Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
23andMe

23andMe Vendor Cyber Rating & Cyber Score

23andme.com

23andMe Research Institute is a nonprofit medical research organization that enables people everywhere to access their genetic information, learn about themselves and participate in the world's largest crowdsourced research initiative. The Institute aims to be the world's most significant contributor to scientific advancement, uniting people with the common goal of improving health and deepening our understanding of DNA — the code of life.


23andMe A.I CyberSecurity Scoring

23andMe
Company Information
Website:https://www.23andme.com
Employees number:559
Number of followers:81,337
NAICS:8135
Industry Type:Non-profit Organizations
Homepage:23andme.com
23andMe Risk Score (AI oriented)
Between 0 and 549
logo
23andMeNon-profit Organizations
Updated:
02/06/2026
100/1000
Critical
C
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
23andMe Global Score (TPRM)
xxxx
logo
23andMeNon-profit Organizations
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

23andMe
23andMeCritical
Current Score
100C (CRITICAL)
01000
8 incidents
-118 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
100Before Incident
JUNE 2026
234Before Incident
Breach
01 Jun 202623andMe
23andMe: California Attorney General sues 23andMe for security breach

23andMe Data Breach Impacting 7 Million Users

100After Incident
CRITICAL-134
23A1780359968
23andMe Faces Lawsuit Over 2023 Data Breach Impacting 7 Million Users The California Attorney General, Rob Bonta, has filed a lawsuit against genetic-testing company 23andMe (now operating as Chrome Holding Co.) for its handling of a 2023 data breach that exposed the sensitive information of nearly 7 million users, including over 850,000 Californians. The complaint alleges that 23andMe failed to implement basic security measures, misled customers about the breach’s severity, and violated multiple state laws, including the Genetic Information Privacy Act and the California Consumer Privacy Act. The breach, which occurred over five months, stemmed from a credential-stuffing attack, where hackers exploited weak or reused passwords from other breaches including a prior incident at genealogy site MyHeritage, a 23andMe partner. Once inside, attackers exploited a coding flaw in the company’s “DNA Relatives” feature, allowing them to access ancestry reports, family histories, and health-related genetic data. The stolen information was later offered for sale on the dark web, with hackers specifically targeting data belonging to Asian-Pacific Islander and Jewish users amid rising hate crimes. 23andMe initially downplayed the incident, publicly confirming only 14,000 compromised accounts while withholding details about the broader exposure. The California Department of Justice’s investigation found that the company’s security practices “fell below industry standards”, despite its claims of robust protections. The lawsuit also accuses 23andMe of misleading customers by denying a security incident even after hackers revealed exploitable vulnerabilities during ransom negotiations. Founded in 2006, 23andMe was the first direct-to-consumer DNA testing company but faced financial struggles, filing for bankruptcy in 2023. Its assets were later acquired by the 23andMe Research Institute, a nonprofit that has distanced itself from the lawsuit, stating it was not involved in the events leading to the breach. The legal action seeks accountability for what Bonta described as a failure to “meet its obligation under California law to keep [users’] information safe.” The case highlights the risks of inadequate cybersecurity in handling highly sensitive genetic and personal data.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial gain, potential targeting of ethnic groups amid rising hate crimes
IMPACT
Data Compromised: Ancestry reports, family histories, health-related genetic dataSystems Affected: 23andMe user accounts, 'DNA Relatives' featureBrand Reputation Impact: Significant, due to lawsuit and misrepresentation of breach severityLegal Liabilities: Lawsuit filed by California Attorney General for violating Genetic Information Privacy Act and California Consumer Privacy ActIdentity Theft Risk: High, due to exposure of sensitive genetic and personal data
DATA BREACH
Type Of Data Compromised: Genetic data, ancestry reports, family histories, health-related informationNumber Of Records Exposed: 7 million usersSensitivity Of Data: High (genetic and personally identifiable information)Data Exfiltration: Yes, data sold on dark webPersonally Identifiable Information: Yes (genetic data, family histories, health information)
MAY 2026
224Before Incident
APRIL 2026
224Before Incident
MARCH 2026
214Before Incident
FEBRUARY 2026
203Before Incident
JANUARY 2026
189Before Incident
DECEMBER 2025
175Before Incident
NOVEMBER 2025
349Before Incident
Breach
28 Nov 202523andMe
23andMe Nets Approval for Bankruptcy Plan With Data Breach Deals

23andMe Data Breach and Bankruptcy Settlement

189After Incident
CRITICAL-160
23A1764346412
Fallen DNA testing firm 23andMe won court approval of a bankruptcy plan that includes settlements to provide up to $62 million to resolve thousands of data breach claims. Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri approved the plan in a Wednesday order, overruling most creditor objections and challenges from data breach victims. Many of those former customers’ objections were deemed moot or premature, and several of them didn’t appear at a court hearing on the plan. Objections from the Justice Department’s bankruptcy watchdog and a coalition of state attorneys general were resolved ...
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Financial Loss: $62 million (settlement amount)
DATA BREACH
Type Of Data Compromised: Customer Data (likely including genetic and personally identifiable information)Sensitivity Of Data: High (genetic and personal data)
OCTOBER 2025
343Before Incident
SEPTEMBER 2025
393Before Incident
Breach
25 Sep 202523andMe
23andMe

