23andMe data breach: Genetic information and privacy law challenges

In 2023, personal genetics company 23andMe was hit by a major data breach that exposed the private information of nearly 7 million users. What made this breach especially serious was that the stolen data included things like ancestry, family history, and even DNA details. 

This kind of sensitive information brings up big questions about privacy, data protection, and what companies are required to do to keep people’s information safe — issues that often involve a data breach lawyer.

What happened in the 23andMe data breach?

The breach came to light in October 2023, when samples of stolen data appeared on BreachForums, a black-hat hacking site. A hacker known as “Golem” claimed responsibility and advertised the data in targeted ethnic lists, one focusing on Ashkenazi Jewish users, and another on people of Chinese descent. 

23andMe confirmed that the breach affected approximately 6.9 million users, or about half of its total customer base at the time. The attackers did not break into the company’s IT systems directly. Instead, they used a technique called credential stuffing: taking usernames and passwords leaked in earlier, unrelated breaches and replaying them against the 23andMe login page to take over the accounts of customers who had reused those passwords. Because many users had opted in to the DNA Relatives feature, which shows a logged-in user information about their genetic matches, each compromised account exposed not only its owner’s data but also the profile data of its matches, which could then be scraped at scale.
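The credential-stuffing pattern described above has a recognisable signature in authentication logs: a single source address trying many different accounts once each, with a high failure rate, and the occasional success marking an account that was taken over. The following Python is an added example written for this article, not 23andMe’s code; the log format, the thresholds and the sample log lines are all constructed for illustration. It flags source addresses that fit the pattern and lists the accounts that logged in successfully from them, which are the accounts a defender would force through a password reset and two-factor enrollment.

```python
"""Detect credential-stuffing patterns in an authentication log.

Added example, not 23andMe's code. The log format (timestamp, source IP,
account, outcome) and the thresholds below are assumptions for
illustration; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries eight different accounts in a
# few seconds with two successes (a stuffing run); 198.51.100.2 is a normal
# user mistyping a password once; the 11:30 line is outside the window.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com SUCCESS
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com SUCCESS
2023-10-01T10:00:07Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.2 ivan@example.com FAIL
2023-10-01T10:05:30Z 198.51.100.2 ivan@example.com SUCCESS
2023-10-01T11:30:00Z 203.0.113.7 judy@example.com FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account,
            outcome == "SUCCESS")


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_success_rate=0.5):
    """Return {ip: [accounts that logged in successfully from ip]} for every
    source IP that, within any sliding window of `window`, attempted at
    least `min_accounts` distinct accounts with a success rate at or below
    `max_success_rate`. Thresholds are illustrative assumptions."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            events[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {acct for _, acct, _ in win}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in win if ok)
            if successes / len(win) <= max_success_rate:
                # Successful logins inside a stuffing window are the
                # accounts most likely taken over with a reused password.
                flagged.setdefault(ip, set()).update(
                    acct for _, acct, ok in win if ok)
    return {ip: sorted(accts) for ip, accts in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: likely stuffing source; reset + enforce 2FA for {accounts}")
```

The check deliberately keys on distinct accounts per source rather than on failures per account, because a stuffing run touches each account only once and so never trips a per-account lockout; in production the same logic would also group by ASN or by device fingerprint, since real campaigns spread attempts across many addresses.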

The information exposed in the 23andMe data breach

The exposed data varied by user but could include:

  • Full name and profile photo
  • Birth year and location
  • Ethnicity estimates
  • Haplogroup data (mitochondrial and Y-chromosome)
  • Grandparents’ birthplaces
  • External family tree links
  • Personal notes from the user’s profile

This type of personal information is more detailed and potentially sensitive than typical login credentials. In the wrong hands, it could be used not just for identity theft but for profiling or discrimination.

Legal action and regulatory response

In response to the breach, multiple class action lawsuits were filed. One complaint in California accused 23andMe of negligence, breach of implied contract, invasion of privacy, and unjust enrichment. Another suit filed in January 2024 focused on the sale of “curated ethnic lists” on the dark web, alleging that the company failed to inform affected users, especially those of Chinese or Ashkenazi Jewish descent, that their data was being used in this way.

In September 2024, 23andMe agreed to settle the lawsuit for $30 million.

The breach also drew attention from government authorities. The attorney general of Connecticut launched an inquiry and alleged that the breach led to the sale of at least one million profiles on the black market. A joint investigation by Canada’s Privacy Commissioner and the UK’s Information Commissioner’s Office concluded that 23andMe had failed to implement adequate safeguards and had ignored warning signs. As a result, the company was fined £2.31 million by the UK’s ICO.

23andMe’s response and evolving policies

Following the breach, 23andMe temporarily disabled access to several features of its DNA Relatives tool, including the chromosome browser and shared matches. The ability to download raw DNA data was also suspended.

In December 2023, the company updated its terms of service to include a class-action waiver, which requires customers to opt out within 30 days if they wish to retain their right to participate in lawsuits. This move was widely criticized because it appeared to place blame on customers for not changing their passwords.

In the months following the breach, 23andMe, along with other major DNA testing companies like Ancestry.com and MyHeritage, began requiring two-factor authentication as a new security standard.

Why genetic data breaches raise unique legal concerns

Unlike most forms of personal data, genetic information is permanent. You can change a password, but not your DNA. That makes it especially important to handle this kind of data carefully. How it’s collected, stored, or shared can affect not just one person, but their entire family or community.

This breach shows how important it is for companies to take responsibility when handling genetic or biometric data. As more people use at-home DNA testing services, the legal system is being pushed to keep up. Big questions, like who has access to your data, how it’s shared, and whether you gave real consent, are becoming harder to ignore.

Concerned about data breaches? Contact Mason LLP.

If you believe your personal or genetic information has been accessed, stored, or shared without your consent, you may have legal options. Mason LLP has decades of experience handling complex data privacy cases and has recovered more than $1 billion for our clients. We offer free consultations, so contact us online or call us at (202) 429-2290 to speak with our team and get the support you deserve.
