23andMe

23andMe suffered a significant data breach in 2023 due to inadequate security measures, leading to the compromise of nearly 7 million users' data. The breach was carried out through credential stuffing: around 14,000 accounts were directly affected, and sensitive personal information, family histories and health conditions of thousands of people in the UK were exposed. The UK's data watchdog fined the company £2.31 million for security failings, including the absence of mandatory MFA and insecure password requirements. The exposed data included names, birth years, location, profile images, race, ethnicity, family trees and health reports of affected users.

Source: https://www.theregister.com/2025/06/17/23andme_ico_fine/

TPRM report: https://scoringcyber.rankiteo.com/company/23andme

"id": "23a603061725",
"linkid": "23andme",
"type": "Breach",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '6.9 million',
                        'industry': 'Healthcare',
                        'location': 'Global',
                        'name': '23andMe',
                        'type': 'Genetics Company'}],
 'attack_vector': 'Credential Stuffing',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '6.9 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Names, birth years, '
                                             'self-reported city or '
                                             'postcode-level location, profile '
                                             'images, race, ethnicity, family '
                                             'trees, and health reports'},
 'date_detected': 'April 2023',
 'date_publicly_disclosed': 'October 2023',
 'date_resolved': 'End of 2024',
 'description': '23andMe experienced a data breach in 2023 where attackers '
                'used credential-stuffing techniques to access and compromise '
                "nearly 7 million users' data.",
 'impact': {'data_compromised': 'Personal data of around 6.9 million people',
            'financial_loss': 'Fined £2.31 million ($3.13 million)',
            'legal_liabilities': 'Fined £2.31 million ($3.13 million)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
                           'entry_point': 'Credential Stuffing',
                           'reconnaissance_period': 'April 2023 to September '
                                                    '2023'},
 'investigation_status': 'Resolved',
 'motivation': 'Data Theft',
 'post_incident_analysis': {'corrective_actions': 'Improved account security '
                                                  'by the end of 2024',
                            'root_causes': 'Unsatisfactory authentication '
                                           'measures, lack of mandatory MFA, '
                                           'unsecure password requirements, no '
                                           'measures to prevent accessing and '
                                           'downloading raw genetic data, '
                                           'inadequate monitoring, detecting, '
                                           'or responding to security threats'},
 'references': [{'source': 'The Register'}],
 'regulatory_compliance': {'fines_imposed': '£2.31 million ($3.13 million)',
                           'legal_actions': 'Fined £2.31 million ($3.13 '
                                            'million)',
                           'regulations_violated': 'UK GDPR'},
 'response': {'remediation_measures': 'Improved account security by the end of '
                                      '2024'},
 'title': '23andMe Data Breach 2023',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unsatisfactory authentication measures, lack of '
                            'mandatory MFA, unsecure password requirements, no '
                            'measures to prevent accessing and downloading raw '
                            'genetic data, inadequate monitoring, detecting, '
                            'or responding to security threats'}