Peter Rohel (c)
This has been going on since the big credential-stuffing hack at 23andMe that was reported last October.
Because of the relatively weak login procedures at 23andMe (no two-factor authentication; use of e-mail as login), one or more bad actors were able to gain access to at least 14,000 and possibly many more accounts by guessing the password and login, and once they gained access, they were able to download the raw DNA data as well as scrape all the other information (family tree, location, matches, matching segments, etc.), thereby also gaining information on their relatives. According to news reports, this information was targeted especially at people of Jewish and of Chinese descent, with information on Jewish people sold on to Iran. For more details, see these posts at Roberta Estes's Genetic Genealogy blog: https://dna-explained.com/2023/10/29/23andme-dna-relatives-connecti... and https://dna-explained.com/2023/12/21/whats-changed-autosomal-dna-ve...
In the wake of the report of this breach, 23andMe has of course been hit with class action lawsuits, so any further moves by the company are likely to be governed by their lawyers.
At present, there is no way to verify whether your raw DNA data file was actually downloaded by you, or by the bad actor. That is why no other company will at present accept an upload of a raw DNA file from 23andMe - because is it really you uploading that file, or the bad actor posing as you and trying to fish out more people of Jewish or Chinese descent?
Until 23andMe can introduce protocols to assure other vendors that a download was done only by the true owner of that particular account, this is not likely to change.