
23andMe data breach — exercise your GDPR rights

In 2023, 23andMe suffered a credential-stuffing attack that exposed the genetic ancestry and health data of approximately 6.9 million users — including highly sensitive inferred ethnicity and health predisposition information. Genetic data is special category data under Article 9 GDPR, attracting the highest level of legal protection. 23andMe filed for bankruptcy in March 2025, making it urgent to exercise your rights before your data changes hands.

⚖️ Regulatory action: 23andMe was fined £2.31 million by the UK ICO in June 2025 for failing to implement appropriate security measures to protect customers' genetic data under Article 32 GDPR.

What happened

Year: 2023 · Users affected: 6.9 million

Attackers used credentials from earlier, unrelated breaches to access approximately 14,000 23andMe accounts via credential stuffing. By exploiting the 'DNA Relatives' feature, they harvested the profile data of a further 6.9 million connected users. The stolen data included predicted ethnicity, health predispositions, and relative match information. The breach disproportionately targeted Ashkenazi Jewish and ethnically Chinese users.

Data exposed:
  • Genetic ancestry composition (predicted ethnicity)
  • Health predisposition reports
  • Wellness and trait reports
  • DNA relative matches and family tree data
  • Full names
  • Dates of birth
  • Sex at birth
  • Profile photos
  • Locations
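The attack described above had two observable stages: a burst of logins against many different accounts from the same source, followed by a single compromised account pulling far more 'DNA Relatives' profiles than a real user would. The script below is an added illustration of how a defender could flag both stages in an access log; it is not 23andMe's code, and the log format, IP addresses, account names and thresholds are all constructed for the example.

```python
"""Illustrative detection of the two stages of a credential-stuffing attack.

Added example, not 23andMe code. The log format below is an assumption:
    <ISO timestamp> <source IP> <account> <event>
Events used: LOGIN_FAIL, LOGIN_OK, RELATIVE_VIEW (one relative profile fetched).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (no real data). Returns a list of log lines."""
    lines = []
    base = datetime(2023, 10, 1, 10, 0, 0)
    # Stage 1: one source IP replays leaked credentials against eight accounts
    # within two minutes; most fail, two succeed because of password reuse.
    for i in range(8):
        event = "LOGIN_OK" if i in (2, 6) else "LOGIN_FAIL"
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 user{i:02d}@example.test {event}")
    # Stage 2: the compromised account scrapes an abnormal number of relatives.
    for i in range(120):
        ts = (base + timedelta(minutes=3, seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 user06@example.test RELATIVE_VIEW")
    # A legitimate user for contrast: one login and a handful of relative views.
    ts = (base + timedelta(hours=1)).isoformat()
    lines.append(f"{ts} 198.51.100.7 carol@example.test LOGIN_OK")
    for i in range(4):
        ts = (base + timedelta(hours=1, seconds=30 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 carol@example.test RELATIVE_VIEW")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, ip, account, event)."""
    ts, ip, account, event = line.split()
    return datetime.fromisoformat(ts), ip, account, event


def find_stuffing_ips(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return source IPs that attempted logins (failed or successful) against
    at least `min_accounts` distinct accounts inside any `window`-long span.
    Many accounts from one source is the signature of credential stuffing,
    unlike a single user mistyping their own password."""
    attempts = defaultdict(list)  # ip -> [(timestamp, account), ...]
    for line in lines:
        ts, ip, account, event = parse_line(line)
        if event in ("LOGIN_FAIL", "LOGIN_OK"):
            attempts[ip].append((ts, account))

    flagged = set()
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def find_scraping_accounts(lines, max_views=50):
    """Return accounts that fetched more than `max_views` relative profiles.
    Threshold is an assumption; a real baseline would come from normal usage."""
    views = Counter()
    for line in lines:
        _, _, account, event = parse_line(line)
        if event == "RELATIVE_VIEW":
            views[account] += 1
    return {acct for acct, n in views.items() if n > max_views}


if __name__ == "__main__":
    log = build_sample_log()
    print("credential-stuffing sources:", sorted(find_stuffing_ips(log)))
    print("relative-scraping accounts:", sorted(find_scraping_accounts(log)))
```

The two checks are deliberately independent: the first would fire before any account is compromised (and is a natural trigger for rate limiting or step-up authentication), while the second catches the bulk harvesting of connected users' data that turned 14,000 compromised accounts into 6.9 million exposed profiles.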

What you can do

Genetic data is the most sensitive personal information under GDPR — it is immutable, uniquely identifies you, and reveals information about your relatives without their consent. With 23andMe having filed for bankruptcy and been acquired in 2025, exercising your right to erasure now is especially important to prevent your genetic data being used for purposes you never consented to.

You have two key rights under GDPR: the right of access (Article 15) and the right to erasure (Article 17).

Note: 23andMe was acquired by TTAM Research Institute in June 2025 following bankruptcy. GDPR obligations transfer with the data. Submit requests via 23andMe's privacy portal; if unresolved, escalate to your national data protection authority. Privacy portal ↗

Generate your access request

This letter is pre-addressed to 23andMe, Inc., the official EU data controller for 23andMe.

To: 23andMe, Inc.
349 Oyster Point Blvd, South San Francisco, CA 94080, USA

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,


1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
