23andMe Paid Hackers $400K While Your DNA Hit Dark Web Markets
Hackers breached 23andMe accounts and exposed genetic data from 6.9 million users who never had weak passwords. The company paid a $400,000 cryptocurrency ransom while publicly downplaying the breach.
If you’ve ever wondered whether genetic testing companies actually protect your DNA data, the 23andMe breach answers that question. They don’t. And when hackers came calling, the company chose to pay them rather than protect you.
California is now suing the company’s successor, Chrome Holding Company, alleging violations of genetic privacy laws after 855,000 Californians had their most intimate biological data stolen and marketed by ethnicity.
How 14,000 Weak Passwords Exposed 7 Million People
The breach started small but exploded through a feature most users didn’t understand. Hackers used stolen passwords from other websites to access roughly 14,000 23andMe accounts where users had recycled credentials.
But those compromised accounts became skeleton keys to the DNA Relatives feature, which automatically shared genetic profiles with family connections. Through this social mapping, attackers accessed data from 6.9 million additional users who had strong passwords and proper security measures in place.
The stolen data included:
- Genetic predispositions to diseases and health conditions
- Family trees showing biological relationships
- Ethnicity breakdowns and ancestry information
- Geographic locations of relatives
Your genetic code doesn’t get a password reset. Once this information is stolen, it’s permanently compromised — affecting not just you, but your children and their children.
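To make the cascade described above concrete, here is an added example (not code from 23andMe or from this article) that models a relatives feature as a symmetric match graph and shows how a small set of credential-stuffed accounts exposes far more profiles than were actually compromised; it also includes a simple defender-side check over constructed access-log lines that flags one source address driving relative-profile views from several accounts at once. The graph, the log lines, the one-hop exposure rule, and the five-minute window are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample graph (not real 23andMe data): account -> accounts its
# opt-in relatives feature shows it. Matching is symmetric.
RELATIVE_MATCHES = {
    "alice": {"bob", "carol", "dave"}, "bob": {"alice", "erin"},
    "carol": {"alice", "frank", "grace"}, "dave": {"alice"},
    "erin": {"bob"}, "frank": {"carol"}, "grace": {"carol", "heidi"},
    "heidi": {"grace"}, "ivan": {"judy"}, "judy": {"ivan"},
}

# Constructed access log: "<ISO timestamp> <account> <source ip> <profile viewed>"
ACCESS_LOG = """\
2023-10-01T12:00:01Z alice 203.0.113.5 bob
2023-10-01T12:00:02Z alice 203.0.113.5 carol
2023-10-01T12:00:03Z alice 203.0.113.5 dave
2023-10-01T12:00:04Z grace 203.0.113.5 carol
2023-10-01T12:00:05Z grace 203.0.113.5 heidi
2023-10-01T15:30:00Z ivan 198.51.100.7 judy
"""

def exposed_profiles(matches, compromised):
    """Profiles readable from a set of compromised accounts: each account's own
    profile plus every profile its relatives feature shows it (one hop; an
    assumption of this model, relatives of relatives are not reachable)."""
    exposed = set()
    for account in compromised:
        exposed.add(account)
        exposed |= matches.get(account, set())
    return exposed

def amplification(matches, compromised):
    """Average number of profiles exposed per compromised account."""
    compromised = set(compromised)
    return len(exposed_profiles(matches, compromised)) / len(compromised) if compromised else 0.0

def flag_bulk_viewing(log, window=timedelta(minutes=5), max_accounts=1):
    """Flag source IPs that drive relative-profile views from more than
    `max_accounts` distinct accounts inside one time window: a sign that
    logins are being scripted rather than one person browsing."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        ts, account, ip, _profile = line.split()
        by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - start <= window}
            if len(accounts) > max_accounts:
                flagged.add(ip)
                break
    return flagged
```

With only two of ten accounts compromised, six profiles become readable, which is the amplification the article is describing; the log check is the kind of signal a service could alert on long before the exposure reaches that scale.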
The Company Paid Ransom While Lying to Users
California Attorney General Rob Bonta filed suit against Chrome Holding Company — the entity that emerged from 23andMe’s bankruptcy — alleging the company failed to secure genetic data and then lied about the scope of the breach while secretly negotiating with attackers.
According to Bonta’s complaint, 23andMe paid a $400,000 cryptocurrency ransom to the hackers while telling users the incident was limited and contained.
“Instead of protecting their customers, 23andMe left them vulnerable to an attack and then lied to consumers about it,” Bonta stated.
The lawsuit alleges violations of California’s Genetic Information Privacy Act, consumer protection laws, and fair business practices regulations.
What makes this breach particularly sinister: Criminals marketed the stolen genetic data specifically targeting Asian American, Pacific Islander, and Jewish users during a period of rising hate crimes against these communities. Bonta called this “disturbing and incredibly dangerous” — genetic information weaponized for potential discrimination.
The targeting wasn’t random. Hackers advertised the data by ethnicity on dark web marketplaces, creating a shopping catalog of genetic profiles sorted by race and religion.
The International Regulatory Pile-On Reveals the Pattern
This isn’t just California’s fight. The UK’s Information Commissioner’s Office fined 23andMe £2.31 million for failing to protect 155,592 British users’ genetic data. Canadian regulators reached similar conclusions about inadequate security measures.
The incentive structure that created this disaster: Genetic testing companies collect the most intimate data possible while marketing themselves as privacy-focused, but their business model depends on data retention and sharing that creates massive breach risks. The more data they keep and connect, the more valuable their platform becomes to pharmaceutical companies and researchers who pay for access.
These international enforcement actions establish that genetic data requires heightened security beyond standard tech industry practices — and 23andMe failed that standard globally.
The company’s bankruptcy and rebrand as Chrome Holding Company won’t shield it from legal consequences. But it does create new uncertainty: Users struggling to delete their accounts now face the reality that their genetic information may become part of a corporate asset sale to the highest bidder.
When Your DNA Becomes a Commodity
The 23andMe breach exposes fundamental flaws in how genetic testing companies handle the most sensitive data imaginable. Unlike credit card numbers or social security digits, genetic information cannot be changed when compromised. It reveals not just your health predispositions, but those of your relatives who never consented to testing.
The breach demonstrates how interconnected genetic databases create exponential privacy risks. When hackers accessed those initial 14,000 accounts, they didn’t just steal data from careless password users — they gained access to family networks spanning millions of people who had followed proper security practices.
This cascading vulnerability is unique to genetic data. Traditional data breaches affect individual accounts, but genetic breaches can expose entire family trees through biological connections that users cannot sever or modify.
The ethnic targeting of stolen data adds another disturbing dimension. By marketing genetic profiles based on ancestry, criminals created tools for potential discrimination that could affect employment, insurance, housing, and personal safety. This weaponization of genetic information represents a new category of hate crime enabled by corporate negligence.
What You Can Do Right Now
If you’re a 23andMe user affected by this breach:
- File a complaint with California’s Attorney General under “Consumer Complaints” — select “Privacy/Data Security” as the issue type. Include your account details and any evidence of unauthorized access.
- Find out if you can join a 23andMe class action lawsuit. Multiple law firms are pursuing litigation against the company for the breach.
- Request immediate account deletion through 23andMe’s privacy settings, though the company has been slow to process these requests since the bankruptcy filing.
- Monitor your credit and health insurance for signs that your genetic predisposition data is being used against you — some insurers have been caught using genetic information despite legal prohibitions.
- Report identity theft or discrimination based on genetic information to the Federal Trade Commission.
For genetic privacy protection going forward: California’s Genetic Information Privacy Act gives you specific rights to know what genetic data companies collect, how they use it, and who they share it with. You can demand this information annually.
Consider the permanent nature of genetic data before submitting to any testing company. Unlike other personal information, genetic data cannot be changed or updated when compromised. The privacy risks extend to your children and relatives who never consented to testing.
Written by: Companies Behaving Badly