The Breach that Broke 23andMe

For the last couple of days, warnings have filled the headlines: 23andMe files for bankruptcy; delete your data now. That advice matters, and 23andMe customers should certainly take the precautions recommended by experts, but there is another critical factor underlying these headlines: a cybersecurity breach.


23andMe's bankruptcy filing, according to most reports, is partly related to declining demand for DNA testing kits, but the company might have weathered that change, or been in a position to pivot its offerings, had it not suffered the significant cybersecurity breach of 2023 that exposed the personal data of approximately 6.9 million users.

The attack, carried out over six months, involved hackers using techniques such as credential stuffing to gain unauthorized access to user profiles.

[Side note: Credential stuffing is a type of cyberattack in which hackers use stolen username-password combinations from one data breach to try and gain unauthorized access to other accounts. Since many people reuse passwords across multiple sites, attackers can automate login attempts using bots or scripts to test these stolen credentials on various websites.] 

A 2024 Wired analysis pointed out that 23andMe attributed the breach not to its own security flaws but to weak passwords chosen by users. A system-enforced password complexity requirement, and better still multifactor authentication, could have provided another layer or two of defense. Regardless, 23andMe did not detect any malicious activity, even though the hackers were compromising accounts from April to September 2023.1
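As an added illustration (not code from the original post or from 23andMe), the following Python script shows the per-source detection logic that the credential-stuffing side note above and the six undetected months of account takeovers call for: each compromised account sees only one or two attempts, so per-account lockout counters stay quiet, while the source address shows a burst of distinct accounts with a low success rate. The log lines, field layout and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real 23andMe data). Fields:
# timestamp source_ip account result
SAMPLE_LOG = """\
2023-04-12T02:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-12T02:00:03Z 203.0.113.7 bob@example.com FAIL
2023-04-12T02:00:05Z 203.0.113.7 carol@example.com OK
2023-04-12T02:00:07Z 203.0.113.7 dave@example.com FAIL
2023-04-12T02:00:09Z 203.0.113.7 erin@example.com FAIL
2023-04-12T02:00:11Z 203.0.113.7 frank@example.com FAIL
2023-04-12T02:01:00Z 198.51.100.4 alice@example.com FAIL
2023-04-12T02:01:30Z 198.51.100.4 alice@example.com OK
2023-04-12T09:15:00Z 192.0.2.20 bob@example.com OK
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, account, success)."""
    ts, ip, account, result = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return stamp, ip, account, result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=5, max_success_ratio=0.3):
    """Return {ip: summary} for sources that tried many distinct accounts
    inside one time window with a low success rate. The signal is
    per-source, across accounts; per-account lockout counters never see it."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        stamp, ip, account, ok = parse_line(line)
        by_ip[ip].append((stamp, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0  # sliding window over this source's attempts
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {a for _, a, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(accounts) >= min_accounts and successes / len(span) <= max_success_ratio:
                flagged[ip] = {"accounts": len({a for _, a, _ in events}),
                               "attempts": len(events),
                               "compromised": sorted(a for _, a, ok in events if ok)}
                break
    return flagged
```

The "compromised" list is the triage output a responder wants first: accounts that logged in successfully from a source that was plainly guessing. Because the real campaign was spread over months rather than minutes, a per-source window like this is one signal among several, paired with the account-level controls (mandatory 2FA, forced password resets) listed later in this post.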

The compromised data included sensitive information such as names, profile photos, birth years, locations, family surnames, and ethnicity estimates, and the fallout from the breach was severe: 

1. Legal costs and settlements: In September 2024, 23andMe agreed to pay $30 million to settle a lawsuit over the data breach.2 This substantial settlement directly affected the company's finances.

2. Increased liabilities: The breach led to numerous federal and state class action lawsuits against 23andMe, driving up the company's liabilities.3

3. Reputation damage: The exposure of personal information of approximately 6.9 million customers dealt a significant blow to the company's reputation, reflected in the company's immediate decline in sales.

4. Declining valuation: After going public in 2021 with a valuation of $6 billion ($17.65 per share), 23andMe's value plummeted to about $48 million ($1.78 per share) following the 2023 data breach.4

5. Increased cybersecurity costs: A key takeaway from this story is that implementing a strong cybersecurity posture is significantly less expensive than recovering from a breach. 23andMe learned this the hard way, paying the legal, reputational, and investor price along with the costs of implementing increased security measures (see below).5

6. Customer compensation: As part of the legal settlement, 23andMe also had to provide three years of security monitoring to affected customers, adding to its financial burden.6

Data Security Changes Post-Breach 

Following the data breach, 23andMe implemented several measures to improve data security: 

1. Password reset: The company required all customers to reset their passwords.7

2. Two-factor authentication (2FA): 23andMe mandated the use of two-step verification for all new and existing customers when logging in to the platform.8

3. Enhanced login security: The company implemented stricter controls to protect against credential stuffing attacks.9

4. Temporary feature disabling: As a precautionary measure, 23andMe temporarily disabled some features within the DNA Relatives tool to protect customer privacy.10

5. Increased monitoring: The company engaged third-party forensic experts to assist with the investigation and enhance its security monitoring capabilities.11

6. Collaboration with law enforcement: 23andMe worked with federal law enforcement officials to address the security incident.12

Note that the source for many of these security changes is the 23andMe company blog, one of many efforts the company made to reassure the public and stakeholders that it was, in fact, safe to continue using its services. Despite these efforts, 23andMe ultimately filed for bankruptcy on March 23, 2025, due to ongoing financial challenges exacerbated by the data breach.

This case is a stark reminder of the potential consequences of cybersecurity breaches, particularly for companies handling sensitive personal and genetic information. Many companies handling this kind of data are bound by industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which sets rules for how health data may be shared and must be safeguarded. 23andMe, however, is a direct-to-consumer company and is not obligated to follow HIPAA rules, so when consumers turned over their data, they did so as unprotected consumers, not as HIPAA-protected patients.


What’s Your Risk Level?

If you are reading the stories of 23andMe's downfall and wondering how your company could be exposed, there is no time like the present to find out. The JSCM Group team can provide a comprehensive threat report that gives you the full picture of the risk you are facing, along with recommendations for ensuring your company's, and your customers', safety.

1 https://www.wired.com/story/23andme-failed-to-detect-account-intrusions-for-months/ 

2 https://www.usatoday.com/story/money/2024/09/16/23andme-class-action-lawsuit-settlement/75250132007/ 

3 https://techxplore.com/news/2025-03-23andme-bankruptcy-dna-privacy.html

4 https://news.harvard.edu/gazette/story/2025/03/what-happens-to-your-genetic-data-if-23andme-collapses/ 

5 https://www.risk-strategies.com/blog/understanding-the-23andme-data-breach-and-ensuring-cybersecurity

6 https://www.reuters.com/technology/cybersecurity/23andme-settles-data-breach-lawsuit-30-million-2024-09-13/ 

7 https://blog.23andme.com/articles/addressing-data-security-concerns 

8 https://www.isms.online/data-protection/what-businesses-can-learn-from-23andmes-breach-response

9 https://www.isms.online/data-protection/what-businesses-can-learn-from-23andmes-breach-response/

10 https://blog.23andme.com/articles/addressing-data-security-concerns 

11 https://blog.23andme.com/articles/addressing-data-security-concerns 

12 https://blog.23andme.com/articles/addressing-data-security-concerns  
