23andMe data breach
The 2023 23andMe breach began as credential stuffing against reused customer credentials rather than a direct compromise of every affected account. The attack accessed 18,222 accounts, but the DNA Relatives feature exposed information about almost seven million people through the relationship graph around those accounts.
The joint Canadian and UK investigation found inadequate password controls, optional rather than mandatory multi-factor authentication, weak detection and logging, and insufficient protection around raw DNA downloads. The UK regulator imposed a GBP 2.31 million penalty in 2025.
The incident matters in Case for privacy and security because genetic data is persistent and relational. A password can be changed; ancestry, kinship, health indicators, and the implications for relatives cannot be reissued after disclosure.