach specifically targeted ethnic groups)
  • Health predispositions (Alzheimer's risk, cancer markers, carrier status)
  • Family secrets (unknown siblings, non-paternity events)
  • Potential for genetic discrimination by employers or insurers

The Aftermath

  • 23andMe's stock dropped 40% in the months following
  • Multiple class action lawsuits filed
  • Company laid off 40% of staff
  • 23andMe filed for bankruptcy in 2025
  • Questions about who will own the genetic data of 15 million users in bankruptcy proceedings

Lessons

  1. Think before you spit — genetic testing companies now hold the most intimate data possible
  2. Opt out of DNA Relatives and similar sharing features
  3. Use unique, strong passwords — the initial breach was credential stuffing
  4. Enable two-factor authentication on any service holding sensitive data
  5. Request data deletion from genetic testing services you no longer use
  6. Genetic data has no expiration — consider whether the curiosity is worth the permanent risk
