23andMe: 6.9 Million DNA Profiles Scraped via Credential Stuffing

Attackers used 14,000 compromised credentials from other breaches to log into 23andMe accounts, then exploited the DNA Relatives feature to scrape genetic data from 6.9 million additional profiles without any additional hacking.

23andMe · 2023 · 2 min read

Attack Chain

  1. Credential stuffing
  2. Valid logins identified
  3. DNA relative data accessed via API
  4. 6.9M profiles scraped
  5. Data listed for sale

Background

23andMe stores genetic testing data for over 14 million customers. Its "DNA Relatives" feature connects users with genetic matches, displaying shared ancestry data. This feature became the attack's force multiplier.

The Attack

Attackers ran credential stuffing attacks — trying username/password pairs from previously breached databases — and successfully accessed approximately 14,000 23andMe accounts whose users had reused passwords from other compromised services. Each compromised account had opted into DNA Relatives. By scraping all the relatives visible to each compromised account, attackers harvested profile data for 6.9 million users who had never had their passwords compromised. The attacker published a specific dataset of profiles targeting Ashkenazi Jewish and Chinese ancestry groups on dark web forums.
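Both stages of the attack described above leave a signature in ordinary server logs: the login endpoint sees one source replaying many different usernames with a high failure rate, and the relatives API sees a single logged-in account enumerating far more profiles than a person browsing matches would. The following detection logic is an added example and not 23andMe's code; the log fields, the constructed log lines and the thresholds are assumptions chosen for illustration.

```python
"""Detection rules for the two signals in this incident, run over constructed
log lines: password-list replay against the login endpoint, and a logged-in
account pulling far more relative profiles than a person browsing would.
Added example, not 23andMe's code; log fields and thresholds are assumptions."""
from collections import defaultdict

# Constructed authentication log: (timestamp, source IP, username, outcome).
# 203.0.113.7 replays ten different usernames in ten seconds and gets two hits;
# 198.51.100.9 is one real user who mistyped a password once.
AUTH_LOG = [
    ("2023-10-01T00:00:01", "203.0.113.7", "alice", "fail"),
    ("2023-10-01T00:00:02", "203.0.113.7", "bob", "fail"),
    ("2023-10-01T00:00:03", "203.0.113.7", "carol", "success"),
    ("2023-10-01T00:00:04", "203.0.113.7", "dave", "fail"),
    ("2023-10-01T00:00:05", "203.0.113.7", "erin", "fail"),
    ("2023-10-01T00:00:06", "203.0.113.7", "frank", "fail"),
    ("2023-10-01T00:00:07", "203.0.113.7", "grace", "success"),
    ("2023-10-01T00:00:08", "203.0.113.7", "heidi", "fail"),
    ("2023-10-01T00:00:09", "203.0.113.7", "ivan", "fail"),
    ("2023-10-01T00:00:10", "203.0.113.7", "judy", "fail"),
    ("2023-10-01T00:05:00", "198.51.100.9", "carol", "fail"),
    ("2023-10-01T00:05:20", "198.51.100.9", "carol", "success"),
]

# Constructed relatives-API log: (timestamp, account, relative profile id).
# The stuffed account "carol" enumerates 300 distinct relatives inside one
# hour; "oscar" is a legitimate user who looks at 12 matches.
RELATIVES_LOG = (
    [("2023-10-01T00:10:%02d" % (i % 60), "carol", "profile-%d" % i) for i in range(300)]
    + [("2023-10-01T01:00:%02d" % i, "oscar", "profile-%d" % i) for i in range(12)]
)


def detect_credential_stuffing(log, min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many *different* usernames with a high failure
    ratio: the signature of a password list replayed from another breach.
    Returns {ip: {"distinct_users", "attempts", "fail_ratio", "successes"}};
    "successes" is the list of accounts to force-reset and notify."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "successes": []})
    for _ts, ip, user, outcome in log:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if outcome == "fail":
            s["fails"] += 1
        else:
            s["successes"].append(user)
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "fail_ratio": round(ratio, 2), "successes": s["successes"]}
    return flagged


def detect_relative_scraping(log, max_profiles_per_hour=50):
    """Flag accounts that fetch more distinct relative profiles in one clock
    hour than a person browsing matches plausibly would. Returns
    {account: largest hourly distinct-profile count} for offending accounts."""
    seen = defaultdict(set)  # (account, hour bucket) -> distinct profile ids
    for ts, account, profile in log:
        seen[(account, ts[:13])].add(profile)
    flagged = {}
    for (account, _hour), profiles in seen.items():
        if len(profiles) > max_profiles_per_hour:
            flagged[account] = max(flagged.get(account, 0), len(profiles))
    return flagged


if __name__ == "__main__":
    print("credential stuffing sources:", detect_credential_stuffing(AUTH_LOG))
    print("relative scraping accounts:", detect_relative_scraping(RELATIVES_LOG))
```

The per-IP rule is the cheap first filter; a campaign spread over many proxy addresses stays under it, so the same counters are usually also kept per username and for the site as a whole (a jump in global failed-login rate), and the relatives-fetch counter is the one that catches an account whose password was valid. Both rules work on the fields an ordinary access log already carries, which is the point: none of this needed new instrumentation.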

Response

23andMe forced a password reset for all users and mandated two-factor authentication. The company faced class actions and regulatory investigations in multiple countries. CEO Anne Wojcicki controversially suggested victims were partially responsible for reusing passwords. 23andMe filed for bankruptcy in 2025.

Outcome

The breach demonstrated the unique dangers of genetic data: unlike passwords or credit cards, DNA cannot be changed. The selective targeting of ethnic groups raised the spectre of DNA data being used for discriminatory or surveillance purposes.

Key Takeaways

  1. Genetic and biometric data is irreplaceable — it requires the highest tier of protection and access control
  2. Password reuse across services creates credential stuffing risk — enforce unique passwords and 2FA
  3. Social graph features (DNA Relatives, Friend Lists) multiply the blast radius of any account compromise
  4. Mandatory MFA should be default, not optional, for accounts storing sensitive personal data
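Takeaways 3 and 4 can be put into numbers: the page's figures imply roughly 490 additional profiles per compromised account (6.9 million over about 14,000), and mandatory MFA shrinks that total by removing accounts from the compromised set before the multiplier applies. The model below is an added example, not 23andMe's code or data; the relatives graph is a constructed ring lattice and the opt-in and MFA sets are assumptions picked so the arithmetic is exact.

```python
"""Blast-radius model for a social-graph feature such as DNA Relatives.
Added example, not 23andMe's code: the graph is a constructed ring lattice
and the opt-in and MFA sets are assumptions. It answers the question behind
the takeaways: how many profiles does one stuffed password expose, and what
does MFA change?"""


def ring_lattice(n, k):
    """Constructed relatives graph: user i is linked to the k users on each
    side of it, so every account sees exactly 2k relatives."""
    return {i: {(i + d) % n for d in range(-k, k + 1) if d != 0} for i in range(n)}


def blast_radius(adj, compromised, opted_in=None):
    """Profiles readable through the relatives view of the compromised
    accounts. If opted_in is given, an account that never joined the feature
    exposes nothing, and only opted-in relatives are listed to it."""
    compromised = set(compromised)
    exposed = set()
    for acct in compromised:
        if opted_in is not None and acct not in opted_in:
            continue
        relatives = adj.get(acct, set())
        if opted_in is not None:
            relatives = relatives & opted_in
        exposed |= relatives
    return exposed - compromised  # "additional" profiles, as the page counts them


def exposure_with_mfa(adj, stuffed, mfa_enabled, opted_in=None):
    """A valid password is not a login on an MFA-protected account, so those
    accounts leave the compromised set before the blast radius is computed."""
    return blast_radius(adj, [a for a in stuffed if a not in mfa_enabled], opted_in)


def report(adj, stuffed, mfa_enabled=frozenset(), opted_in=None):
    """Summary a threat model would record: accounts that actually fell,
    profiles they expose, and the per-account multiplier."""
    fell = [a for a in stuffed if a not in mfa_enabled]
    exposed = exposure_with_mfa(adj, stuffed, mfa_enabled, opted_in)
    return {"accounts_compromised": len(fell), "profiles_exposed": len(exposed),
            "multiplier": len(exposed) / len(fell) if fell else 0.0}


if __name__ == "__main__":
    graph = ring_lattice(1000, 20)   # 1,000 users, 40 relatives each (constructed)
    stuffed = range(0, 1000, 100)    # 10 accounts whose passwords leaked elsewhere
    print("no controls:  ", report(graph, stuffed))
    print("half on MFA:  ", report(graph, stuffed, mfa_enabled={0, 100, 200, 300, 400}))
    print("2/3 opted in: ", report(graph, stuffed, opted_in={u for u in range(1000) if u % 3}))
```

In the constructed graph ten stuffed accounts expose 400 profiles, a 40x multiplier that depends only on how many relatives each account is shown; MFA on half of them halves the total, and a feature that shows relatives only to accounts that opted in cuts it further on both sides of the edge. The lesson for design is the one in takeaway 3: the exposure of a social-graph feature is governed by the fan-out per account, so that fan-out, not just the login, is what access control has to bound.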
credential stuffing · DNA data · password reuse · social graph scraping · biometric data