In 2023, **23andMe** suffered a **credential stuffing attack** where cybercriminals exploited recycled login credentials from prior breaches to infiltrate ~14,000 user accounts. Due to the company’s **DNA Relatives** and **Family Tree** features—linking users via genetic data—the breach escalated, exposing **6.9 million profiles** (5.5M DNA Relatives + 1.4M Family Tree records). The attack stemmed from **weak password policies**, lack of **rate-limiting on login APIs**, and **password reuse** by users. Regulatory fallout included a **£2.31 million fine** (2025) from the UK’s **Information Commissioner’s Office (ICO)** for failing to protect personal data. The incident highlighted systemic vulnerabilities in **authentication mechanisms** and **data interconnectivity**, enabling a localized breach to spiral into a **mass genetic data exposure** with long-term privacy and fraud risks for affected individuals.
Source: https://www.theregister.com/2025/10/07/credential_stuffing_231_million/
TPRM report: https://www.rankiteo.com/company/23andme
"id": "23a2593125100725",
"linkid": "23andme",
"type": "Cyber Attack",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "6.9 million (14,000 direct accounts + 5.5 million DNA Relatives + 1.4 million Family Tree profiles)",
      "industry": ["Biotechnology", "Genetics", "Consumer Health"],
      "location": "Sunnyvale, California, USA",
      "name": "23andMe",
      "type": "Private Company"
    }
  ],
  "attack_vector": [
    "Automated Login Attempts",
    "Stolen Credentials from Previous Breaches",
    "Lack of Rate Limiting in Login API"
  ],
  "customer_advisories": [
    "Users advised to change passwords, enable MFA, and monitor accounts for suspicious activity."
  ],
  "data_breach": {
    "data_exfiltration": "Yes (Data Sold on Dark Web)",
    "number_of_records_exposed": "6,900,000",
    "personally_identifiable_information": [
      "Names",
      "Email Addresses",
      "Genetic Relationship Data",
      "Family Tree Details"
    ],
    "sensitivity_of_data": "High (Includes Genetic and Personal Information)",
    "type_of_data_compromised": [
      "Personal Identifiable Information (PII)",
      "Genetic Data",
      "Family Tree Information"
    ]
  },
  "date_publicly_disclosed": "2023-10-06",
  "description": "A credential stuffing attack on 23andMe led to the compromise of 6.9 million user accounts, including 14,000 directly breached accounts and an additional 5.5 million DNA Relatives profiles and 1.4 million Family Tree profiles exposed through interconnected features. The attack exploited password reuse and the lack of rate limiting in 23andMe's login API. The threat actor, alias 'Golem,' used automated tools to test stolen credentials from previous breaches. The incident resulted in a £2.31 million regulatory fine from the UK's Information Commissioner's Office in 2025.",
  "impact": {
    "brand_reputation_impact": "Severe (Regulatory Fine, Loss of Trust)",
    "customer_complaints": "High (6.9 million users affected)",
    "data_compromised": [
      "Personal Details",
      "Genetic Information (DNA Relatives)",
      "Family Tree Data"
    ],
    "identity_theft_risk": "High (Personal and Genetic Data Exposed)",
    "legal_liabilities": ["£2.31 million fine by UK ICO (2025)"],
    "systems_affected": [
      "User Accounts",
      "DNA Relatives Feature",
      "Family Tree Feature"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Yes (Genetic and Personal Data)",
    "entry_point": "Login API (Exploiting Lack of Rate Limiting)",
    "high_value_targets": ["DNA Relatives Feature", "Family Tree Feature"]
  },
  "investigation_status": "Closed (Regulatory Action Taken)",
  "lessons_learned": [
    "Password reuse enables large-scale credential stuffing attacks.",
    "Lack of rate limiting in APIs exacerbates automated attack risks.",
    "Interconnected features (e.g., DNA Relatives) can amplify breach impact.",
    "Weak authentication mechanisms leave systems vulnerable to account takeovers.",
    "Proactive monitoring for dark web credential leaks is critical."
  ],
  "motivation": ["Identity Theft", "Fraud", "Data Exfiltration for Dark Web Sale"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implementation of MFA for all accounts (recommended).",
      "Add rate limiting and CAPTCHA to login endpoints.",
      "Enhanced monitoring for credential stuffing indicators (e.g., failed login spikes).",
      "User education campaigns on password hygiene and credential reuse risks.",
      "Isolation of sensitive features behind additional authentication layers."
    ],
    "root_causes": [
      "Password reuse by users across multiple platforms.",
      "Absence of rate limiting in the login API, allowing unlimited automated attempts.",
      "Weak authentication mechanisms (no MFA or advanced bot detection).",
      "Interconnected data-sharing features (DNA Relatives/Family Tree) amplifying exposure."
    ]
  },
  "recommendations": [
    "Implement Multi-Factor Authentication (MFA) for all user accounts.",
    "Enforce rate limiting and CAPTCHA on login APIs to prevent automated attacks.",
    "Encourage or mandate the use of password managers to eliminate password reuse.",
    "Monitor for unusual login activity (e.g., spikes in failed attempts, geographic anomalies).",
    "Conduct regular security audits, especially for APIs and authentication systems.",
    "Educate users on password hygiene and the risks of credential reuse.",
    "Deploy bot protection tools (e.g., behavioral analytics, Web Application Firewalls).",
    "Isolate sensitive features (e.g., genetic data sharing) with additional authentication layers.",
    "Proactively scan dark web forums for leaked credentials tied to your organization."
  ],
  "references": [
    {"source": "Passwork Article on 23andMe Breach", "url": "https://passwork.pro"},
    {"source": "UK ICO Fine Announcement (2025)"}
  ],
  "regulatory_compliance": {
    "fines_imposed": ["£2.31 million by UK ICO (2025)"],
    "regulations_violated": ["UK GDPR (General Data Protection Regulation)"],
    "regulatory_notifications": ["UK Information Commissioner's Office (ICO)"]
  },
  "threat_actor": {"alias": "Golem", "type": "Individual/Hacker"},
  "title": "23andMe Credential Stuffing Attack (2023)",
  "type": ["Credential Stuffing", "Account Takeover", "Data Breach"],
  "vulnerability_exploited": [
    "Password Reuse by Users",
    "Absence of Rate Limiting",
    "Weak Authentication Mechanisms"
  ]
}