Educational & easy-to consume visual guides to understanding attacks & enhancing resilience
Building global Cyber Resilience through effective Cyber Incident Planning & Response is at the heart of everything we do at Cyber Management Alliance.
We scrutinize past cyber-attacks, ransomware attacks and data breaches to understand the tactics, techniques and procedures most commonly used by threat actors. Studying recent attacks in the past also contains valuable lessons on how Incident Management can be improved and defences strengthened accordingly.
This is why we regularly create informative and visual Cyber Attack timelines and detailed reports which are designed for readability, educational use, and for bolstering cyber resilience. Download our 23andMe Cyber Attack Timeline today.
Don't forget to read our blog on the 23andMe Cyber Attack.
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
In 2023, the genetic testing company 23andMe suffered a major data breach in which attackers gained access to customer accounts and harvested sensitive personal and genetic information. Rather than hacking 23andMe’s systems directly, the attackers used credential stuffing — logging in with usernames and passwords leaked from other websites. From a relatively small number of compromised accounts, they were able to scrape data on millions of people through 23andMe’s opt-in DNA Relatives feature, and then leaked and offered the data for sale on cybercrime forums.
The unauthorised access took place over roughly five months, from around 29 April to 27 September 2023, before being detected. A threat actor first advertised stolen 23andMe data online in August 2023, and data samples began appearing publicly in early October 2023. 23andMe confirmed the breach in October, closed its investigation in December 2023, and disclosed further detail — including the theft of health reports and raw genotype data — in January 2024.
The attackers used credential stuffing, a technique where usernames and passwords stolen from unrelated, previously breached websites are tried against another service in the hope that people have reused the same login. 23andMe said the credentials were not taken from its own systems; the accounts were accessed because customers had reused passwords that were already circulating online. Once inside those accounts, the attacker could reach data shared through the DNA Relatives feature.
The data was leaked and advertised by a pseudonymous threat actor known as Golem, posting on cybercrime forums including BreachForums and, earlier, other forums. No named individual or group was formally identified, and the attacker’s claims — such as holding 300 terabytes of data — were not all verified. The motive appeared financial, with the data offered for sale and a headline demand of $50 million.
23andMe said the attacker directly accessed around 14,000 accounts — less than 0.1% of its roughly 14 million customers — through credential stuffing. However, because those accounts were linked to the DNA Relatives feature, the breach exposed profile information for a far larger group: approximately 5.5 million DNA Relatives profiles and about 1.4 million Family Tree profiles, widely reported as around 6.9 million people in total. Early hacker claims of ‘300 TB’ or millions of records were not all substantiated.
The exposed information varied by account but reportedly included full names, usernames, profile photos, sex, date of birth, geographical location, predicted relationships and percentage of DNA shared with matches, and genetic ancestry results. 23andMe later confirmed that, for some customers, health reports and raw genotype data were also accessed. The deeply personal and permanent nature of genetic and ancestry data is what made this breach especially serious.
The threat actor sought to profit from the data rather than extort 23andMe directly. They publicly demanded $50 million for the full dataset and offered subsets for sale — at one point for between $1,000 and $10,000, and elsewhere for as little as $1 to $10 per account in bulk. There is no indication that 23andMe paid a ransom; the data was leaked and sold on cybercrime forums regardless.
Some of the leaked datasets were specifically compiled and labelled by ancestry, including lists said to contain people with Ashkenazi Jewish heritage and Chinese ancestry. This raised serious concern that targeted ethnic data could be misused, especially amid a rise in antisemitic and anti-Asian rhetoric. The Connecticut Attorney General highlighted this specific risk in a formal inquiry to the company.
According to 23andMe, no. The company stated there was no evidence of a data security incident within its own systems and that it was not the source of the leaked credentials. Instead, attackers logged into individual accounts using passwords customers had reused from other breached sites. That said, the incident drew scrutiny over how much data a single compromised account could expose through the DNA Relatives feature, and over the company’s wider security and consent practices.
The breach drew significant legal and regulatory attention. The Connecticut Attorney General sent a formal letter with 14 questions, raising concern that the company may not have met breach-notification requirements and questioning its consent and data-protection practices. At least four class-action lawsuits were filed in California, later joined by others, alleging 23andMe had failed to adequately protect customers’ sensitive genetic data.
23andMe engaged third-party forensic experts, worked with federal law enforcement, and began notifying affected customers. It temporarily disabled some DNA Relatives features, required all existing customers to reset their passwords, and made two-step verification mandatory for new and existing users. It also urged customers to stop reusing passwords and to adopt unique, strong credentials across their accounts.
The 23andMe breach shows that you do not need to be ‘hacked’ directly to suffer a major incident — reused passwords elsewhere can open the door, and features that share data widely can turn a handful of compromised accounts into a mass exposure. The key lessons are enforcing multi-factor authentication, monitoring for credential-stuffing patterns, minimising how much data any one account can reach, and planning breach response and communications in advance. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.
We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.
Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.
A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.
Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.