The Good Tech Companies - What Happens When Hackers Get Your DNA? Ask 23andMe
Episode Date: May 14, 2025. This story was originally published on HackerNoon at: https://hackernoon.com/what-happens-when-hackers-get-your-dna-ask-23andme. The 23andMe breach wasn't a typical hack; it was a feature-level failure with massive implications for genomic data privacy. This deep dive breaks it all down. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #cybersecurity, #23andme-data-leak, #credential-stuffing, #genetic-data-leak-23andme, #23andme-bankruptcy-reasons, #dna-identity-theft-risks, #hackernoon-top-story, #good-company, and more. This story was written by: @sekurno. Learn more about this writer by checking @sekurno's about page, and for more stories, please visit hackernoon.com. DNA testing company 23andMe suffered a data breach in late 2023. The breach exposed deeply personal insights that are impossible to reset. It shattered assumptions about consumer genetics platforms and ignited regulatory scrutiny.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
What happens when hackers get your DNA? Ask 23andMe, by Sekurno
In late 2023, DNA testing company 23andMe disclosed a breach that compromised the personal and genetic data of millions of users [1]. Unlike a typical cybersecurity incident involving passwords or payment information, this attack exposed deeply personal insights (ancestry details, genetic markers, family connections) that are impossible to reset.

This breach was a turning point in the digital health and biometric era. It shattered assumptions about consumer genetics platforms, revealed the cascading risks of weak authentication, and ignited regulatory scrutiny around the world. Most importantly, it showed what happens when genomic data, an immutable digital fingerprint, is left vulnerable.

The breach did not occur in isolation. 23andMe had long struggled to build a sustainable business model. After going public, it failed to turn a profit, relying heavily on one-time kit sales without building strong recurring revenue streams. Its attempt to pivot into therapeutics also failed to gain traction. These structural issues created a fragile foundation, one that left the company especially vulnerable when the breach occurred. The attack became a final blow, compounding legal, reputational, and operational pressures that had already been mounting.

This report offers a full examination of the 23andMe breach: what happened, how the attackers exploited design weaknesses, the scope and sensitivity of the data exposed, the regulatory and legal consequences, comparisons with other biotech incidents, and actionable lessons for anyone safeguarding biometric or genomic data.
1. What happened? Timeline, method, and exposure

Credential stuffing at scale

In October 2023, a hacker calling themselves Golem began leaking datasets allegedly stolen from 23andMe accounts [2]. The data was categorized by ethnic group, initially Ashkenazi Jewish and Chinese users, indicating a possible intent to target specific populations [3]. The leak eventually expanded to include over 6.9 million profiles [1].

Unlike a traditional exploit of infrastructure, this breach relied on credential stuffing: the automated replay of username-password combinations leaked from other platforms against 23andMe's login portal. Roughly 14,000 accounts were directly accessed, but each compromised account's participation in the DNA Relatives feature allowed the attacker to scrape the profile data of millions of related users [4].
Timeline of events

- April-September 2023: Credential stuffing attack runs, slowly compromising thousands of accounts.
- October 2023: A Reddit post reveals 23andMe user data being sold on the dark web.
- October 2023: 23andMe publicly discloses the breach.
- October 2023: A class action lawsuit is filed.
- April 2024: CEO Anne Wojcicki proposes taking the company private; the board rejects the proposal.
- September 2024: The entire independent board resigns over strategic disagreements.
- September 2024: $30 million legal settlement, mostly covered by cyber insurance.
- November 2024: 40% workforce reduction.
- March 2025: 23andMe files for Chapter 11 bankruptcy and Wojcicki steps down; the company proposes an auction for the sale of its assets [6].

Notably, this bankruptcy filing doesn't involve immediate liquidation, as in Chapter 7, but is a strategic attempt to restructure the company's debt and potentially sell off business units while maintaining limited operations. As part of this process, it has been reported that sensitive data infrastructure could be auctioned, raising new concerns about the fate of user DNA data.
What was leaked

The breach exposed both direct user account data and connected profile data, including:
- full names, usernames, and profile photos;
- genetic ancestry reports and haplogroup information;
- birth years and locations;
- family surnames;
- ethnicity percentages and geographic origin data;
- connections to relatives via DNA Relatives.

While initially believed to exclude raw genetic files, later disclosures confirmed that some health reports and raw genotype data had been downloaded before 23andMe disabled access [5].

By early 2025, as part of its Chapter 11 proceedings, 23andMe announced plans to auction off corporate assets, including potentially sensitive user data or related infrastructure [6]. This move sparked renewed criticism from privacy advocates concerned that genomic data could be sold as part of a bankruptcy process.
2. Genomic privacy and the permanence problem

The breach ignited new fears over genetic identity theft, a risk that is qualitatively different from traditional PII leaks. DNA data is not just unchangeable, it is inherently social: a person's genetic profile also reveals information about their relatives, ethnic group, and potential health predispositions.

Weaponization of genetic data

By labeling and segmenting datasets by ethnicity (e.g. Chinese, Ashkenazi Jewish), the attackers introduced the potential for genetic data to be used for racial profiling or targeted harassment. Experts noted the possibility of this data being used to:
- identify individuals or families from genealogy data;
- target ethnic minorities with hate speech or misinformation;
- reveal hereditary disease risks or stigmatizing traits.

This breach made abstract concerns about genomic privacy painfully real [3].
DarkOwl revealed that the breach was first advertised on Hydra Market in August 2023 by a user named Dazhbog, who claimed to possess over 300 terabytes of DNA data for sale, targeting ethnic groups and geographies such as Ashkenazi Jews, Chinese, and UK-linked individuals. Later, a threat actor known as Golem released portions of the data on Telegram and BreachForums, some of it allegedly timed in response to the outbreak of the Israel-Gaza conflict on October 7. This suggests not only a financial motive but also a geopolitical one, where genetic data was deliberately weaponized to provoke tension and incite harm [14].
But the risks extend even further. Once your DNA is leaked, it can't be changed. It's a permanent identifier, and that opens the door to much darker misuse.

Top 5 threats of genetic data misuse

1. Biometric identity theft and impersonation. DNA used to forge identities in biometric systems, irreversible and uniquely tied to you.
2. Framing or incrimination via DNA planting. Genetic evidence can be fabricated and planted at crime scenes, leading to false accusations. Real-world example: in 2009, Israeli scientists from the company Nucleix published a paper showing that fake DNA could be synthesized from a real profile using standard lab equipment, well enough to pass standard forensic testing.
3. Targeted bioweapons. Biological weapons could theoretically be designed to exploit specific genetic vulnerabilities in individuals or ethnic populations.
4. Familial exposure and privacy breach. Your genome contains sensitive information about your relatives, none of whom may have consented to its exposure.
5. Genetic discrimination by insurers and employers. Individuals could face denial of coverage, increased premiums, or lost job opportunities based on genetic predispositions, even in regions with legal protections.
Long-term implications

Just as the 2015 OPM breach raised concerns about the future misuse of stolen fingerprints [13], the 23andMe incident raises a chilling prospect: what could adversaries do with stolen genetic data 5 or 10 years from now? From personalized social engineering attacks to discriminatory profiling, the potential uses are only beginning to emerge.

The leak also undermines consumer trust in biotech. If users lose faith in a platform's ability to safeguard their DNA, they may abandon it altogether, stalling genetic research and commercial diagnostics.
3. Why security controls failed

The 23andMe breach wasn't a case of a sophisticated intrusion through technical zero-days. It was a failure of basic security hygiene and feature design.

Authentication and monitoring weaknesses

The attackers used credential stuffing to gain access. While users bear some blame for password reuse, the platform did not require two-factor authentication (2FA) until after the breach [4]. Key gaps included:
- 2FA was optional, not mandatory.
- Login attempts from unusual IPs or behaviors went undetected for months.
- There were no apparent safeguards against automated scraping once logged in.
- The breach persisted for five months, from April to September 2023, without triggering effective alarms [5].

Abuse of the DNA Relatives feature

The attackers didn't exploit a vulnerability. They used the system exactly as intended. The DNA Relatives feature let users view data about genetically related individuals. Once an attacker accessed a single account, they could systematically scrape information from hundreds or even thousands of genetic matches, so the blast radius of one password was the whole relative graph reachable from it.

This wasn't just a breakdown in authentication. It reflected a failure to anticipate how product features could be weaponized, especially in volatile geopolitical contexts. The breach coincided with heightened tensions in the Israel-Palestine conflict and disproportionately affected individuals identified as Ashkenazi Jewish or Chinese, raising questions about motive and intent. While there's no conclusive proof of nation-state or hacktivist involvement, the targeting of specific ethnic groups suggests a calculated interest in identity-based data.

It's a reminder that risk isn't static. Just as rare earth elements became strategically valuable with the rise of semiconductors, the value of certain data sets can spike in response to world events, and so can the motivation to exploit them.
4. Legal and regulatory consequences

The scale and nature of the 23andMe breach sparked immediate legal repercussions and intensified regulatory scrutiny, especially given that genetic data is treated as sensitive personal data under laws like GDPR, CCPA, and various state-level biometric privacy statutes.

Lawsuits and settlements

Within weeks of the breach becoming public, 23andMe faced multiple class action lawsuits in the U.S., alleging negligence, breach of contract, and failure to protect sensitive health data. Plaintiffs argued that the company had failed to implement basic protections such as mandatory MFA and effective monitoring systems [5]. In September 2024, the company agreed to a $30 million settlement to resolve a consolidated class action. While 23andMe did not admit wrongdoing, the settlement required it to introduce sweeping reforms, including:
- mandatory two-factor authentication for all users;
- regular cybersecurity audits;
- clear deletion policies for inactive accounts;
- enhanced breach notification protocols.

Federal and state regulatory scrutiny

The Federal Trade Commission (FTC) had already taken action against another DNA testing company, 1Health.io (Vitagene), for deceptive practices and lax security in 2023 [8]. That case set a precedent: genetic testing companies can be investigated under the FTC Act for unfair or deceptive data practices, especially when consumers are misled about how their DNA will be used or stored.

Following the breach, California's Attorney General emphasized the importance of genomic privacy and recommended that consumers review their account settings and data-sharing preferences [7].

If 23andMe's European customers were affected, regulators under the General Data Protection Regulation (GDPR) may also intervene. Genetic data is classified under GDPR as a "special category" of personal data, requiring explicit consent and extra protections. A breach involving such data could trigger fines of up to 4% of global annual turnover.

Terms of Service controversy

In the wake of the breach, 23andMe controversially updated its Terms of Service to prohibit class action lawsuits, pushing users into individual arbitration. Critics, including digital rights groups, accused the company of trying to limit legal accountability. The FTC had previously warned, in other cases, that retroactive changes to privacy terms without user consent could themselves be grounds for enforcement [8].
5. Reputational fallout and industry comparisons

Trust lost, brand damaged

For a company like 23andMe, built on consumer trust, the damage was existential. Users entrust genetic testing firms with their most personal data, and any breach can provoke lasting fear and backlash. In this case, the fallout was swift and severe.

In March 2025, less than two years after the breach, 23andMe filed for Chapter 11 bankruptcy, citing a collapse in consumer demand and a reputational hit it couldn't recover from [7]. The company's market value had dropped over 99% from its peak, and attempts to sell the business failed. Though other market factors were at play, including the saturation of direct-to-consumer testing, the breach is widely seen as a triggering event that eroded customer loyalty and business viability.

Other biotech breaches: lessons from peers

The 23andMe incident is part of a growing pattern:
- MyHeritage (2018): a breach exposed 92 million email addresses and hashed passwords, though genetic data was not leaked thanks to segregated systems [9].
- DNA Diagnostics Center (2021): exposed Social Security numbers and test records for 2 million people due to legacy system failures [11].
- GEDmatch (2020): privacy settings were reset in a breach that exposed genetic data to law enforcement searches without user consent.
- Ancestry's RootsWeb (2017): user credentials leaked through a misconfigured server, though no genetic data was compromised [10].

The key pattern? Credential-based breaches and weak privacy controls repeatedly enable mass data exposure. The 23andMe breach stands out for the scale of its genomic exposure and its long-term business consequences.
6. 23andMe breach: lessons and security recommendations

The 23andMe breach underscores a pattern security teams must address: feature abuse, weak authentication, and excessive trust in interconnected systems. This wasn't a classic perimeter breach. It was a failure to anticipate how legitimate features and authenticated access could be turned against the platform.

Key security takeaways

- Mandate MFA by default. Optional two-factor authentication doesn't meet the threat model of consumer genomics. Platforms handling sensitive data must enforce MFA for all users, not just as a best practice but as a formal requirement, as the OWASP ASVS authentication chapter demands at Level 3 [12].
- Model for feature abuse, not just exploits. DNA Relatives wasn't vulnerable in the traditional sense, but it became a powerful data-harvesting tool after account takeover. Security reviews must include abuse-case threat modeling, not just code audits.
- Detect anomalous behavior and limit overuse. The attackers operated slowly and quietly. Behavioral monitoring and granular rate limiting are essential for catching "low and slow" attacks that bypass basic alerting.
- Encrypt and segment critical data assets. MyHeritage avoided deeper fallout in 2018 because DNA data was logically separated and encrypted. 23andMe's architecture exposed too much once a user was authenticated. Access control must extend beyond login.
- Practice data minimization by design. Retention policies shouldn't wait for litigation. Deleting dormant accounts and minimizing data collection reduces the blast radius and aligns with modern privacy principles.
- Detection lag is a threat multiplier. It took over five months for 23andMe to detect the breach: five months of unchecked data exfiltration, and the company only learned of it after the stolen data had surfaced on criminal forums.
- Cyber insurance doesn't guarantee survival. Even though 23andMe's policy reportedly covered $25 million of a $30 million legal settlement, it couldn't salvage the brand or stop the downward spiral. Insurance is not a substitute for security.
- Own the narrative during incident response. Pointing fingers at users damaged trust. A strong response requires clear communication, visible change, and a shared sense of accountability.

For a closer look at what 23andMe actually fixed in the aftermath, Dmitriy Myornikov breaks it down here.
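Two of the gaps described above, credential stuffing at the login endpoint and post-login scraping of DNA Relatives, come down to the same kind of per-key, per-window counting over authentication and feature-access logs. The Python below is an added example written for this page, not 23andMe's own detection code; the log format, thresholds and sample data are all assumptions. It parses a constructed log (timestamp, event kind, actor, source IP, outcome or viewed profile id) and flags (a) source IPs that try many distinct accounts in one window with mostly failures, (b) accounts that view far more distinct relative profiles in one window than a person plausibly would, and (c) the overlap: accounts that logged in successfully from a stuffing IP and then scraped, which are the ones to lock first.

```python
"""Added example: per-key, per-window detection over constructed login and
DNA-Relatives access logs. Log format, thresholds and sample data are
assumptions for illustration, not 23andMe's real telemetry."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

# One event per log line: "<ISO-8601 ts> <LOGIN|VIEW_RELATIVE> <actor> <src_ip> <target>"
# For LOGIN, target is the outcome (OK/FAIL); for VIEW_RELATIVE it is the viewed profile id.
Event = namedtuple("Event", "ts kind actor ip target")

_BASE = datetime(2023, 4, 2, 1, 0, tzinfo=timezone.utc)


def _stamp(minutes):
    return (_BASE + timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z")


# Constructed sample log (not real data): one IP sprays eight accounts in 21 minutes
# and gets two hits; one of the hijacked accounts then scrapes 60 relative profiles.
_lines = []
for i in range(8):
    _lines.append(f"{_stamp(3 * i)} LOGIN u{i:03d} 203.0.113.7 {'OK' if i in (2, 5) else 'FAIL'}")
_lines.append(f"{_stamp(0)} LOGIN u100 198.51.100.5 OK")
_lines.append(f"{_stamp(40)} LOGIN u100 198.51.100.5 FAIL")   # an ordinary typo by a real user
for k in range(60):
    _lines.append(f"{_stamp(30 + k // 6)} VIEW_RELATIVE u002 203.0.113.7 r{k:04d}")
for k in range(3):
    _lines.append(f"{_stamp(5 + k)} VIEW_RELATIVE u100 198.51.100.5 r{9000 + k}")
SAMPLE_LOG = "\n".join(_lines)


def parse_log(text):
    """Parse the assumed line format into time-sorted Event tuples."""
    events = []
    for line in text.splitlines():
        ts, kind, actor, ip, target = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, actor, ip, target))
    return sorted(events, key=lambda e: e.ts)


def _windows(events, window):
    """Yield, for each event, the slice of time-sorted events within `window` of it."""
    j = 0
    for i in range(len(events)):
        j = max(j, i)
        while j < len(events) and events[j].ts - events[i].ts <= window:
            j += 1
        yield events[i:j]


def credential_stuffing_ips(events, window=timedelta(hours=1), min_accounts=5, min_fail_ratio=0.5):
    """Map src_ip -> max distinct accounts tried in one window, for IPs that spray
    many accounts with a high failure rate (the credential-stuffing signature)."""
    by_ip = defaultdict(list)
    for e in events:
        if e.kind == "LOGIN":
            by_ip[e.ip].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        for w in _windows(logins, window):
            accounts = {e.actor for e in w}
            fail_ratio = sum(e.target == "FAIL" for e in w) / len(w)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


def scraping_accounts(events, window=timedelta(hours=1), max_profiles=25):
    """Map account -> max distinct relative profiles viewed in one window, for
    accounts exceeding a per-window cap no human browsing DNA Relatives would hit."""
    by_actor = defaultdict(list)
    for e in events:
        if e.kind == "VIEW_RELATIVE":
            by_actor[e.actor].append(e)
    flagged = {}
    for actor, views in by_actor.items():
        for w in _windows(views, window):
            profiles = {e.target for e in w}
            if len(profiles) > max_profiles:
                flagged[actor] = max(flagged.get(actor, 0), len(profiles))
    return flagged


def suspected_takeovers(events, window=timedelta(hours=1)):
    """Accounts that logged in successfully from a stuffing IP. Those that also
    scrape are the accounts to lock and notify first."""
    bad_ips = credential_stuffing_ips(events, window)
    scrapers = scraping_accounts(events, window)
    taken = {e.actor for e in events if e.kind == "LOGIN" and e.target == "OK" and e.ip in bad_ips}
    return {a: ("takeover+scraping" if a in scrapers else "takeover") for a in sorted(taken)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing IPs:", credential_stuffing_ips(evs))
    print("scrapers:", scraping_accounts(evs))
    print("takeovers:", suspected_takeovers(evs))
```

The caveat that matters for a "low and slow" campaign like the one described above: an attacker who spreads attempts over months and many source IPs stays under any one-hour, per-IP window, so the login-side counters need a long horizon (per account: first-seen device or network; globally: the share of failed logins whose password appears in a known breach corpus), and the DNA Relatives side needs a hard per-account daily cap on distinct profiles viewed whether or not the anomaly detector fires.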
Conclusion

The 23andMe breach will be remembered not just for what was exposed, but for what it revealed: the fragility of trust in platforms built on personal identity data. Unlike breaches at Equifax or Anthem, this one touched genetic identity, information that cannot be changed, revoked, or easily re-secured.

To be clear, the breach didn't single-handedly sink the company. It was the final blow in a longer unraveling. Stock performance had already been declining, and the incident amplified broader concerns about platform safety, business viability, and long-term public trust.

There are deeper, structural lessons here, too. Cyber insurance didn't save the company. The reputational damage was too great, and the pivot to drug development failed. Strategic execution couldn't keep up with investor expectations. Fundamentally, a one-time DNA test isn't a sustainable business model. Without recurring value, even the most sensitive data becomes a commodity.

The breach wasn't caused by a single bug or exploit. It was the product of systemic design choices that prioritized access over restraint. In the age of genomic and biometric data, cybersecurity must evolve beyond perimeter controls. It must protect relationships between datasets, not just the data itself. For biotech companies, security can no longer sit in the back end. It must be woven into architecture, user experience, and data governance from day one. Because in genomics, trust isn't a value-add, it's the entire value proposition. And once it's broken, there may be no way to get it back.
Data breaches are evolving. Is your security strategy keeping up? A check-the-box pen test won't cut it if you're handling genomic or health data. Sekurno delivers real-world threat modeling, OWASP-driven testing, and compliance-aligned reports built for HIPAA, FDA, and MDR environments. Book your biotech pen test today.

References
1. Wikipedia, 23andMe data leak.
2. Archive, Analysis of credential stuffing in the 23andMe leak.
3. EFF, What to do if you're concerned about the 23andMe breach.
4. Risk Strategies, Understanding the 23andMe breach and ensuring cybersecurity.
5. BleepingComputer, 23andMe to pay $30 million in genetics data breach settlement.
6. Bloomberg Law, 23andMe demise puts 15 million users' DNA info on auction block.
7. Reuters, 23andMe files for Chapter 11 bankruptcy to sell itself.
8. FTC, 1Health.io (Vitagene) failed to protect DNA data, changed privacy terms.
9. The Verge, MyHeritage confirms 92M user accounts compromised.
10. Twingate, Ancestry data breach via RootsWeb.
11. TechTarget, DNA Diagnostics Center reaches $400,000 settlement after data breach.
12. OWASP ASVS, Authentication requirements, 2.1.3.
13. Reuters, 5.6 million fingerprints stolen in OPM breach.
14. DarkOwl, 23andMe suffers data breach.
Thank you for listening to this Hacker Noon story, read by Artificial Intelligence.
Visit HackerNoon.com to read, write, learn and publish.