23andMe Data Breach DNA Privacy Risks Still Unfolding

23andMe Data Breach: They Promised Privacy. They Kept Your DNA.

On October 6, 2023, genetic testing company 23andMe confirmed that hackers exposed the personal data of nearly 7 million users through a targeted credential-stuffing attack. The breach, now fueling a viral Senate hearing, returned to the spotlight in June 2025 when Senator Josh Hawley accused the company of misleading the public about its data deletion practices.

Although users closed their accounts, 23andMe admits it still retains genetic and personal data, sparking outrage, lawsuits, and renewed fears over the long-term risks of biometric exposure.

As one of the most well-known DNA testing platforms, 23andMe’s handling of user data is under scrutiny. Not just for the breach itself, but for what came after.

How Did the Breach Happen?

Credential Stuffing from Old Leaks

Hackers used login credentials leaked from unrelated websites to access 23andMe accounts. Once inside, attackers exploited the company’s DNA Relatives feature to scrape names, birth years, locations, ethnicities, and health traits—then offered the data for sale on the dark web.

Lack of Multifactor Authentication

Although MFA was available, it wasn’t mandatory; as a result, attackers could easily log in whenever they had a valid email and password combination.
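The login pattern described under "Credential Stuffing from Old Leaks" and "Lack of Multifactor Authentication" can be looked for in authentication logs. The Python below is an added example, not code from 23andMe or from the original article; the event format, thresholds, IP addresses and account names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, account, password_ok, mfa_passed).
# mfa_passed is None when the account has no MFA enrolled.
EVENTS = [
    ("203.0.113.7", "alice@example.com", False, None),
    ("203.0.113.7", "bob@example.com", False, None),
    ("203.0.113.7", "carol@example.com", True, None),    # reused password, no MFA
    ("203.0.113.7", "dave@example.com", True, False),    # password valid, MFA blocked it
    ("203.0.113.7", "erin@example.com", False, None),
    ("203.0.113.7", "frank@example.com", False, None),
    ("198.51.100.4", "grace@example.com", False, None),  # ordinary user mistyping
    ("198.51.100.4", "grace@example.com", True, True),
]

def stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """Source IPs that tried many distinct accounts and mostly failed."""
    accounts, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, account, password_ok, _ in events:
        accounts[ip].add(account)
        total[ip] += 1
        ok[ip] += password_ok
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts
            and ok[ip] / total[ip] <= max_success_ratio}

def triage(events, sources):
    """Split accounts whose password worked from a flagged source."""
    compromised, password_exposed = set(), set()
    for ip, account, password_ok, mfa_passed in events:
        if ip not in sources or not password_ok:
            continue
        if mfa_passed is False:
            password_exposed.add(account)   # MFA stopped the session; force a reset
        else:
            compromised.add(account)        # no MFA enrolled, or MFA passed: session opened
    return compromised, password_exposed

if __name__ == "__main__":
    flagged = stuffing_sources(EVENTS)
    print(flagged, triage(EVENTS, flagged))
```

The second function separates accounts that need incident handling from accounts that only need a password reset, which is the difference mandatory MFA makes in this scenario.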

DNA Profiles Were Linked and Mapped

By accessing one account, hackers could view genetic connections between users, creating complex maps of ancestry, family trees, and ethnic profiles, raising concerns of racial profiling and identity-based targeting.

What Type of Information Was Exposed?

  • Full names and profile data
  • Genetic ancestry breakdowns
  • Health-related genetic traits
  • Family relationships and DNA relatives
  • User-generated content and photos (in some cases)

For threat actors, this was a biometric jackpot. Unlike passwords, DNA is permanent.

Why It Still Matters Today

Biometric Data Is Irreversible

Once exposed, your genetic information can’t be changed or recalled. At the same time, cybersecurity experts in 2025 continue to track data dumps containing 23andMe records across underground forums and identity marketplaces.

Targeted Discrimination and Surveillance

DNA data can reveal sensitive information tied to ethnicity, health risks, and familial connections. Analysts warn that scammers could use this data for custom phishing scams, genetic profiling, or conducting unauthorized medical research.

Congress Is Now Involved

At a 2025 Senate hearing, Sen. Josh Hawley accused 23andMe of profiting from users’ data while pretending they had control. He cited the company’s privacy policy, which states that it retains user data even after account deletion.

How to Protect Yourself From Long-Term Breach Risks

Enable Strong Account Protections

Use unique passwords for every account and turn on multi-factor authentication. Consider removing any linked family data if still active.

Monitor Genetic and Identity Usage

Use services like Google Alerts to track your name or unique identifiers online. Consider DNA report monitoring services now offered by identity protection companies.

Revoke Third-Party Access

Log in to your account (if still active) and review any sharing permissions. Opt out of research programs, public DNA features, and third-party data agreements.

Conclusion

The 23andMe breach isn’t just about exposed accounts. It’s about the permanence of biometric data. Even years later, third parties can still resell, repurpose, and abuse the leaked DNA profiles in ways users never imagined.

As privacy rights and biometric regulation lag behind, one thing is clear: cybersecurity in the genomics age isn’t optional.


By Sam Kirkpatrick, an Information Communication Technology student at the University of Kentucky and intern at Cyber News Live.
