Sunday, May 24, 2026
Data Breaches

23andMe Confirms Credential-Stuffing Attack Exposed 6.9 Million Users

Genetic testing company 23andMe confirmed that attackers used credential stuffing to access roughly 14,000 accounts and scraped ancestry data on approximately 6.9 million additional users via the DNA Relatives feature.

Jennifer Park, Privacy & Consumer Tech Reporter

Genetic testing company 23andMe confirmed in an SEC filing that attackers used credential stuffing — automated login attempts with passwords stolen from other breaches — to access approximately 14,000 customer accounts.

The compromised accounts had not enabled two-factor authentication. From those initial intrusions, the attackers used the optional DNA Relatives feature to scrape profile information for an additional 6.9 million users, including names, birth years, relationship labels, and self-reported ethnicity.

The stolen data first surfaced on a dark-web forum in October, with the seller offering targeted lists of "Ashkenazi Jewish" and "Chinese" users — raising alarm among privacy advocates who warned the data could be exploited for harassment or targeted scams.

"The DNA Relatives design choice is at the heart of this," said Andrea Downing, founder of the patient-advocacy group Light Collective. "A breach of 14,000 accounts cascaded into exposure of nearly seven million people because of the social-network-style feature on top of the genetic data."

23andMe has since required all customers to reset their passwords and enable two-step verification. The company faces multiple class-action lawsuits and has updated its Terms of Service to require disputes to go through arbitration — a change that drew criticism from consumer advocates.

Tags: 23andMe, credential stuffing, genetic data, DNA, privacy