Cyber-attack Timeline: 23andMe

Educational & easy-to consume visual guides to understanding attacks & enhancing resilience

23andme Summary cover 23andme timine_500

Download Our Educational Cyber-Attack Timeline (23andMe)

Building global Cyber Resilience through effective Cyber Incident Planning & Response  is at the heart of everything we do at Cyber Management Alliance.

We scrutinize past cyber-attacks, ransomware attacks and data breaches to understand the tactics, techniques and procedures most commonly used by threat actors. Studying recent attacks in the past also contains valuable lessons on how Incident Management can be improved and defences strengthened accordingly.

This is why we regularly create informative and visual Cyber Attack timelines and detailed reports which are designed for readability, educational use, and for bolstering cyber resilience. Download our 23andMe Cyber Attack Timeline today. 

Don't forget to read our blog on the 23andMe Cyber Attack.

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • ** GDPR ** We wholeheartedly believe your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data. 
  • Align with the GDPR requirements.
  • Increase your Breach Readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed Mr. Cooper attack document and timeline.

cyber-essentials-certification
NCSC Certified Training B&W 300px
CSC

FAQs on the 23andMe Cyber Attack

  • What happened in the 23andMe data breach?

    In 2023, the genetic testing company 23andMe suffered a major data breach in which attackers gained access to customer accounts and harvested sensitive personal and genetic information. Rather than hacking 23andMe’s systems directly, the attackers used credential stuffing — logging in with usernames and passwords leaked from other websites. From a relatively small number of compromised accounts, they were able to scrape data on millions of people through 23andMe’s opt-in DNA Relatives feature, and then leaked and offered the data for sale on cybercrime forums.

  • When did the 23andMe breach take place?

    The unauthorised access took place over roughly five months, from around 29 April to 27 September 2023, before being detected. A threat actor first advertised stolen 23andMe data online in August 2023, and data samples began appearing publicly in early October 2023. 23andMe confirmed the breach in October, closed its investigation in December 2023, and disclosed further detail — including the theft of health reports and raw genotype data — in January 2024.

  • How did the hackers get into 23andMe, and what is credential stuffing?

    The attackers used credential stuffing, a technique where usernames and passwords stolen from unrelated, previously breached websites are tried against another service in the hope that people have reused the same login. 23andMe said the credentials were not taken from its own systems; the accounts were accessed because customers had reused passwords that were already circulating online. Once inside those accounts, the attacker could reach data shared through the DNA Relatives feature.

  • Who was behind the 23andMe breach?

    The data was leaked and advertised by a pseudonymous threat actor known as Golem, posting on cybercrime forums including BreachForums and, earlier, other forums. No named individual or group was formally identified, and the attacker’s claims — such as holding 300 terabytes of data — were not all verified. The motive appeared financial, with the data offered for sale and a headline demand of $50 million.

  • How many people were affected by the 23andMe breach?

    23andMe said the attacker directly accessed around 14,000 accounts — less than 0.1% of its roughly 14 million customers — through credential stuffing. However, because those accounts were linked to the DNA Relatives feature, the breach exposed profile information for a far larger group: approximately 5.5 million DNA Relatives profiles and about 1.4 million Family Tree profiles, widely reported as around 6.9 million people in total. Early hacker claims of ‘300 TB’ or millions of records were not all substantiated.

  • What data was stolen in the 23andMe breach?

    The exposed information varied by account but reportedly included full names, usernames, profile photos, sex, date of birth, geographical location, predicted relationships and percentage of DNA shared with matches, and genetic ancestry results. 23andMe later confirmed that, for some customers, health reports and raw genotype data were also accessed. The deeply personal and permanent nature of genetic and ancestry data is what made this breach especially serious.

  • Was a ransom demanded or paid in the 23andMe breach?

    The threat actor sought to profit from the data rather than extort 23andMe directly. They publicly demanded $50 million for the full dataset and offered subsets for sale — at one point for between $1,000 and $10,000, and elsewhere for as little as $1 to $10 per account in bulk. There is no indication that 23andMe paid a ransom; the data was leaked and sold on cybercrime forums regardless.

  • Why were people of Ashkenazi Jewish and Chinese heritage particularly concerned?

    Some of the leaked datasets were specifically compiled and labelled by ancestry, including lists said to contain people with Ashkenazi Jewish heritage and Chinese ancestry. This raised serious concern that targeted ethnic data could be misused, especially amid a rise in antisemitic and anti-Asian rhetoric. The Connecticut Attorney General highlighted this specific risk in a formal inquiry to the company.

  • Was 23andMe’s own system hacked?

    According to 23andMe, no. The company stated there was no evidence of a data security incident within its own systems and that it was not the source of the leaked credentials. Instead, attackers logged into individual accounts using passwords customers had reused from other breached sites. That said, the incident drew scrutiny over how much data a single compromised account could expose through the DNA Relatives feature, and over the company’s wider security and consent practices.

  • How did regulators and the courts respond to the 23andMe breach?

    The breach drew significant legal and regulatory attention. The Connecticut Attorney General sent a formal letter with 14 questions, raising concern that the company may not have met breach-notification requirements and questioning its consent and data-protection practices. At least four class-action lawsuits were filed in California, later joined by others, alleging 23andMe had failed to adequately protect customers’ sensitive genetic data.

  • How did 23andMe respond to the breach?

    23andMe engaged third-party forensic experts, worked with federal law enforcement, and began notifying affected customers. It temporarily disabled some DNA Relatives features, required all existing customers to reset their passwords, and made two-step verification mandatory for new and existing users. It also urged customers to stop reusing passwords and to adopt unique, strong credentials across their accounts.

  • What can organisations and individuals learn from the 23andMe breach?

    The 23andMe breach shows that you do not need to be ‘hacked’ directly to suffer a major incident — reused passwords elsewhere can open the door, and features that share data widely can turn a handful of compromised accounts into a mass exposure. The key lessons are enforcing multi-factor authentication, monitoring for credential-stuffing patterns, minimising how much data any one account can reach, and planning breach response and communications in advance. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning. 

We are industry experienced practitioners when it comes to cyber security training & cyber security consultancy services

1487652208_graduationcap

Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.

1487652701_like

Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.

1487652784_calendar-3

Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.

1487652846_microphone

Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.

1487652632_search

Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.

1487652567_line-chart

Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so we may email you the requested information and pressing the "Get your free copy now"  button acts as informed consent for this processing purpose. Consequently we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and its outputs. (For example, we tend to create insightful mind maps and we also are the creators of free to view Insights with Cyber Leaders Video Interviews. )
    • Ping you a note about upcoming FREE educational webinars on GDPR and Cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.  
  • Using the information from this page we will NOT sell or market to you any of our consultancy or trusted advisory services.  
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engaging in our services. All marketing communication will include an unsubscribe button or other method of ending communication.

Download the 23andMe Cyber Attack detailed document and timeline today. 

download template