Valtik Studios
23andMe · critical · 2026-03-13 · 11 min read

23andMe: Why Genetic Data Breaches Never Heal

Your password can be changed. Your credit card can be reissued. Your genetic code cannot. The 2023 23andMe breach exposed the personal and genetic information of nearly 7 million users: data that will be usable against them for the rest of their lives and their children's lives. A deep dive into the breach, the unique permanence of genetic data exposure, and what every consumer DNA test user should understand.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

The breach that can't be fixed

Here's the part consultants don't put in the glossy PDF.

In October 2023, 23andMe disclosed that attackers had accessed user accounts and stolen personal and genetic information. The initial disclosure framed it as a credential-stuffing attack affecting a relatively small number of accounts. Over the following weeks, the scope expanded significantly:

  • ~14,000 accounts directly compromised via credential stuffing
  • ~6.9 million additional users' data exposed via the DNA Relatives feature: users whose accounts were never directly compromised, but whose data was reachable through the compromised accounts' relative connections
  • Personal information leaked, including names, ancestry breakdowns, and family trees
  • Genetic data excerpts leaked, including health predispositions, ethnic ancestry, and genetic markers
  • Specific ethnic targeting: attackers packaged and sold data about Ashkenazi Jewish users and Chinese users in particular on cybercrime forums

The breach settlement announced in September 2024 was $30 million, plus additional provisions for credit monitoring. Class action litigation continues.

But here's the fact that makes this breach qualitatively different from any other: the exposed data can't be changed.

If your password gets breached, you change your password. If your credit card number leaks, the bank issues a new number. If your Social Security Number is exposed, that's harder, but with enough effort and inconvenience it can be rotated.

If your genetic sequence is exposed, there's nothing to rotate. Your DNA is the same today as it was the day you were born, and it will be the same the day you die. And, crucially, your DNA data reveals information about your parents, your siblings, your children, and every cousin you've ever had, whether or not those people ever consented to 23andMe.

This post is about why genetic data breaches are uniquely permanent, what the 23andMe data is being used for, and what DNA test users should realistically do now.

What the leaked data contains

The stolen 23andMe data includes several tiers of information.

Tier 1: personal identifiers

Standard breach content:

  • Name
  • Email address
  • Phone number (where provided)
  • Home address / zip code
  • Account creation date
  • Profile photo

Tier 2: ancestry and family data

  • Ethnic ancestry breakdown with percentages (e.g., "48% Ashkenazi Jewish, 32% British & Irish, 20% Italian")
  • Haplogroup information (maternal and paternal lineage markers)
  • Ancestry composition down to regional specificity
  • Family trees users had built on the platform
  • DNA Relatives connections: other users identified as genetic relatives, with approximate relationship strength

Tier 3: genetic and health data

What 23andMe provides users, which was partially exposed in the breach:

  • Health predisposition reports for conditions like BRCA-related breast cancer risk, Parkinson's disease risk, Alzheimer's risk, celiac disease, etc.
  • Genetic carrier status for conditions like sickle cell disease, cystic fibrosis, Tay-Sachs
  • Wellness reports including traits like lactose intolerance, alcohol metabolism, genetic weight factors
  • Raw genetic data: SNP (single nucleotide polymorphism) information for approximately 600,000+ genetic positions

Not all users had all tiers exposed. Depth of exposure varied by what the user had purchased and what the attacker queried.

Tier 4: relationship-chain data

This is where the cascade happened. 23andMe's DNA Relatives feature automatically identifies other 23andMe users who share DNA with you. Attackers who compromised one account could query its DNA Relatives list, seeing:

  • Other users' names
  • Relationship strength (estimated cousin degree)
  • Shared ancestry percentages
  • Location (where provided)

So a user who never had their own account compromised, but whose genetic relative's account was compromised, had significant personal information exposed through that relative.
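To make the cascade concrete, here is an added toy model (not 23andMe's code or data) of how a relatives-matching feature turns a handful of compromised accounts into a much larger exposed population, and how two design choices, opt-in matching and a minimal field set, change the blast radius. The account names, edges and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed toy relationship graph (not 23andMe data): each edge links two
# accounts that share enough DNA to appear in each other's relatives list.
RELATIVE_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "erin"), ("carol", "frank"), ("dave", "grace"),
    ("heidi", "ivan"),  # unrelated pair, should stay untouched
]

# Fields the relatives view reveals under the two policies compared below
# (hypothetical field names chosen for the example).
DEFAULT_FIELDS = {"name", "relationship", "shared_ancestry", "location"}
MINIMAL_FIELDS = {"display_name", "relationship"}

def build_graph(edges):
    """Undirected adjacency: shared DNA is symmetric."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def cascade_exposure(graph, compromised, opted_in, fields):
    """Map each user whose data leaks *through* a compromised relative's
    account to the fields revealed. Directly compromised accounts are
    excluded: their exposure is total and not part of the cascade."""
    exposed = {}
    for acct in compromised:
        if acct not in opted_in:
            continue  # relatives view is only active for opted-in accounts
        for rel in graph.get(acct, ()):
            if rel in opted_in and rel not in compromised:
                exposed[rel] = set(fields)
    return exposed

def amplification(compromised, exposed):
    """Affected users per directly compromised account."""
    return (len(compromised) + len(exposed)) / len(compromised)

def compare_policies(edges, compromised):
    graph = build_graph(edges)
    everyone = {u for edge in edges for u in edge}
    # Opt-out default: everyone is matchable and every field is visible.
    permissive = cascade_exposure(graph, compromised, everyone, DEFAULT_FIELDS)
    # Opt-in default (only bob and carol chose matching) plus minimal fields.
    opted = {"bob", "carol"} | set(compromised)
    strict = cascade_exposure(graph, compromised, opted, MINIMAL_FIELDS)
    return {
        "permissive": (sorted(permissive), amplification(compromised, permissive)),
        "strict": (sorted(strict), amplification(compromised, strict)),
    }
```

Compromising only `alice` exposes three further users under the permissive policy and two under the strict one; at 23andMe's scale the same mechanism took ~14K compromised accounts to ~6.9M affected users.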

The ethnic targeting

The most chilling detail of the 23andMe breach: the attackers didn't dump all the data. They curated and sold specific subsets on dark web forums.

Ashkenazi Jewish users: specifically packaged and sold. Roughly 1 million entries offered in dark web posts. Pricing was structured to emphasize the targetability of this demographic. The implied use cases in forum conversations included antisemitic targeting for harassment, doxxing, and potential violence.

Chinese users: similar packaged sales, with apparent interest from groups targeting Chinese diaspora populations.

General bulk data: sold for less, to buyers who wanted volume over demographic specificity.

The specificity of the ethnic targeting made it clear that the attackers understood what they had. This wasn't opportunistic. The data was being sold in a way designed to maximize harm potential to specific populations.

Why genetic data is uniquely permanent

Most breached data loses value over time. A 2015 password dump is worthless now. A 2017 credit card list is expired numbers. Even a Social Security Number, while long-lived, is usable only as long as the person lives and while the credit system works the way it does today.

Genetic data doesn't decay. Consider:

1. The data itself is immutable. Your DNA sequence is fixed. You can't change it, rotate it, or issue a new version.

2. Future uses are unknown. Genetic research advances constantly. Data that today reveals ancestry and a handful of health predispositions will, in 10 years, reveal far more. Personality traits, detailed disease risks, behavior patterns. The 2023 breach's data will continue gaining analytical value over the next several decades.

3. It reveals information about people who never consented. Your siblings share about 50% of your DNA on average. Your parents share 50%. Your cousins share ~12%. Genetic data leaked from your account reveals substantive information about your family members even if they've never used 23andMe.

4. Future generations inherit the exposure. Your children share 50% of your DNA. They'll inherit 50% of the exposure. Their children, 25%. A 23andMe breach in 2023 is still relevant to your great-great-grandchildren's genetic privacy.

5. Law enforcement, insurers, employers, and governments will have decades to use this data. The Genetic Information Nondiscrimination Act (GINA) provides some protections in US employment and health insurance, but doesn't cover life insurance, disability insurance, long-term care insurance, or many other contexts. Regulations in other countries vary widely.

What the leaked data enables

Specific scenarios, ranging from ongoing to future:

Ongoing (2024-2026)

  • Targeted harassment. Users identified as belonging to specific ethnic groups have been harassed via the leaked contact information.
  • Family tree reconstruction. Attackers who want to map someone's family can now do so using leaked genetic relationship data.
  • Blackmail. Individuals whose leaked data includes sensitive health information (HIV genetic markers, hereditary cancer risk, paternity questions) have been targeted for blackmail. Documented cases exist.
  • Insurance fraud / investigation. Some insurance companies have allegedly used leaked data to investigate fraud claims, though this is legally uncertain.
  • Identity fraud augmentation. Detailed personal data combined with ancestry information enables more convincing social engineering.

Medium-term (5-15 years)

  • Predictive policing or profiling. As facial recognition improves, genetic data could enable face generation or prediction. Research is early but plausible.
  • Discrimination in new contexts. As genetic insights expand, markers could be used for hiring decisions, dating app algorithms, admission decisions.
  • Paternity / family disputes. Legal cases involving leaked genetic data are already appearing.
  • Forensic genealogy. Law enforcement and private firms increasingly use genetic data for family-tree-based suspect identification. Even though 23andMe itself does not allow this, leaked data carries no such restriction.

Long-term (15+ years)

  • Unknown applications. The primary concern is precisely that we don't know what genetic data will enable in 20 years. Research on gene-behavior correlations, gene-personality correlations, gene-aptitude correlations continues to advance. Whatever those correlations reveal, the 23andMe breach data is already in the hands of parties with indefinite retention.

What 23andMe did and didn't do well

Did well (eventually)

  • Eventually disclosed the full scope after initial under-reporting
  • Offered credit monitoring to affected users
  • Implemented mandatory password resets
  • Added two-factor authentication requirement
  • Settled class action litigation

Did poorly

  • Initial disclosure was minimized. The "small number of accounts" framing understated by orders of magnitude.
  • Password-only authentication for years. Credential stuffing succeeded because 23andMe didn't require MFA until after the breach.
  • DNA Relatives feature designed without breach-cascade consideration. The feature that enabled the cascade from 14K compromised accounts to 6.9M affected users was a preventable design choice.
  • Data retention policy. 23andMe retains user data indefinitely by default. Even account deletion may not remove all data from all systems.
  • Corporate health. 23andMe stock dropped substantially post-breach, leading to concerns about the company's long-term viability and what would happen to user data in a bankruptcy or acquisition scenario.
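The first two "did poorly" points are detection and prevention problems a web application can address before MFA is even in the picture. Below is an added example (not 23andMe's code or logs) of the login-telemetry check that separates a credential-stuffing source from one user mistyping their own password: many distinct usernames from one source in a short window, mostly failing. The log format, IPs and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-app login events (not real 23andMe logs):
# 203.0.113.7 sprays a stolen list; 198.51.100.4 is one person retrying.
SAMPLE_LOG = """\
2023-10-01T03:00:01Z ip=203.0.113.7 user=a.smith result=fail
2023-10-01T03:00:02Z ip=203.0.113.7 user=c.lee result=success
2023-10-01T03:00:03Z ip=203.0.113.7 user=d.kim result=fail
2023-10-01T03:00:04Z ip=203.0.113.7 user=e.wong result=fail
2023-10-01T03:00:05Z ip=203.0.113.7 user=f.patel result=success
2023-10-01T03:00:10Z ip=198.51.100.4 user=g.brown result=fail
2023-10-01T03:00:20Z ip=198.51.100.4 user=g.brown result=fail
2023-10-01T03:00:30Z ip=198.51.100.4 user=g.brown result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(fail|success)$")

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def flag_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=5, min_fail_ratio=0.5):
    """Flag sources that try many distinct usernames inside one window
    with mostly failures (a stolen list is only partly valid). For each
    flagged IP, return the accounts it got into: force-reset those."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, hit = 0, False
        for end in range(len(evs)):            # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            fails = sum(1 for _, _, r in win if r == "fail")
            if (len({u for _, u, _ in win}) >= min_users
                    and fails / len(win) >= min_fail_ratio):
                hit = True
                break
        if hit:
            flagged[ip] = {"distinct_users": len({u for _, u, _ in evs}),
                           "successes": sorted({u for _, u, r in evs
                                                if r == "success"})}
    return flagged
```

The `successes` list is the set that needs the mandatory password reset and MFA enrolment 23andMe eventually imposed; the single retrying user is left alone.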

What's happened to 23andMe since

  • September 2024: $30M class action settlement announced
  • Late 2024: 23andMe board resignation crisis, leadership changes, financial distress
  • 2025: continued financial challenges, exploration of strategic alternatives
  • Early 2026: ongoing questions about the company's long-term viability

The financial distress compounds the privacy concern. If 23andMe goes into bankruptcy or is acquired, what happens to the genetic data of its 14+ million users? The asset value of that data is substantial. The privacy implications depend on who ends up owning it.

What you should do if you've used 23andMe (or any consumer DNA service)

Immediate

1. Check if your account was affected.

23andMe has a page to check account status. If you haven't checked, do so.

2. Enable MFA on 23andMe.

Settings → Sign In Settings → Two-Step Verification. Use an authenticator app, not SMS. If hardware-key support is available, use that.

3. Review your account settings.

  • DNA Relatives opt-in: disable if not using actively
  • Research consent: review what you've agreed to
  • Reports: review what you've purchased and what's accessible
  • Account recovery info: ensure it's current

4. Consider account deletion.

23andMe allows account deletion. Your raw genetic data should be deleted per their policy. But research data you've consented to may be retained per research agreements. Review the deletion policy carefully.

Important caveat: even after deletion, data that was already leaked is out there. Deletion prevents new exposure but doesn't recall what's already gone.

5. Assume family members are exposed.

If you've done 23andMe, your first-degree relatives (parents, siblings, children) have substantive genetic data exposure through your account, regardless of whether they ever used the service.

Long-term

1. Be aware of discrimination risk.

Life insurance, disability insurance, and long-term care insurance aren't covered by GINA. Know that your application can be affected by genetic information that's in the public / breach ecosystem.

2. Monitor for fraud targeting.

Enhanced OSINT-based social engineering using family-tree information is increasing. Be alert for phishing that references family relationships.

3. Consider legal recourse.

If you were affected and believe you experienced specific harm, consult attorneys handling the class action. Statutes of limitation on specific damages may apply.

4. Don't take additional tests.

If you're now aware of the permanence issue, seriously reconsider Ancestry, MyHeritage, or other consumer DNA services. Each additional test adds to the aggregate genetic data footprint. The risk is the same. These companies have similar security postures and similar data permanence.

For people considering their first consumer DNA test

If you've been thinking about doing a 23andMe or Ancestry test and you're reading this post, consider:

  • The data is permanent. Unlike other services, you can't meaningfully rotate or withdraw if something goes wrong.
  • The industry has been breached before and will be again. 23andMe wasn't the first consumer DNA breach. MyHeritage had a breach in 2018. Veritas Genetics had a breach in 2019. Similar breaches in adjacent industries are routine.
  • You're making the decision for your family. Your parents, siblings, and children inherit the exposure. They didn't consent.
  • The commercial benefit is limited. Ancestry curiosity and a couple of health reports are interesting but not usually life-changing. The risk asymmetry is substantial.
  • If you do proceed: use a service with strong security (research their practices), enable MFA, opt out of research sharing, opt out of relative-matching features, delete the data when you're done.

The broader genetic data market

Beyond 23andMe and Ancestry, the consumer genetic data market includes:

  • Ancestry.com (largest by volume, ~25M users)
  • MyHeritage (~6M users)
  • FamilyTreeDNA (~2M users, notable for cooperating with law enforcement)
  • Veritas Genetics (more medical-focused, smaller user base)
  • Nebula Genomics (whole-genome sequencing, more advanced)
  • Various DTC genetic test brands with varying depth

Each has its own security posture and data practices. None of them make genetic data less permanent. If you're using any of them, similar breach-permanence concerns apply.

Law enforcement use via genetic genealogy is a separate concern. A notable case: the Golden State Killer was identified in 2018 via genetic genealogy using public database matches. Law enforcement now routinely uses services like GEDmatch and FamilyTreeDNA (the two major services that allow law enforcement access) to identify suspects. If you've uploaded your raw DNA data to any genealogy site that permits law enforcement queries, your genetic data is actively being used in criminal investigations, including investigations of your biological relatives.

The honest takeaway

Consumer genetic testing has legitimate uses. Some people have discovered cancer predispositions that informed life-saving medical decisions. Others have found biological relatives after decades of searching. The benefit is real for some users.

The risk is also real, and uniquely permanent. Unlike any other breach category, genetic data can't be rotated, recalled, or un-exposed. Once it's out, it's out forever. For you, for your relatives, for your descendants.

The 2023 23andMe breach affected 7 million people. The data is in adversary hands indefinitely. Treatment of that data over the next 50 years will depend on:

  • Whether 23andMe and similar companies survive
  • Whether genetic discrimination laws strengthen or weaken
  • Whether new uses of genetic data emerge
  • Whether additional breaches compound the exposed pool

Given the uncertainty, the defensive move is data minimization: don't add to the exposed pool if you haven't already. And don't compound existing exposure.

What Valtik does in this space

Valtik's consumer privacy consultations include genetic data exposure review. For individuals who have used consumer DNA services and want to:

  • Minimize ongoing exposure
  • Delete data from services they no longer use
  • Understand their exposure given their family structure
  • Prepare for potential discrimination scenarios
  • Navigate legal recourse options

We offer focused one-hour consultations with documented recommendations. Reach out via https://valtikstudios.com.

Tags: 23andme, genetic privacy, data breach, biometric data, data permanence, consumer cybersecurity, opsec, dna privacy, research
