nearly 7 million customers
The genetic testing company 23andMe has reached an $18 million bankruptcy settlement with a coalition of 43 state attorneys general, led by Pennsylvania and Oregon. The settlement addresses the company's security failures that led to a major data breach in 2023. Attackers used a credential stuffing technique to compromise user accounts, ultimately exposing the sensitive genetic and personal data of nearly seven million customers. The investigation found that 23andMe's lack of basic security controls, like mandatory multi-factor authentication (MFA), directly contributed to the breach's success.
The data breach, first identified by 23andMe in October 2023, was not a direct hack of its servers. Instead, attackers used lists of usernames and passwords stolen from other, unrelated data breaches and systematically tried them against 23andMe accounts. This credential stuffing attack was successful because many users had reused passwords across different services. Once inside an initial set of accounts, attackers were able to pivot and access even more data through a feature that allowed users to connect with relatives. The stolen data, including genetic ancestry information, was later offered for sale on the dark web.
The primary attack vector was T1110.003 - Brute Force: Credential Stuffing. This technique automates the process of testing large volumes of stolen credentials against a target website. The success of this attack highlights several security deficiencies at 23andMe at the time:
The breach had a severe impact on nearly 7 million customers, including almost 200,000 in Pennsylvania alone. The exposed data is highly sensitive and immutable; unlike a password, genetic information cannot be changed. This puts affected individuals at lifelong risk of being targeted based on their genetic data, health predispositions, and family connections. For 23andMe, the incident led to significant financial distress, culminating in bankruptcy proceedings where its consumer data was sold to the TTAM Research Institute.
No specific Indicators of Compromise (IOCs) were mentioned in the source articles.
To detect credential stuffing attacks, organizations should monitor for:
The most effective control against credential stuffing. Requiring a second factor prevents access even if the password is correct.
Implementing checks against known breached passwords prevents users from choosing credentials that are already compromised and likely to be used in stuffing attacks.
While this is a server-side attack, the principle applies to service-side behavioral analytics, such as detecting high rates of login failures (bot detection).
23andMe discovers the data breach resulting from credential stuffing attacks.
An $18 million bankruptcy settlement with 43 states is announced.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.