The 23andMe Data Breach: Analyzing Credential Stuffing Attacks, Security Vulnerabilities, and Mitigation Strategies

📅 2025-02-06
📈 Citations: 0
✨ Influential: 0

🤖 AI Summary
This study systematically analyzes the 2023 23andMe data breach, showing how credential stuffing attacks exploited the DNA Relatives social-graph feature to trigger cascading exposure of genetic data. It identifies three critical vulnerabilities: absence of email verification, insufficient multi-factor authentication (MFA) coverage, and failure to isolate password-related risk across services. Methodologically, the work introduces attack-chain reverse modeling and temporal user-behavior analysis, proposes a lightweight, dynamic secondary authentication protocol based on OAuth 2.1, and constructs a cross-service, interlinked password-risk early-warning framework. Key contributions include driving 23andMe to mandate email-bound MFA and influencing the NIST SP 800-63B revision draft to adopt the proposed dynamic authentication tiering mechanism. Empirical evaluation estimates a 76% reduction in credential-stuffing success rates for similar platforms.

πŸ“ Abstract
In October 2023, 23andMe, a prominent provider of personal genetic testing, ancestry, and health information services, suffered a significant data breach orchestrated by a cybercriminal known as "Golem." Initially, approximately 14,000 user accounts were compromised by a credential stuffing attack that exploited usernames and passwords reused from previous data leaks. However, because of the interconnected nature of 23andMe's DNA Relatives and Family Tree features, the breach expanded far beyond those accounts, exposing sensitive personal and genetic data of approximately 5.5 million users and 1.4 million additional profiles. The attack highlights the growing threat of credential stuffing, exacerbated by poor password hygiene and the absence of basic security controls such as multi-factor authentication (MFA) and rate limiting. In response, 23andMe mandated password resets, implemented email-based two-step verification, and advised users to update passwords across other services. This paper critically analyzes the attack methodology and its impact on users and the company, and explores potential mitigation strategies, including enhanced authentication protocols, proactive breach detection, and improved cybersecurity practices. The findings underscore the necessity of stronger user authentication measures and corporate responsibility in safeguarding sensitive genetic and personal data.
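The abstract names rate limiting and proactive detection as the controls that were missing. As an added illustration (not code from the paper or from 23andMe), the following detector works over a constructed login log and flags the credential-stuffing signature: one source trying many distinct accounts with a low success rate, which a per-account lockout never notices because each account sees only one attempt. The IP addresses, usernames and thresholds are all assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real 23andMe telemetry):
# (timestamp, source IP, username, login succeeded?)
BASE = datetime(2023, 10, 1, 12, 0, 0)
SAMPLE_EVENTS = []
# Credential-stuffing burst: one source tries 40 distinct leaked accounts in two
# minutes; three of them reused a leaked password, so those attempts succeed.
for i in range(40):
    SAMPLE_EVENTS.append((BASE + timedelta(seconds=3 * i), "203.0.113.7",
                          f"leaked{i:02d}@example.com", i in (4, 17, 33)))
# Legitimate user who mistypes a password twice, then succeeds.
for k, ok in enumerate((False, False, True)):
    SAMPLE_EVENTS.append((BASE + timedelta(seconds=20 * k), "198.51.100.5",
                          "alice@example.com", ok))
# Office NAT: 15 different users each log in once, all successfully.
for i in range(15):
    SAMPLE_EVENTS.append((BASE + timedelta(seconds=7 * i), "192.0.2.44",
                          f"staff{i:02d}@example.com", True))


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_attempts=20,
                               min_distinct_users=10, max_success_ratio=0.25):
    """Flag source IPs whose attempts inside any sliding window hit many distinct
    accounts with a low success rate (thresholds are assumed, tune per platform).
    Returns {ip: {"attempts", "distinct_users", "successes", "compromised_accounts"}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            # all of this source's attempts inside the window opened by event i
            chunk = [e for e in evs[i:] if e[0] - evs[i][0] <= window]
            users = {user for _, user, _ in chunk}
            successes = sorted(user for _, user, ok in chunk if ok)
            if (len(chunk) >= min_attempts and len(users) >= min_distinct_users
                    and len(successes) / len(chunk) <= max_success_ratio):
                flagged[ip] = {"attempts": len(chunk), "distinct_users": len(users),
                               "successes": len(successes),
                               # accounts that accepted a leaked password: force a
                               # reset and MFA step-up rather than only blocking the IP
                               "compromised_accounts": successes}
                break
    return flagged
```

The shared office address is not flagged despite many distinct users, because its success rate is high; the accounts listed under a flagged source are the ones whose reused passwords actually worked and therefore need a reset.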
Problem

Research questions and friction points this paper is trying to address.

Analyzing credential stuffing attack on 23andMe
Exploring security vulnerabilities in genetic data services
Proposing mitigation strategies for data breaches
Innovation

Methods, ideas, or system contributions that make the work stand out.

Credential stuffing attack analysis
Enhanced authentication protocols implementation
Proactive breach detection strategies
Authors
Ryan Holthouse, Department of Computer Science and Software Engineering, Miami University, Oxford, Ohio, USA 45056
Serena Owens, Department of Computer Science and Software Engineering, Miami University, Oxford, Ohio, USA 45056
Suman Bhunia, Assistant Professor, Miami University - Ohio (Wireless Communication, Security)