PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

23andMe Warns of Hacker Breaking Into User Accounts

The hacker claims to have obtained data from at least 7 million 23andMe users, but the DNA company has no evidence of a breach, suggesting the issue is someone using leaked credentials.

Michael Kan
 & Michael Kan Principal Reporter

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

If you use 23andMe, consider securing your account. It appears a hacker has been breaking into user profiles to steal personal data. 

The company issued a statement about the threat today, days after a mysterious user in a hacking forum claimed to have obtained data from at least 7 million 23andMe users. 

The user shared a link, which allegedly leads to a download for the stolen data. “The CSV file in the link contains the profile list of half of the members of 23andMe,” the user claimed in the post before it was deleted. “These members have technical details such as their origin estimation, phenotype and health information, photos and identification data, raw data, and their last login date to the site.”

Meanwhile, another user in the same forum is also selling access to the 23andMe data. For $100,000, a buyer can obtain access to 100,000 profiles.

23andMe is investigating the situation, but the company denies a breach has occurred. “We do not have any indication at this time that there has been a data security incident within our systems,” a company spokesperson told PCMag. 

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added. 

Recommended by Our Editors

1.9M Rush to Delete 23andMe Data After Bankruptcy: Should You Do the Same?
1.9M Rush to Delete 23andMe Data After Bankruptcy: Should You Do the Same?

That means a hacker has likely been digging through past data breaches —which can contain user email addresses and passwords— to try and break into accounts on 23andMe. 

Although the hacker claims to have obtained data on at least 7 million users, it’s possible much of the data was actually scraped through a profile-viewing feature available to 23andMe members. The company has a function that lets you find “DNA relatives” with other users on the platform. Using the system is optional, but in doing so users create a profile that other members can see, allowing them to view ancestry results, along with photo and birth year, if provided.

Hence, it’s possible the hacker broke through a smaller number of accounts, and then exploited the DNA relatives feature to gain access to a wider range of personal details. For now, 23andMe told PCMag: “We are taking this issue seriously and will continue our investigation to confirm these preliminary results.”

In the meantime, users can consider changing their password or turning on the two-factor authentication for their accounts to prevent potential hijacking.

About Our Expert

Michael Kan

Michael Kan

Principal Reporter

My Experience

I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.

Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.

I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.

I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.

The Best Tech I've Had:

  • My first video game console: a Nintendo Famicom
  • I loved my Sega Saturn despite PlayStation's popularity.
  • The iPod Video I received as a gift in college
  • Xbox 360 FTW
  • The Galaxy Nexus was the first smartphone I was proud to own.
  • The PC desktop I built in 2013, which still works to this day.

Read the latest from Michael Kan

Read full bio