
4 Million 23andMe Users Breached

Published: January 15, 2024 in our Security Fraud News & Alerts Newsletter.



The place to follow your ancestral roots, 23andMe, suffered another breach exposing the sensitive data of its users. According to the company, the threat actor gained access to the data of users who had opted into the “DNA Relatives” feature. The genetic testing company learned about the theft after the hacker posted records belonging to four million users on an underground forum.


The affected feature, DNA Relatives, lets users find and connect with potential genetic relatives worldwide. The breached PII (personally identifiable information) includes location, birth date, family names and ancestry reports, among other data. According to TechCrunch, the hacker, known as “Golem,” posted the exposed genetic profiles of people in Great Britain as well as “the wealthiest people living in the U.S. and Western Europe.”


How It Happened


Although 23andMe is still investigating the breach, it says the incident was not the result of a security failure in its own systems. The attacker is believed to have “credential stuffed” 23andMe accounts using username/password pairs stolen in earlier breaches of other services.


Credential stuffing takes previously stolen username/password combinations and replays them, usually with automated tooling, against other websites until a match is made. Each match, repeated across many accounts in this case, gives the attacker access to the account and everything it holds. Here the impact was amplified by the feature itself: each compromised account could view the profile data its matched relatives had chosen to share through DNA Relatives, so the exposed records far outnumber the accounts the attacker actually logged into. The biggest enabler of credential stuffing is password reuse, the same username and password used across many sites.
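Credential stuffing shows up in a site's own login logs as a burst of attempts for many different usernames from one source, almost all of them failing, with the occasional success being the account the attacker now owns. The following is an added example, not code from 23andMe or from this newsletter, of a detector for that pattern; the JSON log format, its field names and the sample log lines are constructed for the illustration.

```python
"""Spot a credential-stuffing burst in a web application's login log.

Added example; not code from 23andMe or from the newsletter. It assumes a
hypothetical log format: one JSON object per line with the fields ts,
src_ip, user and result ("ok" or "fail"). The sample lines are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 203.0.113.7 replays ten different username/password
# pairs in a few seconds and gets one hit; 198.51.100.23 is an ordinary
# user who mistypes a password twice and then logs in.
SAMPLE_LOG = """\
{"ts":"2023-10-01T02:00:01Z","src_ip":"203.0.113.7","user":"alice","result":"fail"}
{"ts":"2023-10-01T02:00:02Z","src_ip":"203.0.113.7","user":"bob","result":"fail"}
{"ts":"2023-10-01T02:00:02Z","src_ip":"203.0.113.7","user":"carol","result":"fail"}
{"ts":"2023-10-01T02:00:03Z","src_ip":"203.0.113.7","user":"dave","result":"fail"}
{"ts":"2023-10-01T02:00:04Z","src_ip":"203.0.113.7","user":"erin","result":"fail"}
{"ts":"2023-10-01T02:00:05Z","src_ip":"203.0.113.7","user":"frank","result":"fail"}
{"ts":"2023-10-01T02:00:06Z","src_ip":"203.0.113.7","user":"grace","result":"fail"}
{"ts":"2023-10-01T02:00:07Z","src_ip":"203.0.113.7","user":"heidi","result":"fail"}
{"ts":"2023-10-01T02:00:08Z","src_ip":"203.0.113.7","user":"ivan","result":"fail"}
{"ts":"2023-10-01T02:00:09Z","src_ip":"203.0.113.7","user":"judy","result":"ok"}
{"ts":"2023-10-01T08:15:00Z","src_ip":"198.51.100.23","user":"ken","result":"fail"}
{"ts":"2023-10-01T08:15:20Z","src_ip":"198.51.100.23","user":"ken","result":"fail"}
{"ts":"2023-10-01T08:15:45Z","src_ip":"198.51.100.23","user":"ken","result":"ok"}
"""


def parse_log(text):
    """Parse the hypothetical JSON-lines format into dicts with a datetime ts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_stuffing_sources(events, window_s=600, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within any window_s-second sliding window, try at
    least min_users distinct usernames with a failure ratio of at least
    min_fail_ratio. A legitimate user retrying one account never trips this;
    a stuffing run (many accounts, almost all failing) does.

    Returns {src_ip: {"max_distinct_users": n, "compromised": {users that
    logged in successfully from that source while it was flagged}}}.
    The "compromised" set is the incident-response output: those accounts
    need a forced password reset and session revocation, not just an alert.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        window = deque()
        for e in evs:
            window.append(e)
            # Drop events that fell out of the sliding window.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            users = {w["user"] for w in window}
            fails = sum(1 for w in window if w["result"] == "fail")
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                f = findings.setdefault(ip, {"max_distinct_users": 0, "compromised": set()})
                f["max_distinct_users"] = max(f["max_distinct_users"], len(users))
                f["compromised"].update(w["user"] for w in window if w["result"] == "ok")
    return findings


if __name__ == "__main__":
    for ip, f in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['max_distinct_users']} distinct usernames tried, "
              f"accounts to reset: {sorted(f['compromised'])}")
```

The thresholds are deliberately conservative: a real stuffing run typically succeeds on well under a few percent of attempts, so the failure ratio stays high even at scale, while a single user fumbling one password never reaches five distinct usernames. In production the same logic would also key on user agent and on the distinct-IP count behind a rotating proxy pool, which this example omits.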


How Stolen PII Benefits Email Phishing


Another problem with hijacked PII is its use in targeted email phishing. Email addresses are often exposed in breaches, giving the attacker the starting point for a phishing campaign, and the rest of the stolen data is used to tailor the lure to each victim.


Sometimes called “social engineering,” this use of stolen details helps the attacker build a convincing lure. Once the target believes the email is legitimate, the attacker can send the victim to spoofed websites designed to harvest even more information: payment card details, account numbers and more passwords. The extent of the damage to a phishing victim is often limited only by the attacker's imagination.


What Can You Do Right Now To Protect Yourself


  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.

  • Change your password. Changing a stolen password makes it useless to thieves. Choose a strong and unique password for every account, and change the password on any other site where you used the same one, since that is exactly what credential stuffing exploits. If you use a password manager, we recommend one that stores the passwords on your device rather than in the cloud.

  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant authenticator (a hardware security key, or a laptop or phone acting as a passkey) as your second factor; otherwise use an authenticator app. Some forms of 2FA, such as codes sent by SMS or generated by an app, can be phished just as easily as a password, because a lookalike site can collect the code and relay it to the real one. A FIDO2 credential is bound to the real site's web address, so a lookalike site cannot use it.

  • Watch out for impersonation attacks. The thieves may contact you posing as 23andMe or another company trying to “help” you. Check the company's website to see whether, and how, they are contacting victims.

  • Don't Click. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. If you get a text or email with a link and you want to proceed to the linked website, DON'T CLICK. Instead, open a browser and navigate directly to the page.

  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover afterwards. You may already have access to an identity monitoring service through AAA, a credit card, or your financial institution. Check with them; you may only need to turn on the alerts.
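The two 2FA claims above, that a one-time code can be relayed by a phishing page while a FIDO2 credential cannot, can be demonstrated end to end. The following is an added example, not code from 23andMe, from this newsletter or from any FIDO library. RP_ORIGIN and PHISH_ORIGIN are assumed names; the TOTP part follows RFC 6238; the FIDO2 part is a simplified model of the WebAuthn flow in which an HMAC with a shared secret stands in for the authenticator's public-key signature, so that it runs with Python's standard library alone. The property being shown, that the browser-supplied origin sits inside the signed data, is the same.

```python
"""Why a relayed one-time code is phishable but a FIDO2 assertion is not.

Added example; not code from 23andMe, the newsletter or any FIDO library.
RP_ORIGIN and PHISH_ORIGIN are assumed names. The TOTP part follows RFC 6238.
The FIDO2 part is a simplified model of the WebAuthn flow: a real
authenticator signs with a private key and the site holds only the public
key; here an HMAC with a shared secret stands in for the signature so the
example runs with the standard library alone.
"""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://www.example-rp.test"                        # assumed
PHISH_ORIGIN = "https://www.example-rp.test.login-help.example"  # assumed lookalike


# --- One-time codes (TOTP, RFC 6238: 30-second step, HMAC-SHA1, 6 digits) ---
def totp(secret, t, step=30, digits=6):
    counter = int(t // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def phish_relays_totp(secret, t):
    """The victim types the current code into the phishing page; the phisher
    forwards it to the real site within the same 30-second step. The site
    cannot tell where the code was typed, so it accepts it."""
    code_typed_on_phish_page = totp(secret, t)
    return code_typed_on_phish_page == totp(secret, t)  # the real site's check


# --- FIDO2 / WebAuthn-style assertion (simplified; HMAC stands in for signature) ---
def authenticator_sign(cred_key, challenge, browser_origin):
    """The browser, not the web page, fills in the origin it actually loaded
    the page from; the authenticator signs that client data plus the challenge."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True)
    digest = hashlib.sha256(client_data.encode()).digest()
    return {"clientData": client_data,
            "signature": hmac.new(cred_key, digest, hashlib.sha256).hexdigest()}


def rp_verify(cred_key, issued_challenge, assertion, rp_origin=RP_ORIGIN):
    """The relying party checks the signature, the challenge it issued, and
    that the signed origin is its own."""
    digest = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False                      # client data was tampered with
    cd = json.loads(assertion["clientData"])
    return cd["challenge"] == issued_challenge and cd["origin"] == rp_origin


def legitimate_login(cred_key):
    challenge = secrets.token_hex(16)     # issued by the relying party
    return rp_verify(cred_key, challenge, authenticator_sign(cred_key, challenge, RP_ORIGIN))


def phish_relays_fido(cred_key):
    """Adversary-in-the-middle: the phishing page forwards the real site's
    challenge to the victim's browser. Returns (accepted_as_relayed,
    accepted_after_phisher_rewrites_origin)."""
    challenge = secrets.token_hex(16)
    # The victim's browser is on the phishing origin, so that is what gets signed.
    assertion = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    accepted_as_is = rp_verify(cred_key, challenge, assertion)
    # The phisher edits the origin field before relaying: signature no longer matches.
    forged = {"clientData": assertion["clientData"].replace(PHISH_ORIGIN, RP_ORIGIN),
              "signature": assertion["signature"]}
    accepted_forged = rp_verify(cred_key, challenge, forged)
    return accepted_as_is, accepted_forged


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 4226 / RFC 6238 test-vector secret
    key = secrets.token_bytes(32)
    print("TOTP relayed by phisher accepted:", phish_relays_totp(seed, 59))
    print("FIDO2 legitimate login accepted:", legitimate_login(key))
    print("FIDO2 relayed / forged accepted:", phish_relays_fido(key))
```

The relayed TOTP code is accepted because nothing in a six-digit code says where it was typed. The relayed FIDO2 assertion is rejected because the browser wrote the lookalike origin into the signed client data, and rewriting that field breaks the signature. This is the whole reason the bullet above prefers a FIDO2 authenticator over an app or SMS code.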



That’s A Wrap, Folks


For now, 23andMe has emailed the affected customers alerting them to the breach of the DNA Relatives feature. In a blog post, the company asks victims to change their passwords and enable 2FA for additional identity verification. It also says it has “temporarily disabled some features within the DNA Relatives tool…” The company is working with law enforcement and other experts as part of the ongoing breach investigation.


Want to schedule a conversation? Please email us at advisor@nadicent.com

