Cybersecurity · Saturday, 18 July 2026
01 · Briefing · what happened
23andMe settles its DNA breach for $18m — but six million people can't change the data that leaked
A record settlement over stolen genetic data, a city forcing "nudify" apps off the app stores, and clothes designed to blind facial recognition — a week whose real thread is the data you can never take back. Plus the ordinary, fixable flaws that still need patching now.
A settlement over the one thing you can’t reissue
This week 23andMe agreed to an $18m settlement with a coalition of 42 US state attorneys general over its 2023 data breach, plus new legally binding requirements to protect customer data — and a further $705,000 paid to New York
The breach itself was mundane in how it worked. In October 2023, attackers didn’t break into the company’s network. They used a technique called credential stuffing — taking passwords leaked from other websites and trying them on 23andMe accounts, betting that people reuse the same password everywhere. Enough did, and enough had no second login check (multi-factor authentication), that the attackers walked into over six million accounts and pulled out profile and ancestry information
Here is what makes it different from an ordinary breach. When your password leaks, you change it. When your card number leaks, the bank sends a new one. But the data at the centre of this case was genetic. You cannot reissue your DNA. And because close relatives share much of it, the six million exposed accounts quietly exposed millions of family members who never signed up for anything
A city tries to claw back stolen faces
The same week, San Francisco’s city attorney sent cease-and-desist letters to Apple and Google, demanding they pull 13 “nudify” apps from their app stores
The legal argument is that the app stores are “aiding and abetting” by hosting the tools and taking a cut of the sales
People are now dressing to disappear
The third story is what happens when people decide the only defence is not to be captured at all. As live facial recognition spreads across British public spaces, designers are selling “adversarial clothing” — garments printed with patterns meant to confuse the computer-vision systems that scan crowds
Security experts are honest about the limits: whether the patterns work depends heavily on the specific camera and the lighting, so this is closer to a statement than a shield
The ordinary kind, which you can still fix
Not every risk this week was permanent, and it’s worth ending on the fixable kind, because that’s where an ordinary reader has real power. US authorities also ordered urgent patching of two critical flaws in Fortinet security equipment that attackers were already exploiting
That contrast is the whole point of the week. A software flaw gets patched. A reused password gets changed. But your genome, your face, and your fingerprint don’t get patched or changed — so the only real protection is deciding, before anything leaks, how much of that you hand over in the first place.
If you’ve used a genetic-testing service: you can usually request that the company delete your account and destroy your sample — worth doing if you no longer need it there. Everywhere else: turn on multi-factor authentication and stop reusing passwords, so a leak from one site can’t credential-stuff its way into the rest. And be slow to hand your face, fingerprint, or DNA to any service that doesn’t truly need it — that’s the one decision you can’t take back later.
02 · Lesson · why it matters
The secret you can't reissue
Security quietly assumes every stolen secret can be replaced. Some things leak once and stay leaked for the rest of your life.
The advice that only works on replaceable things
Almost every piece of security advice you’ve ever heard rests on a hidden assumption: that a compromised secret can be swapped for a fresh one. Change your password. Get a new card. Reset your login. The whole discipline is built around recovery — the breach happens, you rotate the secret, the stolen copy goes stale.
It’s good advice, and it works, because most of what we’re asked to protect is replaceable. A password is just a string; pick another. A card number is just an account pointer; the bank issues a new one overnight. The leaked copy becomes worthless the moment you change the original.
Now look at what leaked from 23andMe. Not a password. A genome. And a genome has no replacement. There is no reset button on the molecule you were born with. The advice that has always saved us — change it and move on — simply has nothing to grab onto.
Two kinds of data wearing the same coat
This is the distinction worth carrying out of today’s news, because from the outside the two kinds of data look identical. Both sit in the same database. Both leak the same way. Both show up in the same breach notification email.
But one kind is a pointer — a password, a card, a username — a stand-in you can cancel and reissue. The other is an identity — your face, your fingerprint, your DNA, your voice — the actual thing, not a token for it. When a pointer leaks, you cut the link and it’s over. When an identity leaks, the thing itself is loose in the world, and it will still be yours in forty years.
The nudify apps make the same point from the other direction. A fake nude image built from your face isn’t stealing a password to your likeness — it’s the likeness itself, and once it spreads there’s no revoking it. That’s why San Francisco went after the app stores instead of telling victims to “secure their accounts.” There’s no account to secure. The thing that leaked was the person.
Why the defence has to move earlier
Here’s the uncomfortable part. If a breach of permanent data can’t be undone, then every defence that lives after the breach — the settlement, the patch, the free credit monitoring — arrives too late by design. You cannot protect, after the fact, a thing that cannot be changed.
Which means the only lever that actually works is the one before: not handing it over. The people printing patterns onto clothes to confuse facial-recognition cameras have understood this, even if the clothes barely work. They’ve grasped that once your face is in the database, no promise of “we take security seriously” can un-collect it. So they’re trying to fail to be collected in the first place. It’s the one move that comes early enough to matter.
Who’s inside this, beyond the six million
It’s tempting to file this as a problem for 23andMe’s customers. But the shape of permanent data refuses to stay contained. Your DNA is shared with your parents, your siblings, your children. Six million people handed over samples; millions more who never clicked “agree” were exposed through them, because the data was never really only theirs to give. A cousin’s decision put a piece of you in a database you’ve never heard of.
And the arrangement underneath looks like ordinary convenience — spit in a tube, learn your ancestry, help science. It genuinely offers those things. It also quietly builds a permanent, shared, unchangeable record that outlives the company that collected it, gets fought over in bankruptcy court, and can be breached by nothing more sophisticated than someone reusing a password. Both of those are true at once, and which one you saw depended on whether anyone drew the second picture for you.
What’s left to hold
None of this is a reason for dread, and it isn’t advice to trust nothing. It’s a smaller, sturdier habit of mind: before you hand something over, ask one question — can I take this back if it leaks?
For a password, a card, an email, the answer is yes, and you can be relaxed about it because recovery is real. For your face, your fingerprint, your genome, the answer is no, and that single fact should make you a little slower, a little stingier, a little more willing to click “no thanks.” Not because the service is sinister — usually it isn’t — but because you, and the relatives who never got a vote, will be living with that data long after everyone who promised to guard it has moved on. Seeing which kind of secret you’re being asked for is most of the protection you’ll ever get.
03 · Lab · your turn
What Can You Take Back?
Rehearse sorting the data you hand over into what a breach can undo and what stays leaked for life.
04 · Hope · carry this
The same week showed the guardrails catching up: 42 states forced real, binding protections onto the data a bankrupt company left behind, a city pushed the app stores to stop profiting from stolen faces, and ordinary people found small ways to say no — proof that we are slowly learning to defend the things about ourselves we can never replace.
More from Cybersecurity