23andMe notifies customers of DNA data breach  


Genetics testing company 23andMe has emailed customers to alert them to a data breach. The security violation involves the DNA Relatives feature that allows customers to compare ancestry information with other users. The compromised data includes:

Millions of customers could be affected, but 23andMe has not offered victims any credit monitoring or identity protections following the breach. Instead, the company has encouraged users to strengthen their passwords and enable multi-factor authentication.

Victims of the 23andMe data breach are at risk

Following the hack, customers of 23andMe have taken to social media to share concerns that their sensitive data could be used against them. These worries are not unfounded because the hackers are now offering the assembled genetic information of thousands of people for sale on the dark web. According to media reports, this includes sale lists for people with Chinese and Ashkenazi Jewish ancestry, leading to concerns over how this data could be used. 

How did the data breach happen?

Unlike in other high-profile data breaches, on this occasion the hackers did not target the company’s servers. Instead, they targeted hundreds of individual user accounts using login credentials from previously compromised websites. This technique is called ‘credential stuffing’. After gaining access to some user accounts, the hackers then leveraged DNA matches to obtain information about thousands of other people.

Concerningly, 23andMe also stores genetic information about the relatives of some of its users, even if these relatives didn’t send a sample or consent to any data collection. As such, the ramifications of this breach could be considerable.

Claim compensation for the 23andMe data breach

In the wake of the 23andMe data breach, several actions have been launched in the US against the genetic testing company. Complaints include negligence, invasion of privacy, breach of contract, unjust enrichment, and other claims. There are also allegations that 23andMe’s response to the hack was deficient.  

We are investigating this incident to find out how it affects users and their relatives in England & Wales. If you receive notification of your involvement in this breach, sign up below to join our no-win, no-fee action and receive updates on this case.  

In March 2024, our firm changed its name to KP Law. 
