Breaches | May 29, 2026

California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach

California sues 23andMe for failing to protect 7M users in 2023 credential-stuffing breach.

Summary

California's attorney general filed a lawsuit against 23andMe (now Chrome Holding Co.) for inadequate security measures that allowed a 2023 breach affecting nearly 7 million customers through credential-stuffing attacks. The company failed to implement basic protections like mandatory password resets or MFA after a 2017 MyHeritage breach and delayed investigation for five months until stolen data appeared on the dark web. The suit seeks civil penalties and injunctions under California's privacy protection laws, including the Genetic Information Privacy Act.

Full text

California’s attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people across the country. Attorney General Rob Bonta filed the lawsuit against Chrome Holding Co., the name 23andMe rebranded under after filing for bankruptcy last March. 23andMe is known for its direct-to-consumer DNA test kits, which provided customers with information on their ancestry and genetic predispositions for certain health conditions.

The lawsuit calls for various civil penalties against 23andMe and injunctions blocking the company from further violations of California’s privacy protection laws.

The company has acknowledged that it suffered a major security breach in 2023 in which about 14,000 accounts were accessed directly, and that through those accounts the attackers were able to steal the data of nearly 7 million customers. The cyberattack used “credential stuffing,” which takes advantage of customers’ tendency to use weak or common passwords or to reuse passwords across multiple accounts. Bonta’s office said this is a well-known attack that businesses should know to guard against. The attackers used stolen user account credentials, including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe’s former partners. After that breach, 23andMe did not follow common protocols such as asking customers to reset their passwords or to use multifactor authentication.

23andMe did not immediately respond to an emailed request for comment.

“23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom,” prosecutors said in the complaint.

In October 2023, the stolen data appeared for sale on the dark web, with the poster specifically touting that about 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users. “The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said in a press release. “This is disturbing and incredibly dangerous.”

Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.

The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company’s role in it. The company has said it only found out about the breach in October 2023, when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.

Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said. Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.

In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.
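The complaint's two technical points, that credential stuffing reuses leaked passwords across many accounts and that a "suspicious spike in user login attempts" went uninvestigated, are the kind of signal an authentication log can surface. The following is an added illustration, not code from 23andMe or from the article: it runs over a constructed login log (format, addresses and thresholds are assumptions) and flags both an hourly volume spike and a source that tries many distinct accounts with a high failure ratio.

```python
"""Flag credential-stuffing patterns in a constructed login log (sample data, not 23andMe's)."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample, one event per line: "ISO-timestamp source-ip username result".
# Hours 09-11 are ordinary traffic; hour 12 is a burst from one source against many accounts.
SAMPLE_LOG = """\
2023-07-10T09:05:00 198.51.100.10 alice OK
2023-07-10T09:40:00 198.51.100.11 bob OK
2023-07-10T10:15:00 198.51.100.12 carol FAIL
2023-07-10T10:20:00 198.51.100.12 carol OK
2023-07-10T11:30:00 198.51.100.13 dave OK
2023-07-10T12:00:01 203.0.113.5 user01 FAIL
2023-07-10T12:00:02 203.0.113.5 user02 FAIL
2023-07-10T12:00:03 203.0.113.5 user03 OK
2023-07-10T12:00:04 203.0.113.5 user04 FAIL
2023-07-10T12:00:05 203.0.113.5 user05 FAIL
2023-07-10T12:00:06 203.0.113.5 user06 OK
2023-07-10T12:00:07 203.0.113.5 user07 FAIL
2023-07-10T12:00:08 203.0.113.5 user08 FAIL
"""

def parse_log(text):
    """Yield (hour_bucket, ip, user, success) tuples from the constructed format."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield ts[:13], ip, user, result == "OK"   # "YYYY-MM-DDTHH" as the hour bucket

def hourly_spikes(events, factor=3.0):
    """Return hours whose login volume exceeds `factor` times the median hourly volume."""
    per_hour = Counter(hour for hour, *_ in events)
    baseline = median(per_hour.values())
    return {h: n for h, n in per_hour.items() if n > factor * baseline}

def stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Return sources that try many distinct accounts and fail most of the time."""
    users, fails, total = defaultdict(set), Counter(), Counter()
    for _, ip, user, ok in events:
        users[ip].add(user)
        total[ip] += 1
        fails[ip] += (not ok)
    return {ip for ip in total
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio}

def analyse(text):
    """Run both detectors over a log; a non-empty result is a lead for a login-spike review."""
    events = list(parse_log(text))
    return hourly_spikes(events), stuffing_sources(events)
```

The successful logins inside the burst are the ones that matter for response: those are the reused passwords, which is why a password reset and MFA for affected accounts, not just blocking the source, closes the exposure.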
Written by Associated Press

Indicators of Compromise

  • attack technique — credential stuffing

Entities

  • 23andMe (vendor)
  • Chrome Holding Co. (vendor)
  • MyHeritage (vendor)