23andMe data breach: What happened and how to protect your data
In late 2023, the consumer genetic testing company 23andMe confirmed that attackers had accessed thousands of customer accounts using login credentials stolen from other services. Roughly 14,000 accounts (about 0.1% of its customer base) were directly compromised, but the platform’s relative-matching and profile-sharing features let the attackers scrape data linked to millions of other users.
The event sparked concerns about how genetic data is stored, protected, and shared online. Unlike a typical password leak, a genetic data breach can affect more than just one account holder; DNA data can reveal information about family relationships, ancestry connections, and inherited traits.
In this guide, we explain the 23andMe data breach: how the attack worked, who was affected, and what the risks are. We also cover how to delete your 23andMe data and protect your accounts and personal information moving forward.
Note: This article is for informational purposes only and does not constitute legal, medical, or genetic counseling advice. Genetic privacy, data breach rights, and settlement eligibility can vary depending on individual circumstances and jurisdiction. Readers should refer to official sources and seek professional advice where appropriate.
What happened in the 23andMe data breach?
The 23andMe data breach did not involve exploiting a vulnerability in the company's systems. Attackers logged in to customer accounts with usernames and passwords leaked in unrelated breaches of other services, a technique known as credential stuffing.
At the time, multi-factor authentication (MFA) was optional on 23andMe, and fewer than 22% of its customers had opted into any form of enhanced login security. The vast majority of accounts were therefore protected by a password alone, so any customer who had reused that password elsewhere was exposed.
Once inside an account, the attackers scraped everything that account could see through 23andMe’s DNA Relatives feature, which lets users view the profiles of their genetic matches. Each compromised account therefore exposed the profile data of hundreds or thousands of relatives who had never been compromised themselves, which is why the breach reached far more people than the accounts initially accessed.
Timeline of the 23andMe breach
The attack began on April 29, 2023, and continued for approximately five months before it was fully identified. Here’s how it unfolded:
- April 2023: The credential stuffing attack began, with the first intense period of activity in May 2023.
- July 2023: 23andMe noticed around 400 attempted profile transfers but treated it as an isolated incident rather than recognizing it as part of a wider attack.
- August 2023: A message sent through 23andMe's customer portal, and later repeated on Reddit, claimed that data from over 10 million users had been stolen. 23andMe dismissed this as a hoax.
- September 2023: A second intense wave of credential stuffing activity occurred.
- October 2023: The stolen data was advertised for sale on Reddit. Only then did the company launch a full investigation and confirm that a breach had taken place.
- December 2023: 23andMe disclosed in a filing with the U.S. Securities and Exchange Commission (SEC) that attackers had directly accessed 0.1% of user accounts (approximately 14,000); the company later said the incident involved approximately 5.5 million DNA Relatives profiles and 1.4 million Family Tree profiles.
The attack lasted five months in part because 23andMe's systems did not treat the sustained, large-scale automated login activity as suspicious: many different accounts being tried from many sources, with a very low success rate, is the signature of credential stuffing rather than of ordinary users mistyping their passwords.
After the breach became public, 23andMe introduced additional security measures, including forced password resets and requiring multi-factor authentication (MFA) for all users.
What data was exposed?
For accounts directly accessed through credential stuffing, attackers were potentially able to download or access:
- Display names, profile photos, birth years, and self-reported location, such as city or postal code/ZIP code.
- Raw genotype data.
- Health predisposition reports.
- Carrier status reports.
- Wellness reports.
- Self-reported health condition information.
For users whose data was scraped through the DNA Relatives feature and those whose Family Tree profile data was accessed, the exposed information could include:
- Ancestry composition and ethnicity estimates.
- Predicted relationships with genetic matches, including the percentage of DNA shared.
- Names, birth years, and profile photos.
- Self-reported locations (city or postcode).
The stolen data was later shared on cybercrime forums, with some datasets organized by ethnicity.
How the credential stuffing attack worked
Credential stuffing is a common password attack that leverages large collections of leaked or sold username and password combinations from previous data breaches on other platforms.
The attack relies on the fact that people commonly reuse passwords across multiple accounts. For example, if someone reused the same password for a shopping site and their 23andMe account, a breach of the shopping site could indirectly expose their 23andMe account as well. Attackers automate the testing of these credentials against a target site's login page at scale, sometimes making millions of attempts within a short period.
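The two signals described above (an attacker walking a leaked credential list, and a site failing to notice a sustained low-success login wave) can both be pulled out of ordinary authentication logs. The following is an added example written for this article, not 23andMe's code or logs: it parses a constructed log format (`timestamp src=IP user=account result=ok|fail`, an assumption, so adapt the regex to your own logs) and reports single-source stuffing as well as the distributed, proxy-rotating variant that a per-IP threshold alone would miss.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

The log format and sample data below are constructed for illustration;
the thresholds are starting points, not tuned values.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(lines):
    """Return (timestamp, ip, user, success) tuples sorted by time; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return sorted(events)


def per_source_findings(events, window=timedelta(minutes=10), min_attempts=20,
                        min_distinct_ratio=0.8, max_success_rate=0.2):
    """Signal 1: one IP trying many *different* accounts in a short window, nearly all failing.
    A real user who mistypes a password retries one account; a stuffing tool walks a list."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):          # sliding window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seg = evs[start:end + 1]
            n = len(seg)
            distinct = len({u for _, u, _ in seg})
            successes = sum(1 for _, _, ok in seg if ok)
            if (n >= min_attempts and distinct / n >= min_distinct_ratio
                    and successes / n <= max_success_rate
                    and (best is None or n > best["attempts"])):
                best = {"attempts": n, "distinct_users": distinct, "successes": successes}
        if best:
            findings[ip] = best
    return findings


def distributed_finding(events, window=timedelta(hours=1), min_failed_accounts=50, min_sources=10):
    """Signal 2: site-wide, many distinct accounts failing from many sources inside one window.
    Catches attackers rotating through proxies so that no single IP ever looks busy."""
    fails = [(ts, ip, user) for ts, ip, user, ok in events if not ok]
    best, start = None, 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        seg = fails[start:end + 1]
        accounts = len({u for _, _, u in seg})
        sources = len({ip for _, ip, _ in seg})
        if (accounts >= min_failed_accounts and sources >= min_sources
                and (best is None or accounts > best["failed_accounts"])):
            best = {"window_start": seg[0][0].isoformat(),
                    "failed_accounts": accounts, "sources": sources}
    return best


def analyze(lines):
    """Run both detectors; the distributed check runs on traffic not already attributed to a noisy IP."""
    events = parse_log(lines)
    noisy = per_source_findings(events)
    quiet = distributed_finding([e for e in events if e[1] not in noisy])
    return {"single_source": noisy, "distributed": quiet}


def constructed_log():
    """Constructed sample log (not real 23andMe data): one legitimate user, one noisy
    stuffing tool, and one low-and-slow wave spread across 60 proxy addresses."""
    base = datetime(2023, 5, 3, 2, 0, tzinfo=timezone.utc)

    def line(ts, ip, user, result):
        return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} src={ip} user={user} result={result}"

    lines = [line(base, "203.0.113.5", "alice@example.com", "fail"),
             line(base + timedelta(seconds=20), "203.0.113.5", "alice@example.com", "ok")]
    for i in range(40):  # one IP, 40 leaked credential pairs in four minutes, 3 reused passwords hit
        lines.append(line(base + timedelta(seconds=6 * i), "198.51.100.7",
                          f"user{i}@example.com", "ok" if i in (7, 19, 33) else "fail"))
    for i in range(60):  # rotating proxies: one attempt each, spread over roughly 50 minutes
        lines.append(line(base + timedelta(minutes=5, seconds=48 * i), f"192.0.2.{i + 1}",
                          f"victim{i}@example.net", "fail"))
    lines.append("2023-05-03T02:30:00Z kernel: unrelated noise line")
    return lines


if __name__ == "__main__":
    print(json.dumps(analyze(constructed_log()), indent=2))
```

Running it on the constructed log attributes the noisy burst to a single address and still surfaces the distributed wave as 61 accounts failing from 61 sources in one hour, even though no proxy address makes more than one attempt. The practical point is the second detector: a per-IP rate limit alone is exactly what a proxy-rotating stuffing tool is built to slip under.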
Who was affected by the 23andMe data breach?
The breach affected users in three groups: the roughly 14,000 users whose accounts were directly accessed through credential stuffing, the 5.5 million users whose DNA Relatives profile data was scraped via those compromised accounts, and the 1.4 million users whose Family Tree profile information was accessed.
While the majority of those users were in the U.S., a joint investigation by the Canadian Office of the Privacy Commissioner and the UK's Information Commissioner's Office (ICO) confirmed that almost 320,000 people in Canada and 155,600 people in the U.K. had their data exposed.
23andMe notified affected users after confirming which accounts had been accessed during the breach. If you received a direct notice from 23andMe saying your personal information was compromised, your information was included in the incident.
Should you delete your 23andMe data?
If you’re thinking about deleting your 23andMe data, it’s worth understanding what this choice involves and what the risks of keeping your account active are.
Privacy risks of keeping DNA data online
The data held in a 23andMe account is unlike most other types of personal information. A breached password can be reset. A compromised credit card can be canceled. Genetic data, on the other hand, can't be changed, and once it's exposed, this can’t be reversed.
Even when companies use encryption and security controls, large quantities of biometric and genetic information create an attractive target for cybercriminals. A future breach, insider misuse, unauthorized data sharing, or policy change could expose information that users expected to remain private.
Some users are also concerned about how genetic information could be used in the future, including:
- Research partnerships
- Targeted advertising or profiling
- Law enforcement requests
- Insurance or employment discrimination
Companies like 23andMe typically require user consent for many forms of data sharing and research participation. However, privacy policies and ownership structures can change over time, which is why some users prefer to reduce their long-term exposure by deleting stored genetic data altogether.
Potential identity theft and fraud risks
DNA data alone isn’t enough for someone to open financial accounts or directly steal an identity. However, exposed genetic and profile information can contribute to broader privacy and fraud risks when combined with data from other breaches.
For example, attackers may combine stolen names, birth years, family relationships, email addresses, and location details with information from unrelated data leaks to build detailed identity profiles. These profiles could then be used in scams.
Additionally, genetic information could become more valuable to attackers over time as biotechnology, AI, and data analytics evolve.
What happens if you keep your account active?
If you keep your 23andMe account active, you’ll continue to have access to your reports, DNA matches, ancestry tools, and other account features. You may also continue receiving updated reports or new matching information over time.
However, keeping your account active also means your genetic and personal data stays on the platform, where it continues to be subject to the company’s security practices and any future changes in ownership or policy. It also means that any research consent you've given remains in place, unless you actively revoke it.
How to delete your 23andMe data
If you decide you no longer want your genetic information stored by 23andMe, you can request account deletion through the company’s account settings.
Closing your account removes your identified personal information and genetic data from the platform. However, as noted in 23andMe's privacy policy, the company's contracted genotyping laboratory is legally required to retain certain information, including your genetic information, date of birth, and sex, to comply with federal regulations under the Clinical Laboratory Improvement Amendments (CLIA) of 1988 and California laboratory regulations.
Additionally, if you previously consented to 23andMe's research program, any data already used in completed or published studies can’t be withdrawn, though it won't be used in future research once you've revoked consent.
How to download your genetic reports
Before deleting your account, you may want to save copies of your genetic reports, ancestry information, or raw DNA data. Once your account is deleted, the action is permanent, and access can’t be restored.
To download your raw genetic data:
- Go to you.23andme.com/tools/data/.
- Click on your profile name in the top-right corner and select Resources from the dropdown menu.
- Scroll to the 23andMe Data section at the bottom of the page and click View.
- Select Browse Raw Genotyping Data.
- Click Download and follow the prompts to submit your request.
- 23andMe will send a confirmation email with a download link. Processing usually takes about a week but can take up to a month.
- Once you receive the email, follow the link and save the file to a secure location on your device.
Your raw genetic data will be downloaded as a .zip file containing a text file. Store it on a local device rather than a cloud service if you want to keep it off external servers, and keep that copy encrypted (for example, inside an encrypted disk image or password-protected archive), since an unencrypted file on a laptop is only as safe as the laptop. Additional account information and reports may be accessed separately within your account settings.
You can also print or save individual health and ancestry reports directly from your account before proceeding to deletion.
Step-by-step account deletion process
Once you've saved anything you want to keep, follow these steps to permanently delete your account and data:
- Log into your account at 23andme.com.
- Click your profile name in the top right corner and select Settings.
- Scroll to the 23andMe Data section at the bottom of the page and click View.
- Scroll down to the Delete Data section.
- Click Permanently Delete Data.
You'll receive an email from 23andMe. Open it and follow the confirmation link. The deletion request won’t be processed until you confirm via email.
Once confirmed, the process begins immediately and can’t be canceled or reversed. You'll lose access to your account as soon as the request is confirmed. Deleting your account will also cause any stored samples to be discarded.
How to protect yourself after the 23andMe breach
Even if your information was exposed during the breach, there are steps you can take to reduce future risks. The most important actions focus on securing your accounts, monitoring for suspicious activity, and staying alert to scams that may use exposed personal information.
Because data from multiple breaches is often combined and reused over time, it’s a good idea to strengthen your overall online security habits rather than focusing on a single account.
Change passwords and enable MFA
If you used the same password for 23andMe as for any other account, such as email, banking, or social media, change those passwords. Each account should have a long, unique password not based on personal information such as a name, birth year, or location (all of which were exposed in this breach).
A password manager like ExpressKeys is a practical way to handle this at scale. It generates strong passwords for each account and stores them securely, so there's no need to remember or reuse them.
Alongside updating passwords, enable MFA on any account where it's available, particularly email, financial services, and health-related platforms. With it enabled, a leaked or reused password is no longer enough on its own: an attacker still can't access the account without the additional factor. Authenticator apps and hardware security keys are stronger choices than SMS codes, which can be intercepted through SIM-swapping.
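To make concrete why optional MFA left accounts exposed and why mandatory MFA closes the door on credential stuffing, here is an added example (not 23andMe's login code) of a minimal login check that requires both a password and a time-based one-time code (TOTP, RFC 6238) implemented with the Python standard library. The account store, usernames, password and the use of the RFC 6238 test-vector secret are assumptions for the example. Two details matter in practice and are built in: both factors are checked before any answer is given, so a stuffing tool cannot learn that a leaked password was correct from a "now enter your code" prompt, and a code that has already been used is rejected even inside the drift window.

```python
"""Password + TOTP login check (added example, not 23andMe's implementation)."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30 s steps."""
    return hotp(secret, now // step, digits)


class AccountStore:
    """Minimal account store: PBKDF2 password hashes plus a TOTP secret per user."""
    STEP = 30
    ROUNDS = 100_000

    def __init__(self):
        self._users = {}

    def enroll(self, user, password, totp_secret):
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ROUNDS),
            "secret": totp_secret,
            "last_counter": -1,  # highest counter already consumed (replay defence)
        }

    def _password_ok(self, rec, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], self.ROUNDS)
        return hmac.compare_digest(cand, rec["hash"])

    def _code_counter(self, rec, code, now, skew=1):
        """Accept the current step and one step either side for clock drift, but never
        a counter at or below the last one used. Returns the matched counter or None."""
        base = now // self.STEP
        for counter in range(base - skew, base + skew + 1):
            if counter > rec["last_counter"] and hmac.compare_digest(hotp(rec["secret"], counter), code):
                return counter
        return None

    def login(self, user, password, code, now):
        rec = self._users.get(user)
        if rec is None:
            # Burn a hash anyway so timing does not reveal whether the account exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, self.ROUNDS)
            return "denied"
        pw_ok = self._password_ok(rec, password)
        counter = self._code_counter(rec, code, now)
        # Evaluate BOTH factors before answering and return one uniform failure. A separate
        # "password accepted, enter your code" step would tell a credential-stuffing tool
        # exactly which leaked passwords still work on this site.
        if not (pw_ok and counter is not None):
            return "denied"
        rec["last_counter"] = counter
        return "ok"


def demo(now=59):
    """Constructed scenario: the attacker holds Alice's reused password but not her authenticator."""
    store = AccountStore()
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret; real enrolment uses secrets.token_bytes(20)
    store.enroll("alice@example.com", "correct horse battery staple", secret)
    code = totp(secret, now)          # what Alice's authenticator app shows at `now`
    return {
        "leaked_password_only": store.login("alice@example.com", "correct horse battery staple", "", now),
        "wrong_password_good_code": store.login("alice@example.com", "hunter2", code, now),
        "password_and_code": store.login("alice@example.com", "correct horse battery staple", code, now),
        "replayed_code": store.login("alice@example.com", "correct horse battery staple", code, now + 5),
        "unknown_user": store.login("nobody@example.com", "x", code, now),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

With the RFC 6238 test secret, the code at time 59 is 287082, and only the attempt that presents both the password and that code succeeds; the same password presented by a stuffing tool without the code is refused with the same answer a wrong password gets.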
Monitor credit and identity activity
While the 23andMe breach didn't directly expose financial data, the combination of names, birth years, locations, and health information that was exposed could be enough to support identity fraud. Monitoring your credit and financial accounts gives you early visibility if that information is being misused.
There are two main tools available for this:
- Fraud alert: Placing a fraud alert with any one of the three major U.S. credit bureaus instructs lenders to take extra steps to verify your identity before approving any new credit applications in your name.
- Credit freeze: A credit freeze is a stronger measure that restricts access to your credit report, preventing anyone (yourself included) from opening a new account in your name until you temporarily lift or remove the freeze.
There are other tools you can use as well. ExpressVPN’s Identity Defender, for example, is available to ExpressVPN Advanced and Pro users in the U.S., offering a range of identity monitoring tools, including ID Alerts, which continuously monitor the dark web for your personal info, and Credit Scanner, which helps you easily keep track of your credit score and activity.
Watch for phishing and scam attempts
Every data breach creates potential for targeted phishing. And since the stolen data in the 23andMe breach included names, ancestry composition, ethnicity estimates, health predisposition information, and family connections, a malicious actor may have more to work with than they would from a typical breach.
A few practical habits reduce the risk:
- Treat any unsolicited message claiming to be from 23andMe, a health service, or a genetics platform with caution, regardless of how personalized it appears. Verify by visiting the official website.
- Don't open attachments or follow links in emails you weren't expecting, even if the sender's name or email address looks familiar. Attackers can spoof display names.
- Be cautious of messages that create urgency. Requests to “verify your account,” “confirm your identity,” or “take immediate action” are common pressure tactics used in phishing.
- If a message references specific details about your ancestry, health, or family that you didn't share with the sender, treat it as suspicious and don't engage.
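The habits above can be turned into a mechanical first pass. The following is an added example for this article, not a 23andMe tool: it checks a message's sender and links against the tricks the list warns about (a display name that claims the brand while the address belongs elsewhere, the brand name buried inside an unrelated domain, links to raw IP addresses, userinfo hiding the real host, and punycode lookalike domains). The trusted domain list and the sample messages are constructed assumptions; the registrable-domain logic is deliberately simple and should use the Public Suffix List in real code.

```python
"""Triage suspicious sender addresses and links (added example, constructed samples)."""
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"23andme.com"}   # assumption: domains the real service sends from and links to
BRAND_TOKENS = ("23andme",)          # brand strings whose presence in a foreign host is suspicious


def registered_domain(host):
    """Last two labels of a hostname ('mail.23andme.com' -> '23andme.com').
    Simplistic on purpose: production code should consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted_host(host):
    return registered_domain(host) in TRUSTED_DOMAINS


def check_url(url):
    """Return reasons to distrust a link; an empty list means nothing obvious was found."""
    reasons = []
    p = urlparse(url)
    host = p.hostname or ""
    if p.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {p.scheme!r}")
    if not host:
        reasons.append("link has no hostname")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append(f"link points at a raw IP address {host}")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append(f"internationalised (punycode) hostname {host}: check for lookalike characters")
    if "@" in p.netloc:
        reasons.append("userinfo before the hostname hides the real destination")
    if not is_trusted_host(host):
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append(f"brand name inside untrusted host {host} (lookalike)")
        else:
            reasons.append(f"link host {host} is not a trusted domain")
    return reasons


def check_message(msg):
    """msg: {'from': From header value, 'links': [hrefs]} -> list of reasons to distrust it."""
    reasons = []
    display, addr = parseaddr(msg["from"])
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not sender_host:
        reasons.append("unparseable sender address")
    elif not is_trusted_host(sender_host):
        if any(tok in display.lower() for tok in BRAND_TOKENS):
            reasons.append(f"display name {display!r} claims the brand but the address is {addr}")
        else:
            reasons.append(f"sender domain {sender_host} is not trusted")
    for url in msg["links"]:
        reasons.extend(f"{url}: {r}" for r in check_url(url))
    return reasons


SAMPLE_MESSAGES = [  # constructed for this example; the second and third imitate common phishing shapes
    {"from": "23andMe <no-reply@23andme.com>",
     "links": ["https://www.23andme.com/"]},
    {"from": "23andMe Support <security@23andme-verify.example>",
     "links": ["https://23andme.com.account-check.example/login",
               "https://23andme.com@203.0.113.9/verify"]},
    {"from": "Account Team <alerts@example.net>",
     "links": ["https://xn--23andm-5va.example/reset"]},
]


def triage(messages=SAMPLE_MESSAGES):
    return [check_message(m) for m in messages]


if __name__ == "__main__":
    for msg, found in zip(SAMPLE_MESSAGES, triage()):
        print(msg["from"], "->", found or "no obvious problems")
```

On the constructed samples the genuine message passes clean, the second is flagged five ways (spoofed display name, a lookalike host that merely begins with the brand's domain, a raw IP destination, hidden userinfo and an untrusted host), and the third is flagged for its punycode host. An empty result is not proof a message is safe; it only means the cheap checks found nothing, which is why the article's advice to navigate to the site yourself still stands.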
23andMe lawsuits, settlement, and bankruptcy concerns
The 2023 breach led to class-action lawsuits, regulatory scrutiny, and wider concerns about how genetic data should be protected, transferred, and used. Many customers alleged that 23andMe failed to adequately protect sensitive personal and genetic information, especially given the long-term privacy implications of DNA data. The incident also fueled broader discussion about genetic privacy laws, user consent, and whether genetic information should receive stronger legal protections than other types of personal data.
More than 40 class-action lawsuits were filed against 23andMe after the breach, with plaintiffs alleging claims including negligence, breach of implied contract, and invasion of privacy. 23andMe initially agreed to a $30 million settlement in 2024. After the company filed for Chapter 11 bankruptcy protection, the settlement was revised into a fund of between $30 million and $50 million. The settlement received final court approval on January 30, 2026.
Eligibility for the U.S. settlement was limited to people who were 23andMe customers at any time between May 1, 2023, and October 1, 2023; resided in the U.S. during that period; and received notice from 23andMe that their personal information had been compromised in the breach.
The U.S. claim deadline of February 17, 2026, has now passed. For those who filed in time, compensation was structured in tiers:
- Up to $10,000 for users with documented, extraordinary out-of-pocket losses directly tied to the breach, such as identity theft remediation costs or related expenses.
- Up to $165 for customers who received notification that their health-related genetic information was accessed.
- An additional $100 in statutory payments for eligible residents of Alaska, California, Illinois, or Oregon.
- Free identity theft protection, genetic anomaly detection, and dark web monitoring services for five years for all eligible class members.
A Canadian settlement also covers eligible users in Canada, with a claims deadline of June 25, 2026, and a total value of C$4.49 million (approximately US$3.25 million).
The breach also became part of a larger debate about what happens to genetic data when a company restructures or changes ownership. In 2025, 23andMe filed for Chapter 11 bankruptcy protection and entered a court-supervised sale process. TTAM Research Institute, a nonprofit public benefit corporation founded and led by Anne Wojcicki, 23andMe’s co-founder and former CEO, acquired the company on July 14, 2025.
The sale kept 23andMe operating under new ownership, but it also intensified concerns about how customer genetic data and biological samples are handled during bankruptcy and asset transfers. 23andMe said TTAM would continue offering customers choice and transparency around their data, including the option to change research participation preferences.
Regulatory scrutiny continued after the class-action settlement. In May 2026, California’s attorney general sued Chrome Holding Co., formerly 23andMe, alleging that the company failed to adequately protect customers’ sensitive genetic and personal information during the 2023 breach. Unlike the customer settlement, that case is a government enforcement action brought under state law.
FAQ: Common questions about the 23andMe data breach
What should I consider before deleting my 23andMe data?
How could exposed DNA data be misused?
How can genetic data expose relatives too?
That’s why genetic data is often treated as unusually sensitive: one person can consent to testing, sharing, or deletion decisions for their own account, but their DNA still contains information about other people who never consented.