Credential‑Stuffing Breach Exposes Genetic Data of ~7 Million 23andMe Users via DNA Relatives Feature
What Happened – In May 2026 California sued the successor of 23andMe for a 2023 breach that began with credential‑stuffing attacks on the login page. Attackers compromised ~14,000 accounts, then leveraged a coding error in the “DNA Relatives” feature to scrape genetic data of nearly 7 million users.
Why It Matters for TPRM –
- Genetic information is immutable and can be weaponized for discrimination, extortion, or targeted hate.
- The breach demonstrates how a modest credential compromise can cascade into massive data exposure through insecure product features.
- Legal and regulatory fallout (statutory penalties, class‑action risk) can affect downstream partners and data‑processing agreements.
Who Is Affected – Direct‑to‑consumer genetic testing providers, health‑tech platforms that ingest consumer DNA data, and any third‑party services that integrate with 23andMe APIs.
Recommended Actions –
- Review contracts with DNA‑testing vendors for security‑by‑design clauses and breach‑notification obligations.
- Verify that any integrated APIs enforce strong authentication, rate‑limiting, and least‑privilege data access.
- Conduct a risk assessment of downstream data flows that could inherit exposed genetic records.
Technical Notes –
- Attack vector: credential stuffing (replay of credentials stolen in other breaches) → lateral movement → exploitation of a coding error in the DNA Relatives feature that allowed bulk scraping of linked profiles.
- No public CVE; the vulnerability was a logic flaw in the feature’s access controls.
- Data types exposed: full genomic raw data, health‑related traits, ancestry reports, and familial relationship mappings.
- Source: Malwarebytes Labs
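A defender‑side detection sketch for the two stages described in these notes, added here as an example and not taken from Malwarebytes Labs or 23andMe: the first check flags login sources cycling through many usernames with mostly failures (credential stuffing), the second flags accounts that read far more linked profiles than a person would browse (bulk scraping). The log shape, endpoint paths and thresholds are constructed assumptions.

```python
"""Detection sketch for the 23andMe-style chain: credential stuffing on
the login endpoint, then bulk scraping of linked profiles by the few
accounts that were taken over."""
from collections import defaultdict

# Constructed sample events (not real 23andMe logs). Each tuple is
# (source_ip, username, endpoint, http_status). Endpoint paths are hypothetical.
EVENTS = [
    ("203.0.113.7", "alice", "/login", 401),
    ("203.0.113.7", "bob", "/login", 401),
    ("203.0.113.7", "carol", "/login", 401),
    ("203.0.113.7", "dave", "/login", 200),   # one hit out of the list
    ("203.0.113.7", "erin", "/login", 401),
    ("203.0.113.7", "frank", "/login", 401),
    ("198.51.100.2", "grace", "/login", 200),  # ordinary user
    ("198.51.100.2", "grace", "/relatives/42", 200),
] + [("203.0.113.7", "dave", f"/relatives/{i}", 200) for i in range(400)]

def stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """Return IPs that tried many distinct usernames with mostly failures.
    A legitimate user retries one username; a stuffing list cycles through many."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, endpoint, status in events:
        if endpoint != "/login":
            continue
        users[ip].add(user)
        total[ip] += 1
        fails[ip] += int(status != 200)
    return sorted(ip for ip in total
                  if len(users[ip]) >= min_users
                  and fails[ip] / total[ip] >= min_fail_ratio)

def scraping_accounts(events, max_profiles=50):
    """Return accounts that read more distinct relative profiles than anyone
    would browse by hand. Viewing one match at a time is what the feature
    intends; enumerating hundreds is the abuse the access-control flaw allowed."""
    seen = defaultdict(set)
    for ip, user, endpoint, status in events:
        if endpoint.startswith("/relatives/") and status == 200:
            seen[user].add(endpoint)
    return sorted(u for u, paths in seen.items() if len(paths) > max_profiles)

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(EVENTS))    # ['203.0.113.7']
    print("scraping accounts:", scraping_accounts(EVENTS))  # ['dave']
```

Either signal alone is noisy; the strong indicator is their intersection, an account that logged in from a flagged stuffing source and then enumerated profiles, which is where a per‑account rate limit on the relatives endpoint would have cut the cascade short.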