In December 2023, genetic testing company 23andMe confirmed that a data breach [6] had exposed the personal information of nearly 7 million users [2].


The attack ran for about five months [4] [7]. Using credential stuffing, that is, trying username and password pairs leaked in earlier breaches of other services, the attackers logged in to roughly 14,000 user accounts, and the stolen data they later offered for sale was sorted by ancestry, including lists of users with Ashkenazi Jewish and Chinese heritage [6]. The compromised data included usernames [5] [6], passwords [1] [3] [4] [6] [7], raw genotype data [5] [6], health predisposition reports [5] [6], and carrier-status reports [5]. Because each compromised account could view profile data of its genetic matches, the attackers also harvested personal information from up to 5.5 million users who had opted in to connect with genetic relatives [4] [5], far more people than the number of accounts actually broken into. The breach became public only after a user posted about the stolen data on a subreddit [5].

In response, 23andMe required all users to reset their passwords and made two-factor authentication mandatory. The company was nevertheless criticised for downplaying its own responsibility and shifting blame onto customers for reusing passwords that had been exposed elsewhere. Changes to its terms of service drew further backlash for potentially hindering legal action by victims. Lawsuits alleging negligence and invasion of privacy have been filed, and experts warn of risks such as identity fraud and blackmail [4]. Financially, 23andMe's share price fell to $0.734, and the company's market value is down about 98% from a peak of roughly $6 billion [2], raising concerns that its stock could be delisted.
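The mechanism described above, a long-running credential-stuffing campaign that succeeded against accounts without a second factor, leaves a recognisable pattern in authentication logs: one source address cycling through many distinct usernames with a low success rate. The following detector is an added example written for this page, not code from 23andMe or from any cited source; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions that a real deployment would tune.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example for this page; the log format below is assumed, not a real
23andMe format, and the sample entries are constructed (RFC 5737 test IPs).
"""
import re
from collections import defaultdict

# Assumed format: <timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL> mfa=<yes|no>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) mfa=(yes|no)$")

# Constructed sample: 203.0.113.7 sprays eight different accounts with reused
# passwords and gets into two that have no second factor; the remaining lines
# are ordinary users (one with a typo on the first attempt).
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL mfa=no
2023-05-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL mfa=no
2023-05-01T10:00:03Z 203.0.113.7 carol LOGIN_OK mfa=no
2023-05-01T10:00:04Z 203.0.113.7 dave LOGIN_OK mfa=no
2023-05-01T10:00:05Z 203.0.113.7 erin LOGIN_FAIL mfa=no
2023-05-01T10:00:06Z 203.0.113.7 frank LOGIN_FAIL mfa=no
2023-05-01T10:00:07Z 203.0.113.7 grace LOGIN_FAIL mfa=no
2023-05-01T10:00:08Z 203.0.113.7 heidi LOGIN_FAIL mfa=no
2023-05-01T10:05:00Z 198.51.100.4 alice LOGIN_OK mfa=yes
2023-05-01T10:06:00Z 198.51.100.9 erin LOGIN_OK mfa=no
2023-05-01T10:07:00Z 192.0.2.20 frank LOGIN_FAIL mfa=no
2023-05-01T10:07:30Z 192.0.2.20 frank LOGIN_OK mfa=yes
"""


def parse_log(text):
    """Parse log text into event dicts; rejects lines that do not match the format."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, ip, user, result, mfa = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user,
                       "ok": result == "LOGIN_OK", "mfa": mfa == "yes"})
    return events


def detect_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A single user mistyping a password hits one username and is never flagged;
    a stuffing list hits many. Successful logins from a flagged IP are listed
    as probably compromised: a correct password from that source is evidence
    of reuse, not of legitimacy. Thresholds are assumed values.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        successes = sum(1 for e in evs if e["ok"])
        rate = successes / len(evs)
        if len(users) >= min_users and rate <= max_success_rate:
            findings[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "success_rate": rate,
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            }
    return findings


def logins_without_mfa(events):
    """Accounts that completed a login on password alone; the policy gap 2FA closes."""
    return sorted({e["user"] for e in events if e["ok"] and not e["mfa"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, f in detect_stuffing(evs).items():
        print(f"{ip}: {f['attempts']} attempts, {f['distinct_users']} users, "
              f"success rate {f['success_rate']:.2f}, compromised {f['compromised']}")
    print("password-only logins:", logins_without_mfa(evs))
```

On the constructed sample the detector flags 203.0.113.7 (8 attempts, 8 usernames, 25% success) and names carol and dave as the accounts to lock and re-verify, while the ordinary users are untouched. The second function is the inventory a team would want before making 2FA mandatory: every successful password-only login is an account that the same campaign would have walked straight into.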


The 23andMe breach underscores the importance of mandatory two-factor authentication for all SaaS applications that hold sensitive personal data: stolen or reused passwords alone should not be enough to log in. It also shows that the login check is not the whole story. A relatively small number of compromised accounts (about 14,000) yielded data on millions of other users through the relative-matching feature, so features that expose other users' data need rate limiting and monitoring for bulk access, and a campaign that runs for five months should not go unnoticed. The incident has had significant impacts on the company's reputation, financial standing, and legal liabilities, and it highlights the need for proactive measures to prevent such breaches in the future.