23andMe Credential Stuffing: 6.9M Records via Genetic-Relative Graph

Incident · 23andMe SEC filings / disclosure · Oct 2023 · 6.9M records affected

Attackers credential-stuffed about 14,000 23andMe accounts. Through the platform's DNA-Relatives feature, those compromised accounts pivoted into the profile data of 6.9 million additional users. The blast radius came from a feature, not from the IdP.

Key Finding

Authentication failure at one account can become a relational-data breach across millions when the application graph exposes identity information beyond the authenticated user.

In October 2023, 23andMe confirmed an incident in which attackers used credential stuffing (passwords reused from prior, unrelated breaches) to compromise approximately 14,000 customer accounts, about 0.1% of the customer base. The architectural consequence was disproportionate: those compromised accounts had the DNA-Relatives feature enabled, which surfaced identifying data about their genetic relatives. The total reach of the breach was 6.9 million users.

23andMe had not required MFA for customer accounts at the time. Its post-incident response included MFA prompts, password resets, and a class-action settlement. From an identity-architecture standpoint the more interesting lesson is about scope: the failure was not the 14,000 password-protected accounts; the failure was the data-graph design that allowed those 14,000 accounts to expose the records of 6.9 million.

For CIAM specifically, the lesson is that authentication strength has to be designed against the data the authenticated session can reach, including the data about other identities visible through the application graph. A graph-exposed CIAM that authenticates each user weakly is, in practice, a graph-exposed CIAM that authenticates the whole population weakly.
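The blast-radius arithmetic above is easy to model. The following is an added example, not code from 23andMe or from the original page: it builds a small constructed relative graph, computes which records a set of credential-stuffed sessions can reach through an opt-in "relatives" feature, and then applies a step-up policy that gates graph-exposed data behind a stronger authentication factor. All account names, edges and opt-in flags are constructed; the policy functions are hypothetical illustrations of the design point, not any vendor's implementation.

```python
from collections import defaultdict

# Constructed toy population: account -> has relative-sharing opted in.
OPT_IN = {
    "A": True, "B": True, "C": True, "D": True,
    "E": True, "F": True, "G": True, "H": False,
}

# Constructed genetic-relative edges (undirected).
EDGES = [("A", "B"), ("A", "C"), ("A", "D"), ("B", "E"),
         ("C", "F"), ("D", "G"), ("E", "H")]


def build_graph(edges):
    """Adjacency map for an undirected relative graph."""
    graph = defaultdict(set)
    for left, right in edges:
        graph[left].add(right)
        graph[right].add(left)
    return graph


def visible_relatives(account, graph, opt_in):
    """Records the feature surfaces to a session logged in as `account`.

    Only mutually opted-in relatives are shown: the viewer must have the
    feature on, and each relative must have consented to being listed.
    """
    if not opt_in.get(account, False):
        return set()
    return {rel for rel in graph[account] if opt_in.get(rel, False)}


def exposure(compromised, graph, opt_in, require_step_up=False, session_mfa=None):
    """Union of records reachable from a set of compromised sessions.

    `session_mfa` records which sessions completed a second factor. With
    `require_step_up=True`, a session that only presented a password (the
    credential-stuffing case) sees its own record but no relative data.
    """
    session_mfa = session_mfa or {}
    exposed = set(compromised)  # the attacker always holds the account itself
    for account in compromised:
        if require_step_up and not session_mfa.get(account, False):
            continue  # graph access denied until step-up auth succeeds
        exposed |= visible_relatives(account, graph, opt_in)
    return exposed


def amplification(compromised, exposed):
    """Records reached per compromised account (the page's 14k -> 6.9M ratio)."""
    return len(exposed) / len(compromised)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    stuffed = {"A", "E"}  # constructed: two accounts taken via reused passwords

    weak = exposure(stuffed, graph, OPT_IN)
    print("password-only policy:", sorted(weak), "x%.1f" % amplification(stuffed, weak))

    gated = exposure(stuffed, graph, OPT_IN, require_step_up=True)
    print("step-up gated policy:", sorted(gated), "x%.1f" % amplification(stuffed, gated))
```

Two compromised accounts reach five records under the password-only policy (H is excluded because it never opted in), and only their own two records once relative data requires a second factor. The point the model makes concrete is that the gating decision belongs on the graph-crossing read, not only on login: an attacker with a reused password still gets a session, but that session's reach is bounded to the one identity whose credential was actually proven.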