23andMe Data Breach and Bankruptcy Settlement

333After Incident
CRITICAL-60
23A0702607092625
The genetic testing company 23andMe faced a significant data breach exposing customers' personal and genetic information. The breach led to legal claims from affected users, prompting the company to propose settlements as part of its ongoing Chapter 11 bankruptcy proceedings. The exposed data included sensitive customer details, raising concerns over privacy, identity theft, and potential misuse of genetic information. The breach’s financial and reputational fallout contributed to the company’s restructuring efforts, with a judge reviewing settlement approvals to resolve customer claims. The incident underscores the severe consequences of failing to protect highly personal data in the biotech sector, particularly when such information can have long-term implications for individuals' health, insurance, and security.
INCIDENT DETAILS -
TYPE
Data Breach
DATA BREACH
Personally Identifiable Information (PII)Genetic DataSensitivity Of Data: High
AUGUST 2025
387Before Incident
MARCH 2025
408Before Incident
Breach
24 Mar 202523andMe
23andMe

23andMe Bankruptcy and Data Privacy Concerns

349After Incident
CRITICAL-59
23A000032525
23andMe, a company offering personal genetic testing services, has faced bankruptcy protection while holding a vast collection of sensitive genetic data. Privacy risks are heightened as this data might fall into new hands during a sale process, raising concerns over data protection and potential misuse. Legal frameworks like California’s right to deletion offer some safeguards, yet a national health privacy law in the US is lacking, leaving many customers vulnerable. Customers are advised to download and then request deletion of their personal genetic data to ensure their privacy.
INCIDENT DETAILS -
TYPE
Data Privacy Incident
IMPACT
Sensitive genetic dataPotential misuse of dataLack of national health privacy law
DATA BREACH
Genetic dataHigh
OCTOBER 2023
419Before Incident
Breach
01 Oct 202323andMe
23andMe (Chrome Holding Co.)

23andMe Data Breach (2023)

269After Incident
CRITICAL-150
23A4433044101425
In October 2023, 23andMe suffered a massive data breach exposing the personal and genetic data of nearly 7 million users, including highly sensitive DNA profiles, health records, and personally identifiable information (PII). The breach led to severe consequences for affected individuals, including identity theft, targeted harassment (especially against LGBTQ+ members like Salman Jaberi), mental health deterioration (e.g., Elvira Olguín’s vascular episode and vision loss due to stress), and financial fraud. The company filed for bankruptcy in March 2024, facing over 250,000 claims (many suspected fraudulent) tied to the incident, with settlements proposed at $30M–$50M (US) and $3.25M (Canada)—far below the claimed $51 trillion in damages. Victims reported long-term risks, such as nation-state exploitation of immutable DNA data, while the company struggled to verify legitimate claims. The breach’s unique harm—irreplaceable genetic data—heightened distress, with many users feeling the settlements provided insufficient relief for ongoing damages like privacy protection costs, medical expenses, and emotional trauma.
INCIDENT DETAILS -
TYPE
Data BreachPrivacy Violation
IMPACT
Settlement Fund Us: $30 million to $50 millionSettlement Fund Canada: $3.25 million (CA$4.49 million)Individual Claims: Up to $165 (US health data exposed), $100 (statutory payments for certain states), additional payments for extraordinary lossesCompany Asset Sale: $300 million (June 2024)Total Claims Value: $51 trillion (disputed, includes potential fraudulent claims)Personal InformationGenetic/DNA DataHealth DataFamily NamesCredit Information (linked to identity theft)Bankruptcy filing (March 2024)Reputation damageLegal and regulatory scrutinyCustomer trust erosionConfusion over bankruptcy hearingsFear of identity theftMental health impacts (e.g., Elvira Olguín's vascular episode)Harassment and targeted ads (e.g., Salman Jaberi)Brand Reputation Impact: Severe (linked to immutable genetic data exposure and bankruptcy)Class-action lawsuits (US and Canada)Potential fraudulent claims disputesState privacy law violationsRegulatory fines (pending)Identity Theft Risk: High (reported cases like Salman Jaberi's credit report spikes and targeted scams)
DATA BREACH
Genetic/DNA DataPersonal Identifiable Information (PII)Health DataFamily RelationshipsCredit-Linked DataNumber Of Records Exposed: ~7 millionSensitivity Of Data: Extreme (immutable genetic data, health records, family ties)Data Exfiltration: Confirmed (sold or leaked, suspected dark web activity)NamesEmail AddressesGenetic ProfilesFamily ConnectionsHealth Research Data
JUNE 2023
685Before Incident
Breach
16 Jun 202323andMe
23andMe

