California Sues 23andMe Over 2023 Data Breach Affecting 7 Million Users
Severity: High (Score: 66.0)
Sources: Myjournalcourier, Krcrtv, News.Bgov, www.independent.com, Itnews.Au
Keywords: data, security, examiner, states, california, over, breach
Severity indicators: breach
Summary
California's Attorney General Rob Bonta has filed a lawsuit against 23andMe, now known as Chrome Holding Co., for failing to protect sensitive user data in a 2023 data breach. The breach exposed the personal information of nearly 7 million users, including genetic data and health reports, due to a credential stuffing attack that exploited weak passwords. The company acknowledged that 14,000 accounts were accessed, leading to the scraping of data from connected profiles. The breach was discovered in October 2023 when the stolen data was offered for sale on the dark web. California's lawsuit seeks civil penalties and aims to hold the company accountable for its lax security measures. The breach has raised significant privacy concerns, especially regarding the targeting of specific ethnic groups. 23andMe filed for bankruptcy in March 2025, complicating the legal landscape for affected users. The lawsuit is part of a broader scrutiny of the company's data handling practices during its bankruptcy proceedings.

Key Points:
- California's lawsuit targets 23andMe for failing to secure user data after a major breach.
- The breach affected nearly 7 million users, exposing sensitive genetic and health information.
- Credential stuffing was the attack method, leveraging weak passwords from a prior data breach.
Detailed Analysis
**Impact**

Nearly 7 million users across the United States, including approximately 855,000 Californians, had their sensitive genetic, health, ancestry, and personal data exposed in the 2023 breach. The breach affected customers of 23andMe, now operating as Chrome Holding Co., with stolen data including raw genetic profiles, health reports, biological relatives' information, and demographic details. The incident has led to multiple lawsuits, a class-action settlement valued between $30 million and $50 million for U.S. customers, and ongoing legal challenges related to privacy violations and the handling of data during bankruptcy proceedings.

**Technical Details**

The breach was executed via credential stuffing attacks using stolen usernames and passwords, including credentials leaked in a 2017 breach at MyHeritage, a former 23andMe partner. Attackers accessed approximately 14,000 accounts, which let them scrape data on nearly 7 million users through the company's opt-in DNA Relatives feature. The intrusion went undetected for over five months; 23andMe only initiated an investigation after the stolen data was offered for sale on the dark web. No specific malware, CVEs, or infrastructure details were disclosed in the sources.

**Recommended Response**

Organizations should enforce multifactor authentication and monitor for credential stuffing attempts, especially in systems handling sensitive genetic or health data. Regular audits for reused or compromised credentials and prompt investigation of anomalous login patterns are critical. Entities managing genetic data must ensure compliance with applicable privacy laws, including obtaining explicit consent for data transfers. Monitoring dark web forums for stolen genetic data and implementing rapid incident response protocols upon breach detection are advised.
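The recommended monitoring for credential stuffing attempts and anomalous login patterns can be reduced to a simple detector. The following is an added example, not code from 23andMe or from any of the source articles; it assumes a constructed authentication log format of `timestamp ip username result` and illustrative thresholds (window size, minimum distinct usernames, maximum success ratio) that a real deployment would tune. It flags a source address that cycles through many distinct accounts with mostly failed logins inside a short window, the signature of replaying a leaked credential list, and then lists the accounts that did log in successfully from that source, which are the ones to force a password reset and review for scraping activity.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 walks a list of different accounts (stuffing pattern);
# 198.51.100.20 is one user retrying their own password; 192.0.2.55 is a normal login.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:03 203.0.113.7 carol OK
2023-05-01T10:00:04 203.0.113.7 dave FAIL
2023-05-01T10:00:05 203.0.113.7 erin FAIL
2023-05-01T10:00:06 203.0.113.7 frank FAIL
2023-05-01T10:00:07 203.0.113.7 grace OK
2023-05-01T10:00:08 203.0.113.7 heidi FAIL
2023-05-01T10:00:09 203.0.113.7 ivan FAIL
2023-05-01T10:00:10 203.0.113.7 judy FAIL
2023-05-01T10:00:11 203.0.113.7 ken FAIL
2023-05-01T10:00:12 203.0.113.7 leo FAIL
2023-05-01T10:05:00 198.51.100.20 alice FAIL
2023-05-01T10:05:04 198.51.100.20 alice FAIL
2023-05-01T10:05:09 198.51.100.20 alice OK
2023-05-01T10:30:00 192.0.2.55 mallory OK
"""


def parse_log(text):
    """Parse the constructed log format into (time, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=8, max_success_ratio=0.3):
    """Return {ip: stats} for sources whose sliding window shows many distinct
    usernames with a low success ratio. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            successes = sum(1 for e in chunk if e[3])
            ratio = successes / len(chunk)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                stats = {"distinct_users": len(users), "attempts": len(chunk),
                         "successes": successes}
                # Keep the widest-spread window seen for this source.
                if ip not in alerts or stats["distinct_users"] > alerts[ip]["distinct_users"]:
                    alerts[ip] = stats
    return alerts


def accounts_to_review(events, alerts):
    """Accounts that logged in successfully from a flagged source: these are the
    ones to reset and to check for follow-on data scraping."""
    return sorted({e[2] for e in events if e[1] in alerts and e[3]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_credential_stuffing(evs)
    print("flagged sources:", found)
    print("accounts to review:", accounts_to_review(evs, found))
```

Keying on a single source address is the simplest form of this check; stuffing campaigns are often spread across many proxies, so a production detector also tracks the site-wide failure rate against a baseline and the number of distinct accounts hit per minute regardless of source. The retry pattern from 198.51.100.20 is deliberately not flagged: one user, one account, and an eventual success is ordinary behaviour, and a detector that fires on it would drown the real signal.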
Source articles (13)
- California Sues 23andMe Over 2023 Breach of Millions' DNA Data — News.Bgov · 2026-05-28
  California Attorney General Rob Bonta sued the genetic testing company formerly known as 23andMe over its handling of a 2023 data breach that exposed nearly 7 million users' sensitive personal inform…
- 7 million users — news.bloomberglaw.com · 2026-05-28
  On the morning of Sept. 25, Elvira Olguín called into a St. Louis court hearing in the 23andMe bankruptcy from Málaga, Spain, sitting beside her son, who guided her through the proceedings. The 96-yea…
- Bankrupt 23andme Needs Security Examiner For Data 27 States Say — news.bloomberglaw.com · 2026-05-28
  Attorneys general from 27 states and the District of Columbia moved to appoint a consumer privacy ombudsman and security examiner in 23andMe Holding Co.'s bankruptcy, saying they're concerned the pote…
- California sues 23andMe over large 2023 data breach — Itnews.Au · 2026-05-28
  The genetics testing company 23andMe is being sued by California Attorney General Rob Bonta, over a 2023 data breach that exposed genetic and other personal information of an estimated 6.9 million US…
- California sues 23andMe, alleging it failed to protect user data in 2023 breach — Myjournalcourier · 2026-05-28
  LOS ANGELES (AP) — California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affecte…
- California sues former 23andMe over 2023 ancestry and genetic data breach — Cbsnews · 2026-05-28
  California is suing the consumer genetics company formerly known as 23andMe over its 2023 breach of ancestry and genetic data, one of the most consequential data breaches ever. Attorney General Rob Bo…
- California sues 23andMe, alleging it failed to protect user data in 2023 breach — Abcnews · 2026-05-28
  California's attorney general is suing the genetic testing company formerly known as 23andMe, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people a…
- California Sues 23andMe over 2023 Data Breach — Ground.News · 2026-05-28
  California is suing the company formerly known as 23andMe over its 2023 breach of ancestry and genetic data, one of the most consequential data breaches ever. California's attorney general is suing t…
- California suit says 23andMe hack exposed 855,000 Californians' genetic data — Krcrtv · 2026-05-28
  CALIFORNIA — California Attorney General Rob Bonta announced a lawsuit Thursday against genetic testing company 23andMe, now known as Chrome Holding Company, accusing the company of failing to protect…
- California sues 23andMe, alleging it failed to protect user data in 2023 breach — apnews.com · 2026-05-29
  LOS ANGELES (AP) — California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affecte…
- California sues 23andMe over large 2023 data breach — www.reuters.com · 2026-05-29
- California sues 23andMe over 2023 data breach — www.ctvnews.ca · 2026-05-29
- Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach — www.independent.com · 2026-05-29
Timeline
- 2023-10-01 — Data breach discovered: 23andMe found that user data was being sold on the dark web, affecting nearly 7 million users.
- 2023-10-01 — Breach publicly disclosed: 23andMe publicly acknowledged the breach affecting 14,000 accounts and the scraping of data from connected profiles.
- 2025-03-01 — 23andMe files for bankruptcy: The company filed for Chapter 11 bankruptcy, citing the financial impact of the data breach and related lawsuits.
- 2026-05-28 — California files lawsuit against 23andMe: California's Attorney General filed a lawsuit against Chrome Holding Co. for failing to protect user data in the 2023 breach.
Related entities
- Credential Stuffing (Attack Type)
- Data Breach (Attack Type)
- 23andMe (Company)
- Chrome Holding Co (Company)
- Chrome Holding Company (Company)
- MyHeritage (Company)
- Canada (Country)
- Spain (Country)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-287 - Improper Authentication (CWE)
- T1078 - Valid Accounts (MITRE ATT&CK)
- T1110 - Brute Force (MITRE ATT&CK)
- T1567 - Exfiltration Over Web Service (MITRE ATT&CK)