HydraWatch All articles
Account Security & Privacy

Permanent Damage: Why a Breach at Your DNA Testing Company Is Unlike Any Hack You Have Ever Survived

HydraWatch
Permanent Damage: Why a Breach at Your DNA Testing Company Is Unlike Any Hack You Have Ever Survived

Every cybersecurity professional will tell you the same thing about credential theft: change your password, enable two-factor authentication, and move on. The damage is painful, but it is recoverable. Genetic data operates under an entirely different set of rules. You cannot rotate your genome the way you rotate a compromised API key. You cannot issue yourself a new set of chromosomes after a breach notification email arrives in your inbox. And yet millions of Americans have voluntarily submitted their most permanent personal information — their raw DNA — to commercial platforms whose security postures have, in several documented cases, fallen short of what that data demands.

The consumer genomics industry grew rapidly over the past decade, fueled by affordable at-home kits and the compelling promise of ancestral discovery. Companies such as 23andMe and AncestryDNA built databases containing the genetic profiles of tens of millions of users. The business model depends on scale. The security risk grows with it.

What Happened at 23andMe — and Why It Matters

In late 2023, 23andMe disclosed a credential-stuffing attack that ultimately affected approximately 6.9 million users. The initial intrusion exploited a relatively mundane vulnerability: users who had reused passwords from previously breached platforms. Attackers authenticated with those recycled credentials and then pivoted through the platform's DNA Relatives feature, which allows users to share profile data with genetic matches. Because that feature was opt-in but widely enabled, a comparatively small number of directly compromised accounts became a lever for harvesting data from millions of connected profiles.

The exposed information included display names, predicted relationships, ancestry composition percentages, and in some cases, raw genotype data files. Threat actors subsequently listed portions of this data on criminal forums, with some listings specifically targeting users of Ashkenazi Jewish and Chinese heritage — a detail that underscored the potential for genetic data to be weaponized along ethnic and demographic lines.

The incident was not the industry's first. Earlier breaches and third-party data-sharing controversies had already drawn regulatory scrutiny, but the 23andMe event marked the clearest public demonstration that genetic platforms represent a high-value target for organized cybercriminals.

Why Genetic Data Is Different From Every Other Data Type

The standard framework for evaluating personal data breach severity considers factors such as financial exposure, identity theft risk, and reputational harm. Genetic data disrupts that framework in several meaningful ways.

It is immutable. A Social Security number can, under extraordinary circumstances, be changed. An email address is trivially replaceable. Your genome is not. Whatever is exposed remains exposed for the entirety of your life and, to a meaningful degree, the lives of your biological relatives — none of whom necessarily consented to your decision to submit a saliva sample.

It is predictive. Raw genotype files contain information about disease predispositions, pharmacogenomic responses, and ancestry markers. In the wrong hands, this data could theoretically be used to discriminate in employment contexts, inform targeted social engineering, or be sold to entities with interests that are not aligned with yours.

It implicates third parties. When your genetic data is exposed, partial profiles of your parents, siblings, and children are exposed alongside it. Familial DNA relationships mean that a breach affecting one individual radiates outward across a biological network.

Legal protections are incomplete. The Genetic Information Nondiscrimination Act, known as GINA, prohibits health insurers and employers from using genetic information in certain discriminatory ways. However, GINA does not cover life insurance, disability insurance, or long-term care insurance — precisely the products where genetic predisposition data could have the most financially consequential impact on an individual consumer.

How Genetic Data Circulates After a Breach

Once raw genomic files or ancestry profiles enter criminal markets, they do not simply disappear. Security researchers monitoring dark web forums have observed genetic data appearing in bundled data sets alongside other personally identifiable information, effectively enriching existing identity profiles that criminals maintain on specific targets.

The most immediate downstream risk for most consumers is not some elaborate genetic discrimination scheme — it is the same identity fraud and targeted phishing that follows any significant breach. When genetic data is paired with name, date of birth, email address, and familial relationship data, the resulting profile is exceptionally detailed. Attackers can craft highly personalized pretexting scenarios, impersonating relatives or fabricating health-related urgencies to extract money or additional credentials from victims.

Longer-term risks are harder to quantify but not negligible. As genetic databases grow and cross-referencing capabilities improve, data exposed today may become significantly more exploitable in five or ten years. Consumers who submitted samples in 2018 and forgot about the account entirely may be carrying a liability they are not aware of.

Questions to Ask Before Submitting a Sample

For Americans considering a consumer DNA test, the following questions represent a reasonable minimum standard of due diligence.

Steps for Those Who Have Already Submitted

If you have an existing account with a consumer genomics platform, several concrete actions can reduce your exposure.

First, log in and audit your privacy settings immediately. Disable data-sharing features you do not actively use. If the platform offers the option to delete your genetic data, consider whether you have extracted the value you sought from the service and whether continued storage is worth the ongoing risk.

Second, download your raw data file if you want a personal copy, store it in an encrypted location, and then delete it from the platform's servers. Most major services offer this option, though the process varies.

Third, change your password to something unique to that account and enable two-factor authentication if the platform supports it. The 23andMe breach was initiated through credential stuffing — a trivially preventable attack vector for users who do not reuse passwords.

Fourth, monitor for breach notifications. Services such as Have I Been Pwned aggregate known breach data and can alert you if your email address appears in newly disclosed data sets associated with genomics platforms.

The Regulatory Gap That Leaves Consumers Exposed

The Federal Trade Commission has taken action against companies for deceptive data practices, and state-level privacy laws — California's CCPA being the most prominent — provide some rights around genetic data. However, the United States lacks a comprehensive federal privacy framework that specifically addresses the unique risks of biometric and genomic data with the rigor those categories demand.

Until that gap is closed, the burden falls disproportionately on individual consumers to evaluate the risk-reward calculus before submitting a sample. The ancestral curiosity that drives millions of Americans toward these services is entirely understandable. So is the desire to connect with biological relatives or understand health predispositions. But those benefits should be weighed against a category of data exposure that, unlike almost every other breach scenario, cannot be undone after the fact.

The password you changed last Tuesday is already forgotten. The genome you submitted three years ago is not going anywhere.

All articles

Related Articles

Logged In Without a Password: The Underground Trade in Stolen Session Cookies That Renders Your Credentials Irrelevant

Logged In Without a Password: The Underground Trade in Stolen Session Cookies That Renders Your Credentials Irrelevant

The Credential Graveyard: How Identity Thieves Mine Obituaries and Exploit the Accounts of the Deceased

The Credential Graveyard: How Identity Thieves Mine Obituaries and Exploit the Accounts of the Deceased

The Second Factor Illusion: How Attackers Are Quietly Defeating the Authentication Layer You Thought Was Protecting You

The Second Factor Illusion: How Attackers Are Quietly Defeating the Authentication Layer You Thought Was Protecting You