23andMe Data Breach Implications and the Continued Fallout
Nathan E Botts
/ Categories: Security

23andMe Data Breach Implications and the Continued Fallout

What to consider if you shared your DNA data

Genetic profiling company 23andMe is currently investigating a data scraping incident where private user information was stolen from its website. The confirmation came five days after an undisclosed entity advertised the sale of private data of millions of 23andMe users on an online crime forum. The alleged stolen data included details like origin estimation, phenotype, health records, photographs, and other identification data. Speculation arose that the CEO of 23andMe knew about this breach two months prior and had kept it under wraps. However, in response, a representative of the company contested that there's no proof of 'health information' being part of the posted data and currently, these are just unverified claims.

Recent updates have identified further fallout of the 23andMe breach. A spokesperson for 23andMe, Katie Watson, informed TechCrunch that hackers accessed the personal data of approximately 5.5 million customers who use the DNA Relatives feature. This feature allows users to share some of their genetic data with others. The compromised data includes names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations.

Additionally, another group of about 1.4 million people who opted into DNA Relatives had their Family Tree profile information accessed. This includes display names, relationship labels, birth years, self-reported locations, and information on whether they chose to share their data. 23andMe had declared part of its email as "on background," meaning both parties must agree to the terms in advance. TechCrunch published the reply as they were not given an opportunity to reject these terms.

The breach was attributed to data scraping, a method where attackers systematically extract smaller bits of information available to individual users, ultimately compiling large volumes of data. The attackers had unauthorized access to specific 23andMe accounts, which had the DNA relative feature activated. This feature lets users find potential relatives by viewing the basic profile details of others who have also opted into the feature. Officials from 23andMe emphasized that there isn’t any evidence suggesting a direct breach in their security systems. Instead, they suspect the login credentials might have been gathered from data leaks from other platforms where users reused their passwords. It was highlighted that the attackers have, in all likelihood, violated the company’s terms of service. Reports have emerged claiming that the data dump consists of 13 million pieces of information, with specifics regarding the nature and number of affected users still undisclosed. However, notable mentions include a leaked database of 1 million users of Ashkenazi descent and another 300,000 users of Chinese descent, all of whom had activated the DNA relative feature.

Recent events highlight the inherent risks associated with storing genetic data online. In 2018, another genetic data company, MyHeritage, faced a breach where over 92 million users' email addresses and passwords were compromised. The same year, officials in California utilized a different genealogy site, GEDMatch, to locate a suspect related to murders that had taken place 40 years prior. The suspect was identified not through his DNA but a relative's who had submitted a sample to GEDMatch. Storing genetic information online offers benefits like tracing lineage and finding relatives, but it also poses significant privacy threats. Even with strong passwords and two-factor authentication, as advocated by 23andMe, users' data remains vulnerable. The only foolproof way to safeguard it from online theft is to avoid online storage altogether.

SOAP Notes on what to consider about the 23andMe breach: Subjective, Objective, Assessment, and Plan

Subjective (Patient's feelings, history, complaints, etc.):

  • Concerns about the safety and security of storing genetic information online.
  • Anecdotal mentions of past breaches affecting other users.


Objective (Factual, measurable data):

  • 23andMe confirmed a data scraping incident involving private user data.
  • Unknown entity advertised the sale of millions of 23andMe user data.
  • Data purportedly includes origin estimation, phenotype, health records, photos, and identification.
  • Attackers gained unauthorized access using the DNA relative feature.
  • There are claims of around 13 million pieces of data being stolen.
  • In 2018, MyHeritage reported a breach affecting 92 million users.
  • Law enforcement officials have previously used genealogy sites for investigations.


Assessment (Professional's judgment based on the above two):

  • DNA testing platforms, while beneficial for tracing lineage and identifying relatives, carry inherent risks regarding user data privacy.
  • Even with advanced security features, such as strong passwords and two-factor authentication, vulnerabilities still exist.
  • External breaches (as seen in other online platforms where users recycle passwords) can indirectly compromise security in DNA testing platforms.


Plan (Recommendations or future plans):

  • Users should exercise caution when deciding to store genetic information online.
  • Always use unique, strong passwords for each online platform and avoid reusing passwords across platforms.
  • Frequently review and update security settings on DNA testing platforms.
  • Remain informed and periodically check the privacy policies and terms of service of these companies.
  • Consider the benefits against potential risks before opting into additional features like the DNA relative feature.
  • If possible, avoid online storage of critical genetic information altogether.



Previous Article What could someone do with your DNA data?
Next Article Navigating the Complexities of HIPAA and Personal Health Data Security
1337 Rate this article:
2Upvote 0Downvote
Please login or register to post comments.
All information, thought, and references provided on Health eConsultation is intended for informational and educational purposes only. Health eConsutlation currently makes no attempt at HIPAA privacy compliance. Any trade names used are information and details given for the convenience of users and do not constitute an endorsement from Health eConsultation.
Use this site at your own risk, and do not use the information to make medical or legal decisions without first seeking guidance from a medical or legal professional.
Plain and simple, ads are used to help pay for the cost of the server and resources required to serve Health eConsultation members and provide an objective resource of health information and health education. Subscribers of Health eConsultation can access the site without having to view ads.
We are passionate about the therapeutic benefits that can be derived from appropriately applied health education .
More informed patients are healthier and less costly to provide care to.
We seek to give consumers and patients a voice, because in the end we are them.
Evidence based practices is what nurtures a thriving health system.


Health eConsultation members believe that health improvement is about patient knowledge, motivation and opportunity to act in concert with healthcare professionals to improve their condition.
Our primary purpose is to build a community around unbiased Health IT education so that people are able to focus on the information they need without having to navigate the vast amount of information that is available on the web.
Health eConsultation seeks to leverage responsible, engaging and, hopefully, motivating education, and information resources. The idea is not to scrape the content of other sites, but to investigate, synthesize, and report in order to create an evidence-base founded on increased rigor and research.
Health eConsultation educational material and website information are provided primarily through free resources, although some sites mentioned might require further registration and payment for particular membership or services.
All information, thought, and references provided on Health eConsultation is intended for informational and educational purposes only. Health eConsutlation currently makes no attempt at HIPAA privacy compliance. Use this site at your own risk, and do not use the information to make medical decisions without first seeking guidance from a medical professonal.
By registering with Health eConsultation you can participate in comments, ratings, and bookmarking. You can also keep track of the time that you spend learning about certain topics for your own records or to share whith health professionals you are working with.