Week 8 – Cybersecurity

October 14, 2025
stickle-94109

23andMe Data Breach

Find one concrete example of “bad behavior” in the online space. Who was involved, and what was the outcome? Was there financial loss or damage to someone’s reputation? Were the criminals held accountable? What practical lessons can we learn as a result of this example?

 

What happened?

In late 2023, a data breach affected approximately half of 23andMe’s customer base, compromising the data of 6.9 million of the 14 million customers the company had at the time. The attacker used a brute force attack known as credential stuffing. This method takes logins exposed in other data breaches and tries them against services other than the ones that were leaked.

This method was made possible by the lack of 2FA and other such security measures, which the company did not have in place. Adding fuel to the fire were customers who reused the same password over and over on important websites and services, which allowed the attacker to reuse their passwords and log in to 23andMe.

The attacker is unknown; all we know is that they tried to sell the data on a dark web cybercriminal forum. They went by the alias “golem” on this forum and marketed the information as “Ashkenazi Jewish lists.” They also claimed that the information was safer in their hands than in the hands of 23andMe.

 

What was the outcome?

Millions of customers had their data leaked, which led to one class-action lawsuit after another. The United States, the United Kingdom, and Canada, along with many others, have investigated the situation. These governments have released reports that made the public’s trust in the company disappear, along with the money that trust provided.

With the mounting pressure of lawsuits and the loss of trust, the company has, as of 2025, filed for bankruptcy. It has been sold to a non-profit run by one of 23andMe’s co-founders, and the funds from the sale were used to settle 50 million dollars of class-action lawsuits.

 

What can we learn from this?

The personal information leaked in this attack was exposed only because of password reuse, along with the lack of 2FA and other security measures that 23andMe and its customers should have used. These measures would have reduced the leak or prevented it entirely.

With the use of 2FA, the attacker wouldn’t have been able to reuse passwords from other data breaches to log in to 23andMe. And if the customers had changed their passwords, that also would have blocked the hacker from accessing the accounts. Strong passwords would also have helped, seeing as the hacker used brute force along with leaked logins.

 

Sources:

(Mar 2025)
risk-strategies.com/blog/understanding-the-23andme-data-breach-and-ensuring-cybersecurity

(2025)
researchgate.net/publication/388791534_The_23andMe_Data_Breach_Analyzing_Credential_Stuffing_Attacks_Security_Vulnerabilities_and_Mitigation_Strategies

(Jun 2025)
npr.org/2025/06/30/nx-s1-5451398/23andme-sale-approved-dna-data

 
