Credential theft

23andMe Credential Stuffing Data Breach

📅 2023-04-29

Incident Details

Beginning April 29, 2023, a threat actor using the alias ‘Golem’ conducted credential stuffing against 23andMe’s login portal over five months, gaining direct access to ~18,000 customer accounts. Because of 23andMe’s DNA Relatives and Family Tree social features, the breach cascaded to expose data on approximately 5.5 million DNA Relatives users and 1.4 million Family Tree profile users, totalling ~7 million customers globally (including ~320k in Canada and ~155k in the UK). Exposed data included highly sensitive genetic ancestry, health predispositions, ethnicity, and relatives’ information. 23andMe did not enforce MFA, which was optional. An SEC Form 8-K was filed. The UK ICO fined 23andMe £2.31M in 2025. Canada and the UK conducted a joint investigation. 23andMe subsequently went bankrupt (filed March 2025). This is an exemplary case of how social graph features amplify the blast radius of credential stuffing.

Technical Details

Initial Attack Vector
Credential stuffing using username/password pairs stolen from prior unrelated breaches

Timeline

  1. 2023-04-29 Breach occurred
  2. 2023-10-06 Publicly disclosed
  3. 2023-10-06 Customers notified