23andMe Fined for “Profoundly Damaging” Breach With 7 Million Victims

Redacto

Remember That 23andMe Breach? The UK Just Brought the Hammer Down

When we last covered 23andMe’s bankruptcy and the dangers of their genetic data retention, the company was already on thin ethical ice, having also leaked the genetic data of nearly 7 million customers according to the Office of the Privacy Commissioner of Canada.

23andMe have just been slapped with a £2.31m fine by a UK watchdog (the Information Commissioner’s Office or ICO) in response to their 2023 data breach. The breach was described as “profoundly damaging” by Information Commissioner John Edwards. The ICO’s findings determined 23andMe failed to secure the medical history, familial relationships, and racial heritage data of nearly 50% of their customers at the time.

Credential Stuffing Breach Didn’t Even Require Sophisticated Hackers

Beyond being “profoundly damaging” the breach was also painfully simple. The attackers replayed passwords exposed in earlier, unrelated breaches against 23andMe’s login page and got into about 14,000 accounts – presumably accounts whose owners had reused the same password on another breached site. Those 14,000 accounts were only the entry point: each compromised profile exposed the data of every relative matched to it through the opt-in DNA Relatives feature, which is how the attackers ended up with data on nearly half of 23andMe’s users.

This method is known as “credential stuffing” – taking a large volume of stolen username/password pairs and replaying them, usually from automated tooling, against a site that had nothing to do with the original leak, betting that enough users reused the same password for some of the logins to succeed.

Preventative methods for this kind of breach are plentiful and have been implemented broadly. 23andMe could have monitored public breach corpora and alerted users whose account may be using an exposed password, or enforced two-factor authentication (it offered 2FA, but only as an opt-in) – either would have mitigated or completely thwarted the breach. Canada’s Privacy Commissioner (the OPC) also recommended strong minimum password requirements and adequate account access monitoring (e.g. flagging new IPs accessing accounts).
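The “account access monitoring” the regulators recommend is concrete enough to show. The following is an added example, not code from the original post or from 23andMe: it runs two detections over a constructed sample of login-log lines. The first flags the signature of credential stuffing (one source IP, many distinct accounts, one or two attempts each), the second flags successful logins from an IP an account has never used before. The log format, the thresholds and the “known IPs” store are all assumptions made for the example.

```python
# Added example (not from the original post): spotting credential-stuffing
# traffic and new-IP logins in web login logs. The log format, thresholds
# and the per-account "known IPs" store are assumptions for this example.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source IP, username, result.
# 203.0.113.7 is a stuffing source: six accounts, one guess each, two hits.
# 198.51.100.9 is one user mistyping once, then logging in from a new place.
SAMPLE_LOG = """\
2023-10-01T12:00:01 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:02 203.0.113.7 carol@example.com OK
2023-10-01T12:00:03 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:03 203.0.113.7 erin@example.com OK
2023-10-01T12:00:04 203.0.113.7 frank@example.com FAIL
2023-10-01T12:00:05 198.51.100.9 alice@example.com FAIL
2023-10-01T12:00:09 198.51.100.9 alice@example.com OK
2023-10-01T12:01:00 192.0.2.44 grace@example.com OK
"""


def parse(log: str):
    """Yield (timestamp, ip, user, result) tuples from the sample format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result


def stuffing_sources(log: str, min_users: int = 5, max_attempts_per_user: int = 2):
    """Return {ip: [users]} for sources that look like credential stuffing.

    Stuffing is one source trying a leaked password once or twice against
    many accounts. A brute force on a single account (many attempts, one
    user) or a NAT gateway with a few real users does not match.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for _, ip, user, _ in parse(log):
        per_ip[ip][user] += 1
    flagged = {}
    for ip, users in per_ip.items():
        if len(users) >= min_users and max(users.values()) <= max_attempts_per_user:
            flagged[ip] = sorted(users)
    return flagged


def compromised_accounts(log: str, **thresholds):
    """Accounts that a flagged stuffing source logged into successfully.
    These are the ones to lock and force through a password reset."""
    flagged = stuffing_sources(log, **thresholds)
    return sorted({user for _, ip, user, result in parse(log)
                   if result == "OK" and ip in flagged})


def new_ip_logins(log: str, known_ips: dict):
    """Successful logins from an IP the account has not been seen on before.
    `known_ips` maps user -> set of previously seen IPs (assumed to be kept
    per account by the application)."""
    return [(user, ip) for _, ip, user, result in parse(log)
            if result == "OK" and ip not in known_ips.get(user, set())]


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(SAMPLE_LOG))
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG))
    seen = {"carol@example.com": {"203.0.113.7"}, "grace@example.com": {"192.0.2.44"}}
    print("new-IP logins:", new_ip_logins(SAMPLE_LOG, seen))
```

Note that the two detections catch different things: the stuffing rule only fires once a source has touched several accounts, while the new-IP rule fires on the very first successful login from an unfamiliar address, which is the moment a step-up challenge (email code, 2FA prompt) can still stop the attacker.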

A Wake-Up Call for Oversharing Platforms

The 23andMe fine doesn’t exist in a vacuum. It follows increasing scrutiny of platforms that collect and centralize intimate, unchangeable data. DNA isn’t like a password – you can’t reset your genome. Once it’s out there, it’s out there.

And while 23andMe actually blamed users for reusing old credentials, it’s entirely their responsibility to keep the data they are managing and monetizing secure. When a service handles genetic data in particular – the burden of care is significant, and lies with the platform handling the data.

Their security model didn’t fail because of sophisticated attackers – it failed because 23andMe failed to mandate widely used, incredibly standard security measures like MFA and breach checks. HaveIBeenPwned, for example, a service dedicated to letting people and companies check whether credentials have appeared in known breaches, offers a free Pwned Passwords API that a site can call when a user sets a password. The check is privacy-preserving: the site sends only the first five hex characters of the password’s SHA-1 hash and matches the rest of the hash locally against the returned list, so neither the password nor its full hash ever leaves the site. If your company is managing password-secured sensitive data, you should absolutely implement something like this.
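As an added example (not code from the original post, from HaveIBeenPwned or from 23andMe), here is that breach check implemented against the real Pwned Passwords range endpoint, with the lookup factored out so the matching logic can be run offline against a constructed response. The canned response body, its counts and the rejection policy in `enforce_at_signup` are made up for the example; the endpoint URL and the `SUFFIX:COUNT` response format are HIBP’s own.

```python
# Added example (not from the original post): checking a password against
# Have I Been Pwned's Pwned Passwords range API using its k-anonymity scheme.
# Only the first 5 hex characters of the SHA-1 hash are sent; the full hash
# and the password itself never leave this host.
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def split_sha1(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup: every hash suffix HIBP knows for this 5-char prefix."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).

    `range_lookup` takes a prefix and returns the response body; it defaults
    to the live API and can be swapped for a canned response in tests.
    """
    prefix, suffix = split_sha1(password)
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        got_suffix, _, count = line.partition(":")
        if got_suffix.upper() == suffix:
            return int(count)
    return 0


def enforce_at_signup(password: str, range_lookup=fetch_range):
    """Policy a registration or password-change handler could apply.
    Rejecting on any hit at all is an assumption; pick your own threshold."""
    n = pwned_count(password, range_lookup)
    if n > 0:
        return False, f"rejected: password seen {n} times in known breaches"
    return True, "ok"


# Constructed stand-in for the range response for prefix 5BAA6 (the prefix
# of SHA-1("password")). Real responses run to ~800 lines; these counts and
# the two neighbouring suffixes are made up.
FAKE_RANGE_5BAA6 = """\
1E2FA01D8ECDAA4C9BC8D5A4A0E4B2D7A6E:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F9B7D5BF1F3D1F3E4C1A2B3C4D5E6F7A8B:1
"""


def fake_lookup(prefix: str) -> str:
    """Offline lookup: canned data for 5BAA6, an empty range for anything else."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(enforce_at_signup("password", fake_lookup))
    print(enforce_at_signup("correct horse battery staple", fake_lookup))
```

Because the prefix is shared by hundreds of real hashes, the request reveals nothing useful about which password was checked; that is why this can be called from server-side code without turning the check itself into a credential leak.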

Why This Matters: You Are the Product, and the DNA Is Forever

If your company is handling personally identifiable information (PII) – let alone detailed genetic information, coupled with PII – your company should be built on a foundation of security. Instead, 23andMe have been more concerned with selling your genetic information and offloading the company to escape years of unprofitable operations.

This kind of harm doesn’t just apply to genetic data – but to all personal information that you share with companies. Given that, you need to be vigilant with your own security. Always opting in to optional MFA and using a unique, complex password for every site massively improves your data security, because a password leaked from one site can then no longer be stuffed into another. If you’re considering giving data to a company that doesn’t offer MFA, you probably shouldn’t.

What You Can Do: How to Delete Your 23andMe Data

If you’ve used 23andMe and are now (rightfully) rattled about the privacy of your genetic data, the platform does give you the option to delete your information. Check our guide on how to delete your genetic data from 23andMe, or just follow the steps below. While the process is needlessly opaque, it is possible – and the sooner you act, the better. Especially before another breach, acquisition, or auction puts your DNA in yet another pair of hands.

  1. Log into your 23andMe account.
  2. Go to your Settings.
  3. Find the section that says “23andMe data”.
  4. Click “View”.
  5. Then click to “Permanently delete data” and confirm your request.

Your Other Data is At Risk

While the fine is a win – the existence of 23andMe incorporated genetic information into the digital footprint of all of their users. Further to this, they’ve also shared, sold, and leaked this incredibly sensitive data.

But, your digital footprint is likely far bigger, contains far more data in many other places – this mosaic of information about you can be leveraged by bad actors in a variety of ways; phishing, vishing, and other scams, along with hacks, harassment and more. The recent Minnesota Shooting even leveraged the digital footprints of politicians to target their victims.

For most people, their footprint is largest on social media – whether public or private (we hope private), your socials are likely a treasure trove of PII about you, your family, and your friends. This drives up the risk of attacks directed at you and those you care about massively.

If you’re looking to clean up your digital footprint elsewhere, tools like Redact.dev can help you mass delete old posts, messages, and account history from dozens of online platforms – giving you more control over your personal data. You can try Redact for free on Facebook, Twitter, Reddit, and Discord simply by downloading the app and setting up a free account.

P.S. Our app is 100% password-less and runs locally, so no non-essential data leaves your device and there are no stored passwords for us to leak.

© 2025 Redact - All rights reserved