The ‘DNA Relatives’ feature is a key aspect that may have exposed more sensitive data. It identifies relatives by comparing the DNA of users with that of other 23andMe members who participate in the feature. After gaining unauthorized access to a certain number of profiles through credential-stuffing, the threat actor behind this breach appears to have extracted ‘DNA Relatives’ results for those profiles, obtaining significantly more sensitive information. The company stated in a FAQ page that “The number of relatives listed […] grows over time as more people join 23andMe.” For the fiscal year 2023, 23andMe reported that it “genotyped” around 14 million customers.
