
23andMe Faces Legal Action Over Data Breach and Bankruptcy Concerns

Severity: High (Score: 66.0)

Sources: Itnews.Au, news.bloomberglaw.com, News.Bgov

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: data, security, examiner, states, california, over, breach

Severity indicators: breach

Summary

23andMe, now known as Chrome Holding Co., is under scrutiny following a 2023 data breach that exposed sensitive information of nearly 7 million users. California Attorney General Rob Bonta has filed a lawsuit against the company, alleging it failed to protect user data and misled consumers about the breach's severity. The breach allowed hackers to access personal and genetic information, exploiting reused credentials. In bankruptcy proceedings, 27 states and the District of Columbia have requested the appointment of a consumer privacy ombudsman to oversee the potential sale of sensitive data. Concerns have been raised regarding the company's compliance with privacy laws, including the California Consumer Privacy Act. The company filed for bankruptcy in March 2026, two years after the breach, prompting fears about the sale of consumer data without proper oversight.

Key Points:

  • 23andMe's 2023 data breach affected nearly 7 million users, exposing sensitive genetic data.
  • California's Attorney General has sued 23andMe for failing to protect user data and misleading consumers.
  • 27 states are seeking an ombudsman to oversee the sale of sensitive data during 23andMe's bankruptcy.

Detailed Analysis

**Impact** Approximately 7 million 23andMe customers had their personally identifiable and genetic data compromised in a 2023 breach, including direct access to around 14,000 user accounts. The company’s genetic database now contains over 15 million customers’ genetic and health data, raising concerns about potential unauthorized sale amid bankruptcy proceedings. The breach affects consumers across at least 27 U.S. states and the District of Columbia, with legal actions citing violations of multiple state privacy laws, including California, Alaska, Washington, Colorado, Virginia, Utah, and Connecticut. The exposure of sensitive genetic information also poses risks to individuals related by DNA and future generations.

**Technical Details** The attacker exploited reused usernames and passwords obtained from previous data breaches, maintaining undetected access for five months. During this time, 23andMe’s security team failed to identify or mitigate credential reuse risks. The breach involved unauthorized access to user accounts and subsequent sale of genetic data on the dark web. No specific malware, CVEs, or infrastructure details were disclosed in the articles.

**Recommended Response** Organizations handling sensitive genetic or personal data should enforce strict credential hygiene policies, including multi-factor authentication and monitoring for credential stuffing attacks. Legal and regulatory entities should monitor 23andMe’s bankruptcy asset sale process to ensure compliance with privacy protections and consumer opt-out rights. Security teams should watch for unauthorized access patterns and suspicious data exfiltration related to genetic databases. No specific patches or IOCs were provided for immediate technical mitigation.

Source articles (4)

  • California Sues 23andMe Over 2023 Breach of Millions' DNA Data — News.Bgov · 2026-05-28
    California Attorney General Rob Bonta sued the genetic testing company formerly known as 23andMe over its handling of a 2023 data breach that exposed nearly 7 million users’ sensitive personal inform…
  • 7 million users — news.bloomberglaw.com · 2026-05-28
    On the morning of Sept. 25, Elvira Olguín called into a St. Louis court hearing in the 23andMe bankruptcy from Málaga, Spain, sitting beside her son, who guided her through the proceedings. The 96-yea…
  • Bankrupt 23andme Needs Security Examiner For Data 27 States Say — news.bloomberglaw.com · 2026-05-28
    Attorneys general from 27 states and the District of Columbia moved to appoint a consumer privacy ombudsman and security examiner in 23andMe Holding Co.'s bankruptcy, saying they’re concerned the pote…
  • California sues 23andMe over large 2023 data breach — Itnews.Au · 2026-05-28
    The genetics testing company 23andMe is being sued by California Attorney General Rob Bonta, over a 2023 data breach that exposed genetic and other personal information of an estimated 6.9 million US…

Timeline

  • 2023-01-01 — Data breach disclosed: 23andMe disclosed a breach affecting nearly 7 million users, exposing sensitive personal information.
  • 2023-05-01 — California AG launches investigation: California Attorney General initiated an investigation into 23andMe's data breach handling and security practices.
  • 2026-03-28 — 23andMe files for bankruptcy: The company filed for bankruptcy, raising concerns about the sale of sensitive consumer data.
  • 2026-05-28 — California sues 23andMe: California AG Bonta filed a lawsuit against 23andMe for violating privacy laws and misleading consumers about the breach.
  • 2026-05-28 — 27 states seek ombudsman: Attorneys general from 27 states requested a consumer privacy ombudsman in 23andMe's bankruptcy case to protect user data.

Related entities

  • Data Breach (Attack Type)
  • 23andMe (Company)
  • Canada (Country)
  • Spain (Country)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • T1078 - Valid Accounts (MITRE ATT&CK)