23andMe Data Breach (2023)

396After Incident
CRITICAL-289
23A4894348111825
In 2023, 23andMe suffered a major data breach exposing highly sensitive genetic and ancestry data of nearly 7 million users. The compromised information included chromosomal haplogroups, family tree details, and ancestry profiles, with ethically charged consequences—such as curated dark web lists targeting individuals of Jewish and Chinese descent. Initially, the company blamed users for weak passwords, exacerbating public distrust. The fallout led to a costly class-action lawsuit, severe reputational damage, and heightened scrutiny over the company’s data stewardship practices. The breach underscored the risks of mishandling biometric and genetic data, which, unlike financial records, cannot be changed if exposed. The incident also highlighted systemic failures in incident response, transparency, and ethical data management, reinforcing the need for stricter protections around health-related and personally identifiable information (PII).
INCIDENT DETAILS -
TYPE
Data BreachData MismanagementEthical Violation
MOTIVATION
Financial Gain (Dark Web Sales)Targeted Data ExfiltrationEthnic/Ancestral Profiling
IMPACT
Class-Action Lawsuit CostsReputational Damage (Significant)Ancestry InformationChromosomal HaplogroupsFamily Tree UploadsPersonally Identifiable Information (PII)Legal and Regulatory ScrutinyCustomer Trust ErosionHigh Volume (Due to Sensitive Data Exposure)Severe DamageLoss of Consumer TrustClass-Action LawsuitPotential Regulatory FinesHigh (Due to PII and Genetic Data Exposure)
DATA BREACH
Genetic DataAncestry InformationFamily Tree DataPII (Potential)Number Of Records Exposed: 7,000,000Sensitivity Of Data: Extremely High (Genetic and Ethnic Information)Dark Web SalesCurated Lists by AncestryData Encryption: Unknown (Likely Inadequate)User UploadsGenetic ReportsFamily Tree DataNames (Likely)Ancestry DetailsPotential Addresses/Contact Info
Breach
16 Jun 202323andMe
23andMe: 23andMe Bankruptcy Judge to Review Data Breach Deals, Legal Fees

23andMe Data Breach Settlements and Legal Fees Ruling

396After Incident
CRITICAL-289
23A1768948228
23andMe Bankruptcy Judge to Rule on Data Breach Settlements and Legal Fees A U.S. bankruptcy judge overseeing 23andMe’s Chapter 11 case will issue a final decision next week on settlements with victims of a 2023 data breach, along with contested legal fees for attorneys representing the claimants. Judge Brian C. Walsh of the U.S. Bankruptcy Court for the Eastern District of Missouri announced the ruling during a Tuesday hearing, setting the deadline for January 28. The case centers on two key agreements: one involving a class of U.S.-based victims and another tied to the company’s 2025 asset sale out of bankruptcy. While 23andMe has already resolved its financial restructuring, the remaining focus is on compensating data breach claimants and resolving disputes over legal fees. The breach, disclosed in late 2023, exposed sensitive genetic and personal data of millions of users, raising concerns over privacy and cybersecurity risks. The settlements under review aim to address these claims, though the final approval process has faced scrutiny over fairness and transparency. The judge’s upcoming ruling will determine the final terms of compensation and the allocation of legal costs, marking a critical step in resolving the fallout from one of the most significant genetic data breaches to date.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: Sensitive genetic and personal dataBrand Reputation Impact: Raised concerns over privacy and cybersecurity risksLegal Liabilities: Settlements under review for data breach claimsIdentity Theft Risk: High
DATA BREACH
Genetic dataPersonal dataNumber Of Records Exposed: MillionsSensitivity Of Data: HighPersonally Identifiable Information: Yes
APRIL 2023
747Before Incident
Breach
29 Apr 202323andMe
23andMe, Inc.

Data Breach at 23andMe, Inc.

683After Incident
CRITICAL-64
23A328072725
The California Office of the Attorney General reported a data breach involving 23andMe, Inc. on January 21, 2024. The breach occurred on two dates: April 29, 2023, and September 27, 2023. The breach involved the unauthorized access to personal information of customers, including genetic data and other sensitive information. The incident highlights the vulnerability of genetic testing companies to cyber threats and the potential for significant data leaks.
INCIDENT DETAILS -
TYPE
Data Breach

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for 23andMe ?
?
What was 23andMe's A.I Rankiteo Cyber Score in June 2026 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in May 2026 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in April 2026 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in March 2026 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in February 2026 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in January 2026 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in December 2025 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in November 2025 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in October 2025 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in September 2025 ?
?
What was 23andMe's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on 23andMe's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with 23andMe ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view 23andMe's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?