23andMe Faces Lawsuit Over 2023 Data Breach Impacting 7 Million Users
The California Attorney General, Rob Bonta, has filed a lawsuit against genetic-testing company 23andMe (now operating as Chrome Holding Co.) for its handling of a 2023 data breach that exposed the sensitive information of nearly 7 million users, including over 850,000 Californians. The complaint alleges that 23andMe failed to implement basic security measures, misled customers about the breach’s severity, and violated multiple state laws, including the Genetic Information Privacy Act and the California Consumer Privacy Act.
The breach, which occurred over a period of five months, stemmed from a credential-stuffing attack, in which the attackers logged in with weak or reused passwords exposed in other breaches, including a prior incident at genealogy site MyHeritage, a 23andMe partner. Once inside, the attackers exploited a coding flaw in the company’s “DNA Relatives” feature, allowing them to access ancestry reports, family histories, and health-related genetic data. The stolen information was later offered for sale on the dark web, with the hackers specifically targeting data belonging to Asian-Pacific Islander and Jewish users amid rising hate crimes.
23andMe initially downplayed the incident, publicly confirming only 14,000 compromised accounts while withholding details about the broader exposure. The California Department of Justice’s investigation found that the company’s security practices “fell below industry standards,” despite its claims of robust protections. The lawsuit also accuses 23andMe of misleading customers by denying a security incident even after the hackers had revealed exploitable vulnerabilities during ransom negotiations.
Founded in 2006, 23andMe was the first direct-to-consumer DNA testing company but faced financial struggles, filing for bankruptcy in 2023. Its assets were later acquired by the 23andMe Research Institute, a nonprofit that has distanced itself from the lawsuit, stating it was not involved in the events leading to the breach.
The legal action seeks accountability for what Bonta described as a failure to “meet its obligation under California law to keep [users’] information safe.” The case highlights the risks of inadequate cybersecurity in handling highly sensitive genetic and personal data.
23andMe TPRM report: https://www.rankiteo.com/company/23andme
{
  "id": "23a1780359968",
  "linkid": "23andme",
  "type": "Breach",
  "date": "6/2026",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "7 million users (over 850,000 Californians)",
      "industry": "Biotechnology, Direct-to-consumer genetic testing",
      "location": "California, USA",
      "name": "23andMe (Chrome Holding Co.)",
      "type": "Genetic-testing company"
    }
  ],
  "attack_vector": "Credential Stuffing",
  "customer_advisories": "Misleading communications about breach severity",
  "data_breach": {
    "data_exfiltration": "Yes, data sold on dark web",
    "number_of_records_exposed": "7 million users",
    "personally_identifiable_information": "Yes (genetic data, family histories, health information)",
    "sensitivity_of_data": "High (genetic and personally identifiable information)",
    "type_of_data_compromised": "Genetic data, ancestry reports, family histories, health-related information"
  },
  "date_publicly_disclosed": "2023",
  "description": "The California Attorney General filed a lawsuit against 23andMe for its handling of a 2023 data breach that exposed the sensitive information of nearly 7 million users, including over 850,000 Californians. The breach stemmed from a credential-stuffing attack exploiting weak or reused passwords and a coding flaw in the 'DNA Relatives' feature. The stolen data was later sold on the dark web, targeting specific ethnic groups.",
  "impact": {
    "brand_reputation_impact": "Significant, due to lawsuit and misrepresentation of breach severity",
    "data_compromised": "Ancestry reports, family histories, health-related genetic data",
    "identity_theft_risk": "High, due to exposure of sensitive genetic and personal data",
    "legal_liabilities": "Lawsuit filed by California Attorney General for violating Genetic Information Privacy Act and California Consumer Privacy Act",
    "systems_affected": "23andMe user accounts, 'DNA Relatives' feature"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Yes",
    "entry_point": "Credential stuffing from prior breaches (e.g., MyHeritage)",
    "high_value_targets": "Asian-Pacific Islander and Jewish users"
  },
  "investigation_status": "Ongoing (lawsuit filed)",
  "motivation": "Financial gain, potential targeting of ethnic groups amid rising hate crimes",
  "post_incident_analysis": {
    "root_causes": "Inadequate security measures, weak/reused passwords, coding flaw in 'DNA Relatives' feature, failure to meet industry standards"
  },
  "references": [
    { "source": "California Attorney General" }
  ],
  "regulatory_compliance": {
    "legal_actions": "Lawsuit filed by California Attorney General",
    "regulations_violated": [
      "Genetic Information Privacy Act",
      "California Consumer Privacy Act"
    ]
  },
  "response": {
    "communication_strategy": "Initially downplayed the breach, publicly confirmed only 14,000 compromised accounts"
  },
  "title": "23andMe Data Breach Impacting 7 Million Users",
  "type": "Data Breach",
  "vulnerability_exploited": "Weak/reused passwords, coding flaw in 'DNA Relatives' feature"
}