23andMe Notifies More Users About Breach Involving 'DNA Relatives' Feature

A new email suggests the company has uncovered more accounts caught up in a hacker's effort to scrape data from the DNA testing service.

By Michael Kan, Principal Reporter

In a new batch of emails, 23andMe is notifying users that their information was exposed to a hacker scraping data from the DNA testing service. 

Several users reported receiving the email as the company continues to investigate how a hacker abused 23andMe’s “DNA relatives” feature to collect data from potentially millions of users. 

“After further review, we have identified your DNA Relatives profile as one that was impacted in this incident,” the company writes. “Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives.”

The email suggests 23andMe has been uncovering more customer profiles ensnared in the breach. This occurs a week after a mysterious user in a hacking forum named “Golem” allegedly published records on 4 million users. On Oct. 3, a separate user in the same hacking forum claimed to have stolen data from 7 million users.

23andMe didn’t immediately respond to a request for comment. But last week, the company told PCMag it was reviewing the data Golem allegedly leaked on the hacking forum. “Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information,” it said at the time. 

The breach initially involved a hacker merely breaking into select users' accounts. According to 23andMe, the hacker likely bought login credentials that were stolen in another breach and plugged them into the DNA testing website in the hopes that people used the same password across multiple accounts. (You should stop doing that.)

Normally, such hijackings only affect users who had their accounts breached. But in this case, it looks like the hacker was able to access a wide array of customer-profile data through 23andMe’s DNA Relatives feature, which lets members find and see the profiles of people with whom they share genetic material.

Using the DNA Relatives feature is optional, but those who do create a profile that other members can see, allowing them to view ancestry results, along with photo, birth year, location, ancestors' birth locations and family tree, if provided. 23andMe has since “temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect the privacy of our customers.”

In the meantime, the data scraping has been frustrating users who say they had strong unique passwords for 23andMe, but still had their information stolen. In response, a growing number of consumers have filed class-action lawsuits against the DNA testing company, faulting it for failing to stop the breach and demanding it pay damages. 

However, 23andMe previously told PCMag: “We have since notified customers and taken additional security measures, including requiring all accounts to go through a password reset and advising customers to enable multi-factor authentication. We are working with outside forensic experts as part of our ongoing investigation, as well as with federal law enforcement.”
