
23andMe Faces Legal Action Over 2023 Data Breach Affecting 7 Million Users

Severity: High (Score: 68.0)

Sources: Itnews.Au, Myjournalcourier, news.bloomberglaw.com, Abcnews, News.Bgov

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: data, security, examiner, states, california, over, breach

Severity indicators: breach

Summary

In 2023, 23andMe, now Chrome Holding Co., suffered a data breach that exposed the personal information of nearly 7 million users, including genetic data. The intrusion went on for about five months and was attributed to credential stuffing: the attacker logged in with usernames and passwords that customers had reused and that were already exposed in unrelated breaches. California Attorney General Rob Bonta has filed a lawsuit alleging that the company failed to protect user data and misled consumers about the breach's severity. The fallout contributed to a Chapter 11 bankruptcy filing in March 2025, and multiple states continue to scrutinise the sale of sensitive data during the proceedings. The company also faces class-action lawsuits and has proposed a settlement plan to resolve them. Attorneys general from 27 states and the District of Columbia have asked the bankruptcy court to appoint a consumer privacy ombudsman and a security examiner to oversee any sale of customer data. The case has raised broad concerns about consumer privacy and data security in the consumer genetic testing industry.

Key Points:

  • 23andMe's 2023 data breach exposed nearly 7 million users' personal and genetic information.
  • California's Attorney General has filed a lawsuit alleging violations of state privacy laws and misleading statements to consumers.
  • 27 states and the District of Columbia are pushing for a consumer privacy ombudsman and security examiner to oversee any sale of sensitive data during bankruptcy.

Detailed Analysis

**Impact**

Approximately 7 million users across the US, Canada, and Spain were affected by the 2023 breach, which exposed personal, genetic, and health information. Around 856,000 Californians were among them. The attacker directly logged in to about 14,000 user accounts; the much larger victim count comes from data that those accounts could see about other customers. The company filed for bankruptcy in March 2025, and legal action continues: class settlements valued between $33.25 million and $54.5 million in North America, plus a separate California lawsuit seeking multi-million dollar penalties. Because genetic data is shared with relatives and does not change over time, the risks of identity theft, psychological harm, and misuse extend to the relatives and descendants of affected individuals, not only to the account holders.

**Technical Details**

The intrusion ran for about five months starting in April 2023. Initial access was credential stuffing (MITRE T1110.004): the attacker replayed username and password pairs leaked in earlier, unrelated breaches against 23andMe's normal login endpoint and authenticated as roughly 14,000 legitimate users (T1078, Valid Accounts). From those accounts the attacker retrieved profile data that the platform shared between matched relatives, which is how a few thousand compromised logins exposed nearly 7 million people. No malware, CVE, or vulnerability in the application code was involved, and no infrastructure details were disclosed; the attacker used the application as designed, with someone else's credentials. The failures were therefore in credential policy (passwords reused across sites and no mandatory second factor) and in monitoring, since months of automated logins and bulk profile reads went unnoticed.

**Recommended Response**

Organisations holding comparably sensitive data should require multi-factor authentication, screen passwords against breach corpora at account creation and login, and rate-limit and alert on login sources that cycle through many distinct usernames with a high failure rate. Account activity, not only authentication, needs monitoring: a single account pulling data on hundreds or thousands of other users is the signal that turns a 14,000-account compromise into a 7-million-user breach. Privacy and security teams must also review data handling and data sale policies against consumer consent obligations, particularly where assets change hands in bankruptcy. No patches or IOCs apply, since nothing was exploited; defenders should instead look for unauthorised logins and unusual read volumes against repositories of genetic and health data.
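The two signals discussed above, a login source cycling through many usernames with mostly failures and an account then reading an unusual number of other users' profiles, can be checked directly against application logs. The block below is an added example written for this page, not 23andMe's code or telemetry; the log format, hostnames, user IDs, IP addresses, and thresholds are all constructed for illustration.

```python
"""Detect credential stuffing (T1110.004), the valid-account logins it yields
(T1078), and per-account data fan-out over constructed web-app logs."""
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format (not real 23andMe data):
#   <timestamp> <event> user=<id> ip=<addr> result=<ok|fail> [target=<profile>]
SAMPLE_LOG = "\n".join(
    # 203.0.113.7 replays leaked credential pairs: many distinct users, mostly failures
    [f"2023-04-29T01:00:{i:02d}Z login user={u} ip=203.0.113.7 result=fail"
     for i, u in enumerate(["alice", "bob", "carol", "erin", "frank", "grace"])]
    + ["2023-04-29T01:00:09Z login user=dana ip=203.0.113.7 result=ok"]
    # dana's account is then used to read data on many other customers (fan-out)
    + [f"2023-04-29T01:{1 + i // 60:02d}:{i % 60:02d}Z view user=dana "
       f"ip=203.0.113.7 result=ok target=rel{i:03d}" for i in range(40)]
    # carol mistypes her password twice from her own IP, then succeeds: benign
    + ["2023-04-29T08:15:00Z login user=carol ip=198.51.100.5 result=fail",
       "2023-04-29T08:15:20Z login user=carol ip=198.51.100.5 result=fail",
       "2023-04-29T08:15:40Z login user=carol ip=198.51.100.5 result=ok",
       "2023-04-29T08:16:00Z view user=carol ip=198.51.100.5 result=ok target=rel001",
       "2023-04-29T08:16:30Z view user=carol ip=198.51.100.5 result=ok target=rel002"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|view) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>ok|fail)(?: target=(?P<target>\S+))?$"
)


def parse_log(text):
    """Parse lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Source IPs that try many distinct usernames and mostly fail.

    A legitimate user who mistypes a password fails repeatedly on ONE username;
    a credential-stuffing tool fails across MANY usernames, because most leaked
    pairs no longer work.  Thresholds are illustrative and should be tuned."""
    users = defaultdict(set)
    attempts = defaultdict(lambda: [0, 0])  # ip -> [total logins, failed logins]
    for e in events:
        if e["event"] != "login":
            continue
        users[e["ip"]].add(e["user"])
        attempts[e["ip"]][0] += 1
        if e["result"] == "fail":
            attempts[e["ip"]][1] += 1
    flagged = {}
    for ip, (total, failed) in attempts.items():
        ratio = failed / total
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(users[ip]), "fail_ratio": round(ratio, 2)}
    return flagged


def find_compromised_accounts(events, sources):
    """Accounts with a successful login from a flagged stuffing source (T1078)."""
    return sorted({e["user"] for e in events
                   if e["event"] == "login" and e["result"] == "ok" and e["ip"] in sources})


def find_scrapers(events, max_targets=25):
    """Accounts that read more distinct other-user profiles than the threshold.

    This is the fan-out signal: one valid account pulling data on many others."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == "view" and e["target"]:
            targets[e["user"]].add(e["target"])
    return {u: len(t) for u, t in targets.items() if len(t) > max_targets}


def analyze(text):
    """Run all three detections and return a single findings dict."""
    events = parse_log(text)
    sources = find_stuffing_sources(events)
    return {
        "stuffing_sources": sources,
        "compromised_accounts": find_compromised_accounts(events, sources),
        "scrapers": find_scrapers(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed log this flags 203.0.113.7 as a stuffing source (7 distinct usernames, 86% failure), marks dana as the compromised account, and reports dana reading 40 distinct profiles, while carol's two typos from her own address trip nothing. In production the counts would be computed over sliding time windows and the scraping threshold set from a baseline of normal per-account reads; the structure of the checks is the same.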

Source articles (7)

  • California Sues 23andMe Over 2023 Breach of Millions' DNA Data — News.Bgov · 2026-05-28
    California Attorney General Rob Bonta sued the genetic testing company formerly known as 23andMe over its handling of a 2023 data breach that exposed nearly 7 million users' sensitive personal inform…
  • 7 million users — news.bloomberglaw.com · 2026-05-28
    On the morning of Sept. 25, Elvira Olguín called into a St. Louis court hearing in the 23andMe bankruptcy from Málaga, Spain, sitting beside her son, who guided her through the proceedings. The 96-yea…
  • Bankrupt 23andme Needs Security Examiner For Data 27 States Say — news.bloomberglaw.com · 2026-05-28
    Attorneys general from 27 states and the District of Columbia moved to appoint a consumer privacy ombudsman and security examiner in 23andMe Holding Co.'s bankruptcy, saying they’re concerned the pote…
  • California sues 23andMe over large 2023 data breach — Itnews.Au · 2026-05-28
    The genetics testing company 23andMe is being sued by California Attorney General Rob Bonta, over a 2023 data breach that exposed genetic and other personal information of an estimated 6.9 million US…
  • California sues 23andMe, alleging it failed to protect user data in 2023 breach — Myjournalcourier · 2026-05-28
    LOS ANGELES (AP) — California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affecte…
  • California sues former 23andMe over 2023 ancestry and genetic data breach — Cbsnews · 2026-05-28
    California is suing the consumer genetics company formerly known as 23andMe over its 2023 breach of ancestry and genetic data, one of the most consequential data breaches ever. Attorney General Rob Bo…
  • California sues 23andMe, alleging it failed to protect user data in 2023 breach — Abcnews · 2026-05-28
    California’s attorney general is suing the genetic testing company formerly known as 23andMe, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people a…

Timeline

  • 2023-04-01 — Data breach began: A data breach at 23andMe exposed user data, lasting for five months before detection.
  • 2023-10-01 — Data breach disclosed: 23andMe publicly acknowledged the breach; the figure of nearly 7 million affected customers was confirmed in later disclosures.
  • 2025-03-01 — 23andMe files for bankruptcy: The company filed for Chapter 11 bankruptcy protection, citing the data breach and related litigation.
  • 2025-07-01 — Asset sale approved: A court approved the sale of 23andMe's assets for $305 million amid ongoing legal challenges.
  • 2026-05-28 — California files lawsuit: California AG Bonta sued 23andMe for mishandling the data breach and violating privacy laws.

Related entities

  • Credential Stuffing (Attack Type)
  • Data Breach (Attack Type)
  • 23andMe (Company)
  • Chrome Holding Co (Company)
  • Canada (Country)
  • Spain (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)