Page last updated on September 29, 2025
23andMe Holding Co. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-10-10 16:17:56 EDT.
Incident Details
Material: No
Is Breach: Yes
Records Compromised: Unknown
Data Types Impacted: Health data, Genetic data, Unspecified, Ancestry data, Password, Username
Compromised Date: Unknown
Detected Date: Unknown
Disclosure Date: 2023-10-10
Contained Date: Unknown
Recovered Date: Unknown
Attack Goal: Unknown
Attack Tactics: TA0006, TA0001, TA0010
Attack Techniques: T1078, T1213
Costs: $38.5M - $39.5M
- Non-itemized costs (Indirect): $1M - $2M
- Legal (Indirect): Not Tracked (yet)
- Consulting costs (Indirect): Not Tracked (yet)
- Third-party costs (Indirect): Not Tracked (yet)
- Lawsuits (Indirect): $37.5M
Filings
8-K filed on 2023-10-10
23andMe Holding Co. filed an 8-K at 2023-10-10 16:17:56 EDT
Accession Number: 0001193125-23-253488
Item 7.01 Regulation FD Disclosure.
23andMe Holding Co. ("23andMe," "we," "us," and "our") recently learned that certain profile information, which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature, was accessed from individual 23andMe.com accounts without the account users' authorization (the "incident"). Based on 23andMe's investigation as of the date of this Current Report on Form 8-K, we do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks. While our investigation is ongoing, as of the date of this Current Report on Form 8-K, we believe the threat actor was able to access certain accounts in instances where usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available. 23andMe undertook immediate action in accordance with its incident response plan, including taking affirmative security measures to mitigate any potential impact of the incident, working to validate whether data that was accessed was legitimate data from the Website, and determining the full scope of data accessed by unauthorized individuals.
23andMe has retained third-party forensic experts to assist in an investigation of the cause and scope of the incident, and in mitigating and remediating the impact of the incident. 23andMe is fully cooperating with federal law enforcement in relation to this incident. 23andMe is currently working to confirm the scope of data accessed, and is investigating the nature of the personal data in question and any related legal obligations.
23andMe's investigation into these matters is preliminary and ongoing, and 23andMe is still discerning the implications of the incident. During the course of the investigation, 23andMe may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. At this time, 23andMe is unable to predict the costs and magnitude of those consequences.
8-K/A filed on 2023-12-01
23andMe Holding Co. filed an 8-K/A at 2023-12-01 16:06:04 EST
Accession Number: 0001193125-23-287449
Item 7.01 Regulation FD Disclosure.
On October 10, 2023, 23andMe Holding Co. (the "Company," "23andMe," "we," "us," and "our") filed a Current Report on Form 8-K (the "Original Form 8-K") reporting that it learned that certain user profile information, which a 23andMe user (each, a "user" and collectively, the "users") creates and chooses to share with their genetic relatives in 23andMe's DNA Relatives feature, was accessed and downloaded from individual 23andMe.com (the "23andMe website") user accounts (the "incident") by a threat actor (the "threat actor"). The Company is filing this Amendment No. 1 to the Original Form 8-K (this "Amendment") to provide supplemental information regarding the incident. Except as expressly set forth herein, this Amendment does not amend the Original Form 8-K in any way and does not modify or update any other disclosures contained in the Original Form 8-K. This Amendment supplements the Original Form 8-K and should be read in conjunction with the Original Form 8-K.
On October 1, 2023, a threat actor posted online a claim to have 23andMe users' profile information. Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorized activity. Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the "Credential Stuffed Accounts"). The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user's genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users' ancestry that such users chose to share when opting in to 23andMe's DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.
23andMe is in the process of providing notification to users impacted by the incident as required by applicable law. While no company can ever completely eliminate the risk of a cyber attack, the Company has taken certain steps to further protect its users' data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on November 6, 2023, 23andMe required all new and existing users to log in to the 23andMe website using two-step verification going forward.
As of the filing date of this Amendment, the Company expects to incur between $1 million and $2 million in one-time expenses related to the incident during its fiscal third quarter ending December 31, 2023, primarily consisting of technology consulting services, legal fees, and expenses of other third-party advisors. The Company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results. As of the filing date of this Amendment, the Company is not able to predict whether such direct or indirect impacts of the incident could have a material effect on its financial condition and/or results of operations for the fiscal year ending March 31, 2024.
As of the filing date of this Amendment and as a result of the incident, multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. These cases are at an early stage, and the Company cannot predict the outcome. The Company is also assessing its response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies. The full scope of the costs and related impacts of this incident and related litigation, including, without limitation, the availability of insurance to offset some of these costs, cannot be estimated at this time.
While the Company believes the investigation into these matters is complete, the Company may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. All information provided in this Amendment is as of the date hereof and 23andMe undertakes no duty to update this information except as required by applicable law.
8-K filed on 2025-03-24
23andMe Holding Co. filed an 8-K at 2025-03-24 06:23:28 EDT
Accession Number: 0001193125-25-060817
Item 8.01 Other Events.
Settlement Agreements
On March 21, 2025, the Company entered into settlements (the "Settlements") with plaintiffs represented by Potter Handy, LLP in actions filed in the Superior Court of the State of California and arbitration claimants represented by Labaton Keller Sucharow LLP, Levi & Korsinsky LLP, and Milberg Coleman Bryson Phillips Grossman PLLC, relating to the previously disclosed cyber incident reported by the Company on October 10, 2023 (the "Incident").
As of the date of this Current Report on Form 8-K and inclusive of the Settlements as well as proposed settlements previously reported by the Company, the Company has agreed to pay, subject to the satisfaction of certain conditions, an aggregate of $37.5 million to settle claims relating to the Incident brought on behalf of U.S. customers, including those who choose to exercise arbitration rights. The Settlements represent compromise settlements and shall not be construed as an admission of any liability or obligation whatsoever by any party to any other party or any other person or entity.
Company Information
| Name | 23andMe Holding Co. |
| CIK | 0001804591 |
| SIC Description | Pharmaceutical Preparations |
| Ticker | MEHCQ - OTC |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | March 30 |