Breach Teardown

Consumer Genomics
2023

What Caused the 23andMe Breach?

Attackers logged in to roughly 14,000 23andMe accounts using passwords reused from other breaches, about 0.1% of customers. The product’s relative-matching features then amplified those footholds into scraped profile data for approximately 6.9 million people. For customer identity programs, this is the case that proves authentication strength and data blast radius cannot be assessed separately.

Scale
~6.9M profiles scraped via ~14,000 accounts
Attack vector
Credential stuffing amplified by data-sharing features
IAM domains implicated
CIAM, CIAM × Data, Security
Domino controls hit
1 of 3

The Incident

What Happened

In October 2023, 23andMe disclosed that threat actors had accessed customer accounts through credential stuffing, replaying username and password pairs exposed in unrelated breaches against customers who had reused them. The company’s investigation put direct account compromises at roughly 14,000, about 0.1% of its customer base.

The scale came from the product itself. The DNA Relatives and Family Tree features let each compromised account view profile information of genetic relatives who had opted in to sharing. Through those features the attackers assembled data on approximately 6.9 million people, and portions were advertised on underground forums as curated lists targeting users by ethnic background, which sharpened the harm well beyond typical PII exposure.

Customer MFA existed but was optional and lightly adopted at the time. 23andMe made two-factor authentication mandatory for all customers that November. The incident drew a joint investigation by the UK Information Commissioner’s Office and Canada’s privacy commissioner, and the ICO ultimately issued a £2.31 million fine.

Attack Chain

How the Attack Compounded

Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.

  1. Credential lists from unrelated breaches are replayed against the customer login endpoint at scale.

    CIAM-01

  2. Accounts with reused passwords fall. MFA is optional and mostly unenrolled, so a password alone suffices.

    CIAM-01

  3. Each compromised account’s DNA Relatives view exposes thousands of relatives’ profiles, multiplying 14,000 accounts into 6.9 million affected people.

    CIAM-DATA-01

  4. Months of systematic scraping across accounts proceeds without behavioral detection intervening.

    SEC-03

Control Mapping

The IAM Controls That Failed

Every failure point below corresponds to a control in the AXIS question bank, the same 3 controls a maturity assessment would have scored before this incident.

AXIS controls that failed in the 23andMe breach, with domain, capability, and how each failed
ControlDomainCapabilityHow it failed here
CIAM-01
Domino
CIAMRegistration & OnboardingCustomer registration and authentication offered no resistance to credential stuffing: no enforced MFA, and no effective compromised-credential screening or bot-pattern defense at the login endpoint of a service holding genetic data.
CIAM-DATA-01CIAM × DataCustomer Access-to-Data Visibility & Impact ControlNo one had quantified what a single compromised account could reach. The relative-matching design gave each login a data blast radius of thousands of other people’s profiles, and mapping that access-to-data impact is the analysis that was missing.
SEC-03SecurityUser Behavioral Analytics (UBA)Fourteen thousand accounts systematically enumerating relative profiles is a distinctive behavioral signature. Analytics tuned to customer-facing scraping patterns, not just workforce logins, would have had months of signal.

The Maturity Lesson

What Would Have Changed the Outcome

The Domino Effect

CIAM-01 (registration and onboarding) is a domino control for this reason: when the customer-facing front door is weak, downstream data protections are moot. The 23andMe case adds a second lesson. The CIAM and Data intersection domain exists because authentication risk has to be priced against what an account can reach, and here one password unlocked a genealogy graph.

The Maturity Level That Mattered

At level 2 or 3 on CIAM-01, customer MFA is available and progressively enforced for sensitive actions, with compromised-password screening, rate limiting, and bot management at the login edge. Any of those collapses the economics of this attack. At level 2 on CIAM-DATA-01, the blast radius of a compromised account is a known, bounded, monitored quantity.

The maturity conversation for consumer platforms should start from the data graph rather than the login box. If one account falls, how many people’s data goes with it? This breach forces every CIAM assessment to ask that.

Related Compliance Frameworks

The controls implicated in this breach carry citations in these frameworks within the AXIS bank:

Sources

About This Analysis

This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at 23andMe. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with 23andMe.

Would Your Program Have Caught This?

The 3 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.