2026-05-29 BleepingComputer

California AG Sues 23andMe Over 2023 Data Breach Exposing 7M Customers

Data Breach, Privacy, Regulation

California Attorney General Rob Bonta has filed a lawsuit against 23andMe (now Chrome Holding Co.) for failing to protect sensitive customer genetic and personal information during a 2023 data breach that exposed data belonging to nearly 7 million customers nationwide, including 855,541 Californians. The breach occurred after threat actors leveraged a credential-stuffing attack against accounts with weak or reused passwords, exploiting the company's DNA Relatives feature to exfiltrate genetic data, health predisposition information, ancestry records, and biological relationship data. The incident came to light in October 2023 when attackers began selling stolen records on dark web forums and leaked data samples to demonstrate authenticity. Investigators later discovered that attackers accessed a second, significantly larger set of accounts beyond those using the DNA Relatives feature, totaling approximately 6.9 million affected customers.
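Two defender-side checks implied by the attack chain above, written here as an added example (not code from the article, from BleepingComputer or from 23andMe): flagging a credential-stuffing source in authentication logs, and measuring how a handful of compromised opt-in accounts expose the relatives they are linked to. The log lines, usernames, IPs and relatives graph are constructed sample data; the thresholds are assumptions, not the company's settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: "timestamp ip username outcome"
AUTH_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:03 203.0.113.7 carol OK
2023-10-01T10:00:04 203.0.113.7 dave FAIL
2023-10-01T10:00:05 203.0.113.7 erin FAIL
2023-10-01T10:00:06 203.0.113.7 frank OK
2023-10-01T10:05:00 198.51.100.9 alice FAIL
2023-10-01T10:05:30 198.51.100.9 alice OK
"""

def detect_credential_stuffing(log, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many *distinct* usernames within one window
    with a low success rate (assumed thresholds). A real user retrying one
    account (198.51.100.9) is not flagged; a spray across accounts is.
    Returns {ip: [accounts the source actually logged into]}."""
    per_ip = defaultdict(list)
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        per_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            successes = {u for _, u, ok in in_win if ok}
            if len(users) >= min_users and len(successes) / len(users) <= max_success_rate:
                flagged[ip] = sorted(successes)
                break
    return flagged

# Constructed opt-in graph modelling a relatives feature: user -> relatives
# whose profile data that user is allowed to view.
RELATIVES = {
    "carol": {"gina", "hank"}, "frank": {"hank", "ivy", "jon"},
    "gina": {"carol"}, "hank": {"carol", "frank"}, "ivy": {"frank"}, "jon": {"frank"},
}

def exposed_via_relatives(compromised, graph):
    """Each compromised opt-in account exposes every relative it can view, so the
    blast radius is the union of neighbours, not the count of cracked logins."""
    exposed = set()
    for user in compromised:
        exposed |= graph.get(user, set())
    return exposed - set(compromised)
```

Monitoring the distinct-username rate per source and the volume of relative-profile reads per account are the two signals a defender would alert on here; neither depends on the attacker's passwords being strong or weak.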

The lawsuit alleges that 23andMe failed to implement reasonable safeguards against credential-stuffing attacks, missed multiple opportunities to detect the intrusion, and neglected to address a coding vulnerability in the DNA Relatives feature that facilitated widespread data exfiltration. Beyond technical failures, the Attorney General cites misleading public statements made before and after the breach. Prior to the incident, 23andMe claimed its security met high industry standards. After the breach became public, the company attempted to downplay its severity, suggesting exposed data was largely public information, while blaming customers for password reuse and asserting that its systems had not been breached.

The complaint accuses 23andMe of violating multiple California state laws, including the California Genetic Information Privacy Act, California Reasonable Data Security Law, California Consumer Privacy Act (CCPA), False Advertising Law, and Unfair Competition Law. The Attorney General seeks an injunction to prevent further violations and statutory penalties ranging from $1,000 to $7,500 per violation. The company already faces multiple lawsuits and multi-million-dollar fines from national data protection authorities, ultimately leading to bankruptcy proceedings. Users concerned about their personal data exposure can check if their information was compromised using hackmyip.com's email breach checker and should immediately review password security practices with a password strength checker. For comprehensive privacy protection, individuals should conduct a privacy checkup to identify and address potential vulnerabilities across their digital footprint.

Source: BleepingComputer
