The ICO said over 150,000 U.K. residents had data stolen in the breach.
# Incident Report: 23andMe 2023 Data Breach and Subsequent Regulatory Fine
## Executive Summary
In 2023, 23andMe suffered a major data breach affecting over 6.9 million users globally, stemming from attackers exploiting weak authentication practices. The U.K. Information Commissioner's Office (ICO) subsequently fined the company £2.31 million (approx. $3.1M) for failing to adequately protect U.K. residents' personal and genetic data. The primary vulnerability exploited was the lack of mandatory multi-factor authentication (MFA) and insufficient steps to secure raw genetic data downloads.
## Incident Details
- **Discovery Date:** Not explicitly stated; the attack ran as a months-long campaign during 2023 and the breach became publicly known in late 2023.
- **Incident Date:** 2023 (duration of the attack campaign).
- **Affected Organization:** 23andMe
- **Sector:** Genetic Testing / Biotechnology
- **Geography:** Global impact, specifically noted impact on over 155,000 U.K. residents.
## Timeline of Events
### Initial Access
- **Date/Time:** Over a months-long campaign throughout 2023.
- **Vector:** Stolen credentials, likely gained via credential stuffing or previous leaks (implied by "accessing thousands of accounts using stolen credentials").
- **Details:** Attackers gained access by exploiting the fact that 23andMe did not require Multi-Factor Authentication (MFA) for accessing accounts.
### Lateral Movement
- **Details:** The article focuses on account takeover leading to data extraction rather than deep internal network lateral movement. Access allowed the download of raw genetic data.
### Data Exfiltration/Impact
- **Details:** Private data on more than 6.9 million users was stolen. Specific concern was the accessibility of raw genetic data due to missing verification steps upon user request. Over 155,000 U.K. residents were impacted.
### Detection & Response
- **How it was discovered:** Not detailed in the source, but publicly acknowledged in late 2023.
- **Response actions taken:** 23andMe rolled out mandatory multi-factor authentication (MFA) for all accounts by November 2023. The company also filed for bankruptcy protection in March 2025.
## Attack Methodology
- **Initial Access:** Credential stuffing/Account takeover facilitated by the absence of mandatory MFA.
- **Persistence:** Not explicitly detailed, but attackers retained access to compromised accounts long enough to sustain a months-long campaign.
- **Privilege Escalation:** Not detailed, but attackers bypassed controls to access sensitive raw genetic data.
- **Defense Evasion:** Exploitation of weak authentication practices served as a primary evasion method.
- **Credential Access:** Use of previously "stolen credentials."
- **Discovery:** N/A (Attacker internal process).
- **Lateral Movement:** N/A (Focus on accessing user data stores).
- **Collection:** Harvesting of personal and genetic data from the accounts accessed.
- **Exfiltration:** Transfer of stolen data sets.
- **Impact:** Data exposure and subsequent regulatory fine.
## Impact Assessment
- **Financial:** £2.31 million fine levied by the ICO against the company. The company also filed for bankruptcy protection later in March 2025.
- **Data Breach:** Personal and genetic data belonging to over 6.9 million users globally.
- **Operational:** Disruption that led to regulatory action and was a contributing factor in the company's eventual bankruptcy filing.
- **Reputational:** Significant negative impact, culminating in regulatory penalties.
## Indicators of Compromise
*Note: Specific IoCs are not provided in the summary, only the vulnerability exploited.*
- **Network indicators:** (Not provided)
- **File indicators:** (Not provided)
- **Behavioral indicators:** Mass account login activity using known credentials; unusually high volumes of raw data download requests per user account.
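The two behavioral indicators above can be expressed as simple detections over authentication and export logs. The following is an added example written for this report; it is not code from the source article or from 23andMe. The log format (`timestamp event source_ip user`), the event names `login_ok`, `login_fail` and `export_raw`, the thresholds, and the sample addresses and accounts are all constructed assumptions for illustration. It flags a source address that successfully logs into many distinct accounts in a short window (the shape of credential stuffing with valid credentials) and an account that issues an unusual number of raw-data export requests.

```python
"""Detection sketch for the behavioural indicators listed in the report.

Added example (not from the report or from 23andMe). Log format, event
names, thresholds and sample values are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, assumed format: "<ts> <event> <src_ip> <user>".
SAMPLE_LOG = """\
2023-05-01T10:00:01Z login_ok 203.0.113.7 alice
2023-05-01T10:00:04Z login_ok 203.0.113.7 bob
2023-05-01T10:00:09Z login_ok 203.0.113.7 carol
2023-05-01T10:00:12Z login_fail 203.0.113.7 dave
2023-05-01T10:00:15Z login_ok 203.0.113.7 erin
2023-05-01T10:00:20Z login_ok 203.0.113.7 frank
2023-05-01T10:05:00Z login_ok 198.51.100.2 gina
2023-05-01T10:06:00Z export_raw 203.0.113.7 alice
2023-05-01T10:06:30Z export_raw 203.0.113.7 alice
2023-05-01T10:07:00Z export_raw 203.0.113.7 alice
2023-05-01T10:07:30Z export_raw 203.0.113.7 alice
2023-05-01T10:09:00Z export_raw 198.51.100.2 gina
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, event, src_ip, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, src, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, src, user))
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {src_ip: set(users)} for every source that logged successfully
    into at least `min_accounts` distinct accounts inside one sliding window.

    A single address cycling through many valid accounts is the visible shape
    of credential stuffing even when every individual login looks legitimate.
    """
    by_src = defaultdict(list)
    for ts, event, src, user in events:
        if event == "login_ok":
            by_src[src].append((ts, user))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged


def export_outliers(events, window=timedelta(minutes=10), max_exports=2):
    """Return {user: count} for accounts that requested more than `max_exports`
    raw-data exports inside one sliding window. A genuine user rarely needs
    to pull their raw genetic data repeatedly in a few minutes."""
    by_user = defaultdict(list)
    for ts, event, src, user in events:
        if event == "export_raw":
            by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n > max_exports:
                flagged[user] = n
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential-stuffing sources:", stuffing_sources(evs))
    print("export outliers:", export_outliers(evs))
```

Both detections use a sliding window rather than a fixed per-hour bucket so that a burst straddling a bucket boundary is not missed. In a real deployment the thresholds would be tuned against baseline traffic, and the source-address rule would also be applied per ASN or per credential-stuffing-tool fingerprint, since attackers spread logins across many addresses.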
## Response Actions
- **Containment measures:** Implied closure/suspension of compromised accounts.
- **Eradication steps:** N/A (As reported by the source).
- **Recovery actions:** Implementation of mandatory multi-factor authentication (MFA) for all accounts. The ICO remains in contact with the company’s trustee following bankruptcy proceedings.
## Lessons Learned
- **Key takeaways:** Failure to enforce mandatory multi-factor authentication (MFA) creates a critical, exploitable vulnerability, especially when dealing with high-value data like genetic information.
- **What could have been done better:** Implementing MFA by default and establishing stronger verification barriers specifically for accessing sensitive assets like raw genetic data.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately implement mandatory Multi-Factor Authentication (MFA) across all user accounts.
2. Enforce additional authentication steps or "step-up verification" (e.g., secondary password, MFA prompt) specifically before allowing the download of highly sensitive data like raw genetic profiles.
3. Regularly audit credential management practices to ensure user secrets are not being exposed or inadequately protected.
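Recommendations 1 and 2 above amount to an authorization policy: every session must have passed MFA at login, and a sensitive action such as downloading raw genetic data additionally requires a fresh re-verification. The following is an added example written for this report, not code from the source article or from 23andMe; the `Session` fields, the five-minute step-up freshness window, and the action name `export_raw_data` are assumptions for illustration.

```python
"""Step-up authorisation gate for sensitive downloads.

Added example (not from the report or from 23andMe). Session fields,
the freshness window and the action names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STEP_UP_MAX_AGE = timedelta(minutes=5)            # assumed freshness window
SENSITIVE_ACTIONS = {"export_raw_data", "change_email"}  # assumed action names


@dataclass
class Session:
    user: str
    mfa_enrolled: bool                      # account has a second factor registered
    login_mfa_verified: bool                # MFA was completed at login
    last_step_up: Optional[datetime] = None  # last explicit re-verification


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session, action, now=None):
    """Decide whether `session` may perform `action` right now."""
    now = now or datetime.now(timezone.utc)
    # 1. Mandatory MFA: no enrollment, or no MFA at login, means no access at all.
    if not session.mfa_enrolled:
        return Decision(False, "mfa_enrollment_required")
    if not session.login_mfa_verified:
        return Decision(False, "mfa_required")
    # 2. Ordinary actions need nothing beyond the authenticated session.
    if action not in SENSITIVE_ACTIONS:
        return Decision(True, "ok")
    # 3. Sensitive actions need a recent explicit step-up, so a hijacked
    #    session cannot silently pull raw genetic data.
    if session.last_step_up is None or now - session.last_step_up > STEP_UP_MAX_AGE:
        return Decision(False, "step_up_required")
    return Decision(True, "ok")


def record_step_up(session, now=None):
    """Called only after the user re-proves possession of their second factor."""
    session.last_step_up = now or datetime.now(timezone.utc)
    return session


def demo():
    """Walk one session through the policy; returns the reason for each decision."""
    t0 = datetime(2023, 11, 1, 12, 0, tzinfo=timezone.utc)
    s = Session("alice", mfa_enrolled=True, login_mfa_verified=True)
    results = [
        authorize(s, "view_profile", now=t0).reason,                     # ok
        authorize(s, "export_raw_data", now=t0).reason,                  # step_up_required
    ]
    record_step_up(s, now=t0)
    results.append(authorize(s, "export_raw_data", now=t0 + timedelta(minutes=1)).reason)   # ok
    results.append(authorize(s, "export_raw_data", now=t0 + timedelta(minutes=10)).reason)  # stale step-up
    results.append(authorize(Session("bob", False, False), "view_profile", now=t0).reason)  # not enrolled
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The step-up timestamp is stored on the server-side session, never in a client-controlled cookie or request parameter, and `record_step_up` is reachable only from the code path that has just validated a second factor. Rate-limiting the export endpoint and alerting on repeated `step_up_required` denials for one account complement the gate with detection.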