23andMe Breach: What Happened and How to Protect Your DNA Data

In October 2023, a credential-stuffing attack on 23andMe exposed the personal and genetic data of 6.9 million people. Here's the full timeline, what was stolen, and practical steps you can take right now to protect your DNA data.

By Peter Hollens · 10 min read

Key Takeaways

  • In October 2023, hackers used credential stuffing to breach 14,000 23andMe accounts and scraped genetic data from 6.9 million users via the DNA Relatives feature
  • Exposed data included ancestry composition, predicted relationships, birth years, and locations — information that is permanent and cannot be reset like a password
  • A $50 million class-action settlement received final court approval in January 2026, but payouts of $100-$165 per person barely cover credit monitoring
  • 23andMe filed for bankruptcy in March 2025 and was acquired by TTAM Research Institute in July 2025 — download your data and consider deleting your account
  • DNA Explore was built as a direct response to the breach: your genetic data never leaves your device, eliminating server-side breach risk entirely

“I signed up for 23andMe in 2017 because I was fascinated by what my DNA could tell me. Six years later, my data was compromised in their breach — I'm a confirmed class member in the litigation. I didn't want to hand my genetic data to another company, so I built a tool where everything stays on your device. Then I thought: why not give people what I was actually searching for when I got my DNA tested in the first place — actionable health insights, drug metabolism analysis, risk scores — things you can actually do something with.”

Peter Hollens

Founder, DNA Explore

Timeline of the 23andMe Data Breach

How the Attack Started: Credential Stuffing

The 23andMe data breach began in October 2023, when hackers used a technique called credential stuffing to access approximately 14,000 user accounts. Credential stuffing works by taking username-and-password combinations leaked from other breaches and trying them against a new service. Because many people reuse passwords across sites, the attackers were able to log in to thousands of 23andMe accounts without breaking any encryption.
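How a service operator can spot this pattern in login telemetry, as an added example that is not from the original article or from 23andMe. The event fields (`ip`, `user`, `success`), the thresholds, the function names and the sample events are assumptions constructed for illustration.

```javascript
// Added example, not 23andMe's code. Event fields and thresholds are assumptions.

// Constructed sample login events (documentation IP ranges, made-up users).
function sampleEvents() {
  const events = [];
  // One source walks through 12 different accounts; a single reused password works.
  for (let i = 1; i <= 12; i++) {
    events.push({ ip: "203.0.113.7", user: `user${i}@example.com`, success: i === 7 });
  }
  // One person mistypes a password, then gets it right.
  events.push({ ip: "198.51.100.20", user: "alice@example.com", success: false });
  events.push({ ip: "198.51.100.20", user: "alice@example.com", success: true });
  // Shared office NAT: many users, but every login succeeds.
  for (const name of ["bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy", "mallory"]) {
    events.push({ ip: "192.0.2.55", user: `${name}@example.com`, success: true });
  }
  return events;
}

// Flag sources that try many distinct accounts and succeed on few of them.
// keyOf picks the grouping key; per-IP is only one signal, since real
// campaigns spread across proxies (group by ASN or client fingerprint too).
function findStuffingSources(events, opts = {}) {
  const { minUsers = 10, maxSuccessRate = 0.2, keyOf = (e) => e.ip } = opts;
  const bySource = new Map();
  for (const e of events) {
    const key = keyOf(e);
    if (!bySource.has(key)) {
      bySource.set(key, { tried: new Set(), succeeded: new Set(), attempts: 0 });
    }
    const s = bySource.get(key);
    s.tried.add(e.user);
    s.attempts += 1;
    if (e.success) s.succeeded.add(e.user);
  }
  const findings = [];
  for (const [source, s] of bySource) {
    const successRate = s.succeeded.size / s.tried.size;
    if (s.tried.size >= minUsers && successRate <= maxSuccessRate) {
      findings.push({
        source,
        distinctUsers: s.tried.size,
        attempts: s.attempts,
        successRate,
        // Accounts that accepted a login from a flagged source need a forced reset.
        resetRequired: [...s.succeeded].sort(),
      });
    }
  }
  return findings;
}

console.log(findStuffingSources(sampleEvents()));
```

The office NAT in the sample has as many users as the threshold but is not flagged, because the success rate is what separates shared egress from a list of leaked credentials being replayed.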

How DNA Relatives Multiplied the Damage

But the damage did not stop at those 14,000 accounts. Once inside, the attackers exploited the DNA Relatives feature, a social tool that lets users discover and connect with genetic matches. Through that feature, the hackers scraped profile data from roughly 6.9 million additional users — approximately 5.5 million through DNA Relatives profiles and approximately 1.4 million through Family Tree profiles.

Public Disclosure and Full Scope

The stolen data first appeared on BreachForums on October 1, 2023, posted by a threat actor using the handle 'Golem'; the initial listing targeted people of Ashkenazi Jewish and Chinese descent. 23andMe disclosed the breach publicly on October 6, 2023, and over the following weeks the full scope became clear. On December 1, 2023, the company confirmed the 6.9 million figure in an SEC filing. The breach became one of the largest exposures of genetic data in history, and it raised fundamental questions about whether consumer genomics companies can be trusted to safeguard the most personal information imaginable: your DNA.

What Data Was Exposed in the 23andMe Breach

Directly Compromised Accounts

The 23andMe data breach exposed several categories of sensitive personal and genetic information. For the approximately 14,000 directly compromised accounts, the attackers had full access to everything in those profiles, including:
  • Raw genotype data
  • Ancestry composition reports
  • Health predisposition reports
  • Account details

Data Scraped via DNA Relatives

For the 6.9 million users scraped through DNA Relatives, the exposed data included display names, birth years, ancestry composition percentages, predicted relationships to other users, geographic locations, and in some cases family surnames and profile photos. While full raw DNA files were not scraped for this larger group, the ancestry and relationship data is deeply revealing. Knowing someone's precise ethnic background, their birth year, their location, and their genetic relatives creates a detailed identity profile. This data cannot be changed like a credit card number. Your ancestry composition and DNA relative connections are permanent.

Family Network Exposure

The breach also exposed the structure of family networks. Attackers could map out who is related to whom, reconstruct family trees, and potentially identify individuals even if they never used 23andMe themselves. For adoptees, donor-conceived individuals, or anyone with sensitive family circumstances, this kind of exposure can have life-altering consequences that go far beyond typical data breaches.

The $50 Million Settlement and Its Aftermath

Terms of the Class-Action Settlement

In September 2024, 23andMe agreed to an initial $30 million class-action settlement. Following the company's March 2025 bankruptcy filing, the settlement was revised upward to $50 million and received final court approval on January 20, 2026. The settlement covered all U.S. users whose data was exposed, and it required 23andMe to implement stronger security measures including mandatory two-factor authentication and regular third-party security audits.

What $50 Million Actually Means Per Person

On paper, $50 million sounds significant. In practice, payouts are tiered: eligible claimants can receive between $100 and $165 depending on the type of data exposed, with documented extraordinary losses eligible for up to $10,000. For the majority of the 6.9 million affected users, the payout barely covers a credit monitoring subscription.

Why Legal Frameworks Fall Short for DNA

The settlement also highlighted how poorly existing legal frameworks handle genetic data breaches. Unlike financial data, DNA cannot be reissued. There is no equivalent of freezing your credit or getting a new account number. Once your ancestry composition and relative connections are in the hands of bad actors, that information is out there permanently. The settlement required 23andMe to delete genetic data for inactive accounts after a set period, but for the millions of users whose data was already scraped and posted on hacking forums, the damage was already done. The payout felt more like a symbolic gesture than a meaningful remedy for what many consider the most personal data breach in consumer technology history.

23andMe Bankruptcy: What Happened to Your DNA

The Chapter 11 Filing

In March 2025, 23andMe filed for Chapter 11 bankruptcy protection. The company had been struggling financially for years, with its stock price down more than 98 percent from its peak after going public through a SPAC deal in 2021. The breach accelerated the decline in consumer trust, and the company's attempts to pivot into drug development did not generate enough revenue to offset the losses.

The Bidding Process and Acquisition

The bankruptcy filing raised an urgent question: what happens to the genetic data of roughly 15 million customers when the company is sold? Multiple bidders expressed interest, including pharmaceutical company Regeneron. Privacy advocates, attorneys general, and members of Congress raised alarms. The California Attorney General issued a public warning encouraging 23andMe users to download their data and delete their accounts before a sale. In July 2025, TTAM Research Institute — a nonprofit founded by 23andMe co-founder Anne Wojcicki — acquired the company for $305 million.

What the TTAM Acquisition Means for Your Data

TTAM committed to maintaining 23andMe's existing privacy policies and established a consumer-privacy advisory board. However, your data is now held by a different legal entity than the one you originally consented to. The structural risk remains: if TTAM's ownership changes in the future, the cycle of uncertainty around your genetic data repeats. DNA data stored under any organization is subject to the corporate lifecycle — acquisitions, policy changes, and future breaches are always possible.

How to Protect Your DNA Data Right Now

If you have ever used 23andMe, there are immediate steps you should take to protect your DNA data.

Step 1: Download Your Raw Data

Log into your 23andMe account and download your raw data file. Go to Settings, then scroll to 23andMe Data, and request a download. This gives you a local copy of your genotype data that you can use with third-party analysis tools without relying on 23andMe to remain operational.

Step 2: Opt Out of DNA Relatives

Opt out of DNA Relatives if you have not already. This was the feature the hackers exploited to scrape 6.9 million profiles. Navigate to Settings, then DNA Relatives, and revoke your consent.

Step 3: Delete Your Account

Consider deleting your 23andMe account entirely. Go to Settings, then 23andMe Data, and select the option to permanently delete your data. The company — now operating under TTAM Research Institute following the July 2025 acquisition — is required to destroy your genetic sample and remove your data from their systems, though the process can take several weeks.

Step 4: Secure Your Other Accounts

Check whether your email address was part of the breach using haveibeenpwned.com, and change your password on any service where you used the same credentials. Enable two-factor authentication everywhere you can.

Step 5: Use a Privacy-First Analysis Tool

If you still want to explore your genetic data, use a privacy-first analysis tool that does not require uploading your DNA file to anyone's servers. This is the single most effective way to protect your DNA going forward: keep your data on your own device.

Why Peter Hollens Built DNA Explore After the Breach

A Personal Experience with the Breach

DNA Explore exists because of the 23andMe breach. Founder Peter Hollens was among the millions of users whose data was exposed in the October 2023 attack. Like millions of others, he had trusted 23andMe with his raw DNA data and used the DNA Relatives feature to explore his genetic connections. When the breach happened, he realized there was no way to undo the exposure, and the experience fundamentally changed how he thought about genetic privacy.

Privacy as an Architectural Guarantee

Peter had already been exploring ways to make consumer genomics more accessible, but the breach crystallized the mission: build a DNA analysis tool where the data never leaves the user's device. Not as a marketing claim, but as an architectural guarantee. DNA Explore processes your raw DNA file entirely in your browser using client-side JavaScript. There is no upload endpoint, no server-side storage, no database of genetic data that can be breached, subpoenaed, or sold in a bankruptcy proceeding. The analysis runs locally on your machine and the results stay on your machine.

Building What Should Have Existed All Along

It is an approach we believe should be the standard for consumer genomics. After watching 23andMe go through bankruptcy and knowing that the genetic data of millions — including his own — had been posted on hacking forums, Peter built the tool he wished had existed before he ever uploaded his DNA to a corporate server.

DNA Explore: Analyze Your DNA Without Uploading It Anywhere

How It Works

DNA Explore is a browser-based genetic analysis tool built on a privacy-first architecture. You drag and drop your raw DNA file from 23andMe or AncestryDNA into the app, and everything is processed locally in your browser. Your genome data never touches a server. There is no account to create, no cloud storage, and no third party that ever sees your file.
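What local processing of these files can look like, as an added example that is not DNA Explore's code: a parser for the two raw export layouts that works only on text already in memory. The function name `parseRawGenotypes` and the sample rows are constructed for illustration; the column layouts are the vendors' tab-separated raw export formats.

```javascript
// Added example, not DNA Explore's code: parse a raw genotype export in memory.
// Nothing here calls fetch, XMLHttpRequest or a form; in a browser the text
// would come from `await file.text()` on the dropped File object.

// Constructed sample, 23andMe layout: '#' comments, then tab-separated
// rsid, chromosome, position, genotype.
const SAMPLE_23ANDME = [
  "# constructed sample, not real genotype data",
  "# rsid\tchromosome\tposition\tgenotype",
  "rs0000001\t1\t1000\tAG",
  "rs0000002\t1\t2000\t--",
  "rs0000003\tX\t3000\tC",
  "i0000004\tMT\t4000\tT",
  "rs0000005\t1\tnot-a-number\tAG",
].join("\n");

// Constructed sample, AncestryDNA layout: header row, then
// rsid, chromosome, position, allele1, allele2.
const SAMPLE_ANCESTRY = [
  "#AncestryDNA raw data download (constructed sample)",
  "rsid\tchromosome\tposition\tallele1\tallele2",
  "rs0000001\t1\t1000\tA\tG",
  "rs0000002\t1\t2000\t0\t0",
].join("\n");

function parseRawGenotypes(text) {
  const calls = new Map();
  let noCalls = 0;
  let rejected = 0;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const cols = line.split("\t");
    if (cols[0].toLowerCase() === "rsid") continue; // AncestryDNA header row
    // Four columns carry one genotype field; five carry two allele fields.
    const genotype = cols.length === 5 ? cols[3] + cols[4] : cols[3];
    const wellFormed =
      (cols.length === 4 || cols.length === 5) &&
      /^(rs|i)\d+$/.test(cols[0]) &&
      /^\d+$/.test(cols[2]) &&
      /^[ACGTDI0-]{1,2}$/.test(genotype);
    // Reject anything outside the expected alphabet before analysis sees it.
    if (!wellFormed) { rejected += 1; continue; }
    if (/^[0-]+$/.test(genotype)) { noCalls += 1; continue; } // no-call marker
    calls.set(cols[0], { chromosome: cols[1], position: Number(cols[2]), genotype });
  }
  return { calls, noCalls, rejected };
}

console.log(parseRawGenotypes(SAMPLE_23ANDME).calls.get("rs0000001"));
```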

What the Analysis Covers

The analysis covers:
  • Health predispositions
  • Pharmacogenomics for understanding how you metabolize common medications
  • Nutrigenomics for diet and supplement recommendations based on your genetic profile
  • Polygenic risk scores that combine hundreds of variants into meaningful risk estimates
  • Gene-gene interactions that reveal how your variants work together

These reports are for informational and educational purposes only and do not replace consultation with a qualified healthcare provider. An AI-powered chat feature lets you ask questions about your results in plain language.

Simple, One-Time Pricing

DNA Explore costs $9.99 as a one-time payment. There is no subscription, no upselling, and no recurring fees. You get a free preview of a subset of your results before paying, so you can evaluate the tool with your own data before committing. In a post-breach world where 23andMe is bankrupt and genetic data has proven to be a high-value target, the safest way to analyze your DNA is to never let it leave your device. That is exactly what DNA Explore was designed to do.

The Future of Genetic Privacy After the 23andMe Breach

A Turning Point for Consumer Genomics

The 23andMe data breach marked a turning point for consumer genomics. For years, the industry operated on the assumption that people would willingly trade their most personal data for ancestry pie charts and health reports. The breach, the settlement, and the bankruptcy shattered that assumption. Consumer trust in centralized genetic databases is at an all-time low, and it may never fully recover.

The Regulatory Landscape

Regulatory responses are emerging but remain slow. Some states have introduced genetic privacy bills, and there is growing pressure on Congress to pass federal legislation specifically protecting DNA data. The European Union's GDPR already treats genetic data as a special category, but enforcement has been inconsistent.

Architecture Over Legislation

In the meantime, the most effective protection is architectural, not legal. If a company never has your data, it cannot breach it, sell it, or hand it over in bankruptcy. This is the principle behind privacy-by-design, and it is the foundation of tools like DNA Explore.

The Real Lesson of the Breach

The lesson of the 23andMe breach is not that genetic testing is dangerous. Understanding your DNA can be genuinely valuable for health decisions, medication choices, and personal knowledge. The lesson is that uploading your DNA to a corporate server creates a permanent risk that no privacy policy, security audit, or class-action settlement can fully mitigate. The technology to analyze DNA locally already exists. The question is whether consumers will demand it. To explore your options, see our guide to the cheapest DNA testing in 2026.

Frequently Asked Questions

What happened in the 23andMe data breach?
In October 2023, hackers used credential stuffing to access approximately 14,000 23andMe accounts. They then exploited the DNA Relatives feature to scrape personal and genetic data from 6.9 million additional users. Exposed data included display names, birth years, ancestry composition, predicted relationships, and geographic locations. The breach became one of the largest genetic data exposures in history.

How do I delete my 23andMe data after the breach?
Log into your 23andMe account, go to Settings, then 23andMe Data, and select the option to permanently delete your data. Before deleting, download your raw data file so you still have access to your genetic information. After requesting deletion, 23andMe is required to destroy your saliva sample and remove your data from their servers within several weeks.

Is my DNA data safe after the 23andMe bankruptcy?
In July 2025, TTAM Research Institute — a nonprofit founded by Anne Wojcicki — acquired 23andMe for $305 million. TTAM has committed to maintaining existing privacy policies and established a consumer-privacy advisory board. However, your data has been transferred to a new legal entity. If you still have a 23andMe account, the safest step is to download your raw data and then delete your account, since future ownership changes could put your data at risk again.

How can I analyze my DNA without uploading it to a server?
DNA Explore processes your raw DNA file entirely in your browser. You drag and drop your 23andMe or AncestryDNA file into the app, and the analysis runs locally on your device. Your genetic data never leaves your machine. There is no account, no cloud storage, and no upload. It costs $9.99 one-time with no subscription required.

What is credential stuffing and how did it affect 23andMe users?
Credential stuffing is a hacking technique where attackers use username-and-password combinations leaked from other data breaches to try logging into a different service. Because many people reuse passwords, the attackers gained access to approximately 14,000 23andMe accounts. From there, the DNA Relatives feature allowed them to scrape data from 6.9 million connected profiles, multiplying the impact far beyond the initially compromised accounts.

Disclaimer: The information provided in this article is for general educational and informational purposes only and does not constitute medical, legal, or financial advice. Genetic information should not be used as a substitute for professional medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider before making any health decisions based on genetic data.

Prices, features, and availability of third-party products and services mentioned in this article are based on publicly available information as of the publication date and may have changed. We make reasonable efforts to ensure accuracy but cannot guarantee that all pricing, feature descriptions, or company information is current or complete. Trademarks and brand names referenced are the property of their respective owners and are used solely for identification and comparison purposes.

Genetic risk assessments, polygenic risk scores, and pharmacogenomic reports generated by any consumer tool — including DNA Explore — are based on currently published research and known associations. They are not diagnostic. Genetic predisposition does not guarantee the development or absence of any condition.
