A credential-stuffing attack is a technique where compromised user information, including usernames and passwords from one organization, is obtained by hackers and then reused in attempts to access another organization’s systems—in this case, 23andMe. It’s important to note that this does not appear to be a breach of 23andMe’s internal systems but rather unauthorized access to individual accounts. The attackers behind this incident managed to obtain sensitive information from the compromised accounts, including genetic testing results, photos, full names, and geographical locations, among other data.
