Breach taxonomy
Summary
23andMe disclosed via Reg FD (Item 7.01) on October 10, 2023 that a threat actor accessed customer profile information shared via the DNA Relatives feature on 23andMe.com. The company believes the actor used credentials reused from other sites that had been previously compromised (credential stuffing). 23andMe states it has no indication that its own systems suffered a breach or that 23andMe was the source of the credentials. The company activated its IRP, retained third-party forensic experts, and is cooperating with federal law enforcement. The filing did not provide a specific incident date; the date was defaulted to the first of October 2023 per workflow rule.
Tagging rationale
ThreatUnknown
Filing uses 'threat actor' generically without attributing to any specific category (cyber-criminals, nation-state, insider, etc.); per taxonomy guide, do not infer actor type from method → UNKNOWN.