23andMe Data Breach

A data breach at 23andMe could affect millions of users and their relatives.

Register with KP Law to find out what happened, and whether you can claim compensation.

Have you been affected by the 23andMe data protection breach?

Genetics testing company 23andMe has experienced a serious data breach. The security violation involves the DNA Relatives feature that allows users to compare ancestry information. The compromised data includes:

Other sensitive information could also be affected.  

23andMe also stores genetic information about the relatives of some of its users. So even if these relatives didn’t send a sample or consent to any data collection, they could also be involved in this privacy violation.     

Following the breach, the hackers are offering the assembled genetic information of thousands of people for sale on the dark web.  

KP Law is investigating this incident, and we are considering a no-win, no-fee group action claim to help victims living in England & Wales claim compensation. To register your interest in joining this action, sign up below and we will be in touch to invite you to join our claim.   

Victims of the 23andMe data breach could be at risk

The hackers are now offering the assembled genetic information of thousands of people for sale on the dark web. 23andMe has not offered victims any credit monitoring or identity protections following the breach.

According to media reports, some of the data for sale specifically targets people with Chinese and Ashkenazi Jewish ancestry. This has raised serious concerns.

To ensure they do not fall victim to further attacks, anyone affected by the 23andMe data breach should be vigilant. At KP Law, we have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft. Our data protection experts strongly advise anyone involved in this breach to be vigilant and take necessary precautions.

We may be able to claim compensation for any distress or financial losses experienced because of this breach and we urge anyone affected to register with us.   


Talk to our expert data breach lawyers today on 0151 459 5850 

23andMe data breach timeline

  • 6 October 2023.
    News broke that 23andMe had experienced a massive data breach.
  • 20 October 2023.
    23andMe said it was temporarily disabling features in the "DNA Relatives" to protect user privacy.
  • 24 October 2023.
    23andMe sent emails to several customers to inform them of a breach into the "DNA Relatives" feature

Latest news

Your questions answered

FAQs about the 23andMe data breach

According to the company, hackers may have used credentials leaked from other websites to breach 23andMe accounts – a technique known as ‘credential stuffing’.  

The compromised data includes:  

      • Relationship labels  
      • Ancestry reports  
      • Matching DNA segments  
      • Location  
      • Birth year  
      • Ethnicity   
      • Profile pictures 
      • Family names.     

Other sensitive information could also be affected. 

In an email to affected it users, 23andMe said: 

“We are working with third-party forensic experts on this investigation, as well as federal law enforcement. We have also required all customers to reset their passwords. Security and privacy are the highest priorities at 23andMe. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Beginning in 2019, we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.  

23andMe has also advised users change their login information and enable two-factor authentication to keep their accounts secure. 23andMe has not offered victims any credit monitoring or identity protections following the breach.   

23andMe should be in touch to notify affected individuals. 

Anyone who thinks they might be involved should take immediate steps to protect themselves.  Find out how to do this here 

If you live in England or Wales and you receive notification that you are affected by the 23andMe data breach, register to receive updates on our investigation. We’ll let you know what’s happening, and if and when you can make a no-win, no-fee data breach compensation claim.   

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions. 

If we do launch a group action, there are no costs to join a claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At KP Law, our success fee is competitive, and we make sure you are fully informed about any potential costs before you officially join our action. If you lose, you won’t have to pay a penny.