We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

23andMe Data Breach Exposes Data of 6.9 Million Users

Keira Waddell, Former Senior Writer. Published on 5th December 2023.

23andMe has confirmed that hackers gained unauthorized access to the personal information of 6.9 million users. Initially disclosed in early October, the breach impacted 0.1% of the company's customer base, or approximately 14,000 individuals. However, further investigation by 23andMe uncovered a much larger scale of impact, affecting nearly half of the reported 14 million total users.

The breach was executed through a credential stuffing attack, a technique where hackers leverage account information obtained from other security breaches to gain access. The attackers targeted users who had opted into 23andMe's DNA Relatives feature, impacting around 5.5 million individuals. This feature enables automatic data sharing, including names, birth years, relationship labels, DNA sharing percentages, ancestry reports, and self-reported locations.

Another group of approximately 1.4 million users who had also opted into DNA Relatives had their Family Tree profile information accessed. This information includes display names, relationship labels, birth years, self-reported locations, and user decisions regarding information sharing.

23andMe did not disclose these specific numbers in its initial breach announcement. The company attributed the security incident to customers reusing passwords, allowing hackers to brute-force accounts using passwords known from other data breaches.
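How a defender might spot the credential stuffing pattern described above in login logs, as an added example that is not from 23andMe or the original article. The log format, the sample events, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_ACCOUNTS = 5                # assumed: distinct usernames tried per source
MIN_FAIL_RATIO = 0.8            # assumed: share of attempts that fail

# Constructed sample log, one event per line: timestamp ip username OK|FAIL
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice FAIL
2024-01-01T10:00:03 203.0.113.7 bob FAIL
2024-01-01T10:00:04 203.0.113.7 carol OK
2024-01-01T10:00:06 203.0.113.7 dave FAIL
2024-01-01T10:00:07 203.0.113.7 erin FAIL
2024-01-01T10:00:09 203.0.113.7 frank FAIL
2024-01-01T10:01:00 198.51.100.20 gina OK
2024-01-01T10:01:30 198.51.100.20 hank OK
2024-01-01T10:02:00 198.51.100.20 ivan FAIL
2024-01-01T10:03:00 198.51.100.20 judy OK
2024-01-01T10:04:00 198.51.100.20 kim OK
2024-01-01T10:05:00 192.0.2.44 alice FAIL
2024-01-01T10:05:01 192.0.2.44 alice FAIL
""".splitlines()

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Map each flagged source IP to the accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(map(parse, lines)):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:  # slide window forward
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            fails = sum(not ok for _, _, ok in window)
            # Many different accounts, mostly failing: stuffing, not one-account guessing
            if len(users) >= MIN_ACCOUNTS and fails / len(window) >= MIN_FAIL_RATIO:
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

print(detect_stuffing(SAMPLE_LOG))
```

The accounts returned for a flagged source are the ones whose reused password worked, so they are the first candidates for a forced password reset and two-step verification enrollment.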

The breach came to light in October when a hacker claimed to have stolen DNA information from 23andMe users and advertised the data on a well-known hacking forum. The hacker provided proof by publishing alleged data of specific user groups, including one million users of Jewish Ashkenazi descent and 100,000 Chinese users, offering the data for sale at prices ranging from $1 to $10 per account. Subsequent advertisements by the same hacker claimed records of an additional four million people.

Further scrutiny by TechCrunch revealed that another hacker on a different forum had advertised stolen 23andMe customer data two months before the widely reported incident. Analysis of the leaked data indicated some overlap with genetic information published online by hobbyists and genealogists, suggesting the authenticity of at least a portion of the compromised data.

23andMe has initiated steps to address the situation, urging affected users to reset passwords and enforcing mandatory two-step verification for enhanced security. The company is also in the process of notifying impacted users as part of its ongoing response to the breach.

About the Author

Keira was a senior writer at vpnMentor. She is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.
