
In July 2023, someone logged into a single free 23andMe account more than a million times in one day — enough to crash the platform — and tried to transfer 400 profiles out of it.3 These are not subtle events. They are the digital equivalent of a stranger rattling every door on a street, then loading a moving van. 23andMe investigated, and moved on. It did not connect the rattling to the breach already five months underway.3 The next month, a Reddit post claimed ten million records had been stolen. The company called it a hoax.3 By the time it admitted anything was wrong, in October, the data was already for sale.

The official story is that 23andMe was hacked, and the hack destroyed it. Almost every part of that is wrong. 23andMe's own systems were never breached — the company said so itself, that it had 'no indication of a data security incident within our systems.'2 And the breach, on its own, was small. What turned a small breach into a company-ending event was not the attacker. It was 23andMe's own product, and then its own response to the public.

A 14,000-account problem became a 6.9-million-person one

Here is the mechanism, and it is the whole story. The attackers used credential stuffing — passwords harvested from other companies' breaches, including the earlier MyHeritage breach, tried against 23andMe accounts.4 That technique only works against people who reused a password, so it caught a small slice: fewer than 14,000 accounts, less than 0.1% of 23andMe's roughly 14 million customers.2 On its own, that is a Tuesday in cybersecurity — a rounding error of compromised logins. It should never have made the news.

But 23andMe had built a feature called DNA Relatives, and DNA Relatives is the reason this story exists. It is opt-in, and it is the emotional core of the product: it shows you the strangers who share your genes, with their display names, birth years, ancestry estimates, and how closely you match. To deliver that, every opted-in account can see across to others. So when the attacker stole 14,000 front-door keys, those keys opened a window onto everyone else. Through those compromised accounts, the attacker scraped roughly 5.5 million DNA Relatives profiles and 1.4 million Family Tree profiles2 — almost 7 million people worldwide, none of whom had been hacked, all of whom had been exposed.3

| | The actual compromise | The exposure |
|---|---|---|
| How it happened | Credential stuffing (reused passwords) | The DNA Relatives feature, working as designed |
| People affected | Fewer than 14,000 accounts (<0.1%) | Almost 7 million people |
| 23andMe systems breached | No | No |
| What was taken | Account access | Names, ethnicity estimates, match %, family trees |

Table: The breach vs. what the breach became

<0.1% of customers were actually compromised — under 14,000 accounts. The feature did the rest, scaling it to nearly 7 million.2

This is the thesis, and it reframes the entire event: 23andMe's collapse was not a security failure so much as a product-liability failure. The attacker exploited reused passwords. The 6.9-million-person blast radius was built by 23andMe, on purpose, as a feature, years earlier. The company had also offered multi-factor authentication since 2019 — but kept it optional, explicitly to avoid 'friction in the user experience,' per the joint Canada-UK regulators. Fewer than 22% of customers had turned it on.3 Every one of those choices was a small, reasonable-sounding trade for growth. Together they loaded the gun the attacker eventually fired.

The crisis response that cost more than the crisis

A company can survive a breach. What 23andMe could not survive was how it behaved around one. According to California's complaint, the company ignored 1,300 login requests per minute from a single IP address — a textbook attack signature — and, more damningly, paid the threat actor $400,000 in cryptocurrency to disclose the exploited vulnerabilities and remove damaging posts.4 The complaint alleges that while it was negotiating that quiet ransom, it was telling the public it had not suffered a system breach.4 One message for the regulators-to-come, another for the attacker. Both could not be true.
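The signals this paragraph and the July 2023 timeline entry describe (one IP hammering the login endpoint at a rate no human produces, one IP trying a long list of different usernames, and a single account receiving an implausible number of logins in a day) can all be pulled out of an ordinary authentication log. The following Python is an added example, not 23andMe's code or any vendor's product; the log lines, IP addresses, usernames and the alert thresholds are constructed for illustration and would need tuning against a real baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth log (not real 23andMe data). Format per line:
#   "<ISO timestamp> <client ip> <username> <OK|FAIL>"
# Three planted patterns sit on top of ordinary traffic:
#   - 203.0.113.7 sprays 1,500 different usernames inside one clock minute
#   - the account "freeacct" receives 2,000 logins in a single day
#   - 50 ordinary users, each logging in once from their own address
def build_sample_log():
    lines = []
    for i in range(1500):                                # stuffing burst
        sec = i * 60 // 1500                             # all within 10:00-10:01
        lines.append(f"2023-07-15T10:00:{sec:02d} 203.0.113.7 user{i} FAIL")
    for i in range(2000):                                # one account, all day
        hour, rem = divmod(i, 100)                       # 20 hours x 100 logins
        minute = rem * 60 // 100
        lines.append(f"2023-07-15T{hour:02d}:{minute:02d}:00 "
                     f"198.51.100.{i % 250 + 1} freeacct OK")
    for i in range(50):                                  # benign traffic
        lines.append(f"2023-07-15T11:{i:02d}:00 192.0.2.{i + 1} person{i} OK")
    return "\n".join(lines)

def parse_log(text):
    """Turn raw lines into dicts with a real datetime so they can be bucketed."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK"})
    return events

def peak_attempts_per_minute(events):
    """Highest number of attempts a single IP made within one clock minute."""
    buckets = defaultdict(int)
    for e in events:
        buckets[(e["ip"], e["ts"].replace(second=0))] += 1
    peak = defaultdict(int)
    for (ip, _), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)

def distinct_users_per_ip(events):
    """How many different usernames each IP tried: the stuffing signature."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in seen.items()}

def logins_per_account_per_day(events):
    """Logins per (account, calendar day): the 'million logins in a day' flag."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["ts"].date())] += 1
    return dict(counts)

def stuffing_alerts(events, rate_threshold=300, spray_threshold=100,
                    account_threshold=500):
    """Apply illustrative thresholds (assumptions; tune to your own baseline)."""
    alerts = []
    for ip, n in peak_attempts_per_minute(events).items():
        if n >= rate_threshold:
            alerts.append(("high_rate_ip", ip, n))
    for ip, n in distinct_users_per_ip(events).items():
        if n >= spray_threshold:
            alerts.append(("username_spray_ip", ip, n))
    for (user, _day), n in logins_per_account_per_day(events).items():
        if n >= account_threshold:
            alerts.append(("account_login_storm", user, n))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, subject, count in stuffing_alerts(parse_log(build_sample_log())):
        print(f"{kind:22} {subject:14} {count}")
```

Run stand-alone it reports three alerts: the spraying IP trips both the rate and the distinct-username checks, and the hammered free account trips the per-day count, while the 50 ordinary users and the slow, single-user traffic from the 198.51.100.x addresses stay quiet. The point of keeping the three checks separate is that each one catches a different variant: a slow spray from many addresses evades the rate check but not the per-account count, and a burst against one username evades the distinct-username check but not the rate check.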

'We do not have any indication that there was a data security incident within our systems.'2
— 23andMe, its public framing during the 2023 incident, while, per California's complaint, it negotiated a $400,000 ransom payment

Then it reached for the worst move in the crisis playbook: it blamed the victims. The company's framing leaned on the fact that the breach started with users reusing passwords — technically true, strategically suicidal.4 When you have spent years marketing yourself as the custodian of the most personal data a person owns, 'you should have picked a better password' is not a defense. It is a confession that you never thought your job was to protect them from themselves. Regulators heard it that way. So did 28 attorneys general, who later argued the company should not be allowed to sell users' data in bankruptcy at all.8

Apr 29, 2023 · The attack begins3 · Credential stuffing starts and runs for five months, undetected as a broader breach.
Jul 2023 · The red flags3 · Over a million logins to one account in a day crash the platform; 400 profile transfers attempted. Investigated, not connected.
Aug 2023 · The 'hoax'3 · A Reddit claim of 10M+ stolen records is dismissed internally as a hoax.
Oct 10, 2023 · Forced disclosure1 · 23andMe files an 8-K, resets all passwords; data is already for sale.
Mar 23, 2025 · Bankruptcy5 · 23andMe files for Chapter 11 in the Eastern District of Missouri.

The bill for all of this was not the breach — it was the legal exposure the response created. The class-action settlement, agreed in principle at $30 million, climbed to a final $50 million approved in January 2026.6 A Consumer Privacy Ombudsman's 200-plus-page report concluded the company could not assure that data could be sold in bankruptcy without violating non-bankruptcy law absent affirmative customer consent — and noted that customers had alleged they could not even reliably delete their data or destroy their samples despite the company's promises.5 California's AG sued. Congress held a hearing.8 None of that was triggered by 14,000 stolen logins. It was triggered by what 23andMe did after.

Wasn't it the business model, not the breach?

The honest counter is that 23andMe was already dying. Its product was a one-time purchase — you spit in a tube once and never need to again — with no durable repeat revenue, and its bet on turning genetic data into pharmaceutical licensing never paid off. That impairment was real, and it would have caught up with the company regardless. So it is fair to say the breach didn't kill a healthy business; it pushed a sick one off a ledge it was already walking toward. But that concedes the point rather than rebutting it. A company with thin margins and no second sale cannot afford a self-inflicted regulatory and litigation crisis — and a $50 million settlement, a 28-state coalition, and a Congressional hearing are exactly the kind of weight a structurally fragile business cannot carry. The breach didn't have to be fatal. The response made it so.

Your features define your blast radius, not your attackers

The instinct after a breach is to count the locks that failed. The more important question is what each compromised account can reach — because that, not the attacker's skill, sets the size of the disaster. 23andMe's DNA Relatives feature meant 14,000 keys opened a window onto 7 million people; the exposure was a design decision made years before any attacker showed up. So audit your features the way an attacker reads your org chart: every cross-account visibility, every 'frictionless' default, every optional safeguard is a multiplier on the next breach. And when it comes: tell one true story, to everyone, at once. The gap between what 23andMe told the public and what it paid the attacker is what turned a security event into a liability event — and liability is what does not file for bankruptcy and walk away.
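To make the 'audit your features' advice concrete, here is an added Python model of the mechanism described in this paragraph and in the DNA Relatives section above. It is not 23andMe's code, and the account population, the rule for who is matched to whom, and every number in it are constructed to mirror the article's proportions (0.1% of accounts with a reused password, roughly a fifth with MFA enabled, most accounts opted in). It computes the blast radius of a credential-stuffing takeover under the design the article describes, then under two hypothetical alternatives: capping how many matches one account may view, and making a second factor mandatory. The assumption that a second factor defeats a replayed password, and the `max_visible` knob, are modelling simplifications rather than anything the article attributes to the company.

```python
from collections import defaultdict

def make_population(n=10000):
    """Constructed accounts (not real data). id % 5 == 0 -> not opted into the
    relatives feature (80% opt-in); id % 5 == 1 -> MFA enabled (20%, the
    regulators' 'fewer than 22%'); id % 1000 == 7 -> reused a password that
    leaked in someone else's breach (0.1%)."""
    return [{"id": i,
             "opted_in": i % 5 != 0,
             "mfa": i % 5 == 1,
             "reused_password": i % 1000 == 7}
            for i in range(n)]

def relatives_view(pop, cluster_size=500, max_visible=None):
    """What each opted-in account can see through the feature. Modelling
    assumption: opted-in accounts whose ids fall in the same block of
    `cluster_size` are matched to each other. `max_visible` is a hypothetical
    design knob capping how many matches one account may view."""
    by_cluster = defaultdict(list)
    for a in pop:
        if a["opted_in"]:
            by_cluster[a["id"] // cluster_size].append(a["id"])
    view = {}
    for a in pop:
        if a["opted_in"]:
            others = [b for b in by_cluster[a["id"] // cluster_size] if b != a["id"]]
            view[a["id"]] = others[:max_visible]    # [:None] keeps the whole list
    return view

def stuffed_accounts(pop, mfa_mandatory=False):
    """Accounts a credential-stuffing run takes over: a reused password and no
    second factor. Assumption: a second factor defeats a replayed password."""
    return [a["id"] for a in pop
            if a["reused_password"] and not (a["mfa"] or mfa_mandatory)]

def blast_radius(compromised, view):
    """(accounts compromised, people exposed): the compromised accounts plus
    every profile any of them can reach through the feature."""
    exposed = set(compromised)
    for c in compromised:
        exposed.update(view.get(c, ()))
    return len(compromised), len(exposed)

def audit(n=10000):
    """Exposure under the design described in the article and two alternatives."""
    pop = make_population(n)
    return {
        "as_designed":   blast_radius(stuffed_accounts(pop), relatives_view(pop)),
        "capped_to_50":  blast_radius(stuffed_accounts(pop),
                                      relatives_view(pop, max_visible=50)),
        "mfa_mandatory": blast_radius(stuffed_accounts(pop, mfa_mandatory=True),
                                      relatives_view(pop)),
    }

if __name__ == "__main__":
    for design, (compromised, exposed) in audit().items():
        mult = exposed / compromised if compromised else 0
        print(f"{design:14} compromised={compromised:3} exposed={exposed:5} "
              f"multiplier={mult:.0f}x")
```

With 10,000 constructed accounts, ten of them fall to credential stuffing as designed, and those ten reach 4,000 people: a 400x multiplier that has nothing to do with the attacker and everything to do with how far one login can see. Capping each view to 50 matches brings the same ten compromises down to 510 people exposed, and a mandatory second factor removes the stuffing foothold altogether in this model. The number worth tracking in a feature audit is the ratio, exposed over compromised, because that is the multiplier the next breach inherits.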

The data lived on. In July 2025, after the Eighth Circuit refused to block the sale, 23andMe's assets went for $305 million to TTAM Research Institute — a nonprofit led by co-founder Anne Wojcicki, which outbid Regeneron's $256 million and pledged to keep the existing privacy policies in perpetuity.7 The genomes survived their company. That is the quiet, unsettling ending: the thing 23andMe could never quite protect outlasted the corporation built to hold it.

23andMe was not undone by a hacker who got past its defenses. It was undone by a feature that scaled a small breach into a national one, and by a response that scaled a manageable problem into a fatal one. The lesson is colder than 'use a better password.' It is that in a business built on the most sensitive data a person owns, your real exposure is never the strength of your locks — it's the reach of your features and the honesty of your apology. 23andMe got both wrong, in that order, and discovered what each one costs.


Sources

Where this comes from — the filings, records, and reporting behind it.

  1. Primary · SEC filing · Documented. 23andMe filed a Form 8-K with the SEC on October 10, 2023, disclosing that a threat actor accessed user profile information shared through the DNA Relatives feature; an amended 8-K/A was filed with supplemental detail including that 23andMe required all users to reset passwords on October 10, 2023, and mandated two-step verification for all users on November 6, 2023.
  2. Primary · Company record · Documented. 23andMe's own blog (December 2023) confirmed: the threat actor accessed fewer than 14,000 accounts (less than 0.1% of 14 million customers) via credential stuffing, then used those accounts to access ~5.5 million DNA Relatives profiles and ~1.4 million Family Tree profiles; the company stated it had no indication of a breach within its own systems; MFA had been offered since 2019 but was not mandatory.
  3. Primary · Company record · Documented. Joint Canada-UK ICO investigation (published June 17, 2025) found: the credential-stuffing attack began April 29, 2023, and ran for five months; in July 2023 the hacker logged into a free account over one million times in one day (crashing the platform) and attempted 400 profile transfers — both investigated by 23andMe but not connected to the larger breach; in August 2023 a claim of 10M+ stolen records was dismissed as a hoax; fewer than 22% of customers had opted into MFA or SSO; 23andMe explicitly chose not to make MFA mandatory to avoid user-experience friction; 23andMe's password policy did not meet 2023 industry best-practice standards; total affected worldwide was almost 7 million, including ~320,000 in Canada and 155,600 in the UK.
  4. Primary · Court record · Documented. The California AG's complaint (People v. Chrome Holding Co., SF Superior Court, May 2026) alleges: 23andMe ignored 1,300 login requests per minute from a single IP address (a classic red flag); 23andMe paid the threat actor $400,000 in cryptocurrency in exchange for disclosing vulnerabilities and removing damaging online posts; 23andMe publicly stated it had not experienced a system breach while simultaneously negotiating the ransom; the company downplayed the sensitivity of stolen data and attempted to shift blame to customers; ~855,541 Californians were affected; the attack exploited credentials stolen in prior breaches including the MyHeritage breach.
  5. Primary · Court record · Documented. 23andMe filed for Chapter 11 bankruptcy on March 23, 2025, in the U.S. Bankruptcy Court for the Eastern District of Missouri; the court-appointed Consumer Privacy Ombudsman issued a 200+ page report on June 11, 2025, concluding the company could not assure that applicable non-bankruptcy laws would not be violated by the data sale without affirmative customer consent; the Ombudsman also found that consumers had alleged difficulties actually deleting their data and destroying biological samples despite company representations.
  6. Published · Widely reported. Class-action settlement: 23andMe agreed to a $30 million settlement (later proposed to increase to $50 million post-bankruptcy); Judge Brian C. Walsh granted final approval on January 30, 2026; settlement covers all U.S. claims regarding the 2023 credential-stuffing incident; claims deadline passed February 17, 2026; plaintiffs' counsel receive one-quarter to one-third of the fund; class members also receive three years of complimentary monitoring services.
  7. Primary · Company record · Documented. TTAM Research Institute — a nonprofit public benefit corporation led by 23andMe co-founder and former CEO Anne Wojcicki — acquired substantially all of 23andMe's assets for $305 million; the sale was approved by U.S. Bankruptcy Court Judge Brian Walsh on June 30, 2025, and closed July 14, 2025; TTAM outbid Regeneron Pharmaceuticals ($256 million); the Eighth Circuit rejected California's emergency motion to block the sale; TTAM committed to maintaining existing privacy policies in perpetuity and adding additional consumer protections.
  8. Primary · Archival · Documented. The House Committee on Oversight and Government Reform held a hearing titled 'Securing Americans' Genetic Information: Privacy and National Security Concerns Surrounding 23andMe's Bankruptcy Sale' on June 10, 2025, with witnesses including Anne Wojcicki and interim CEO Joe Selsavage; a bipartisan coalition of 28 attorneys general had argued 23andMe should not be permitted to sell users' biometric data during bankruptcy; the FTC Chairman sent a letter to the acting U.S. Trustee on March 31, 2025, emphasizing any buyer must honor 23andMe's existing privacy commitments.