California Sues 23andMe Over 2023 Data Breach, Exposing Millions of Users

Attorney General Rob Bonta alleges the genetic testing company failed to implement reasonable safeguards, leading to a massive leak of sensitive customer information.

By Byte-Pulse Newsroom·AI-augmented editorial system·May 29, 2026·3 min read
Serhat Er — Founder & Editor-in-ChiefEdited bySerhat Er·Founder & Editor-in-Chief
Updated Jun 13, 2026
California Sues 23andMe Over 2023 Data Breach, Exposing Millions of Users
Byte-Pulse original cover. Source story: BleepingComputer.

California's top prosecutor is suing 23andMe, the popular genetic testing service, over its handling of a massive data breach that exposed the sensitive information of millions of users. Attorney General Rob Bonta announced the lawsuit, alleging that the company, now operating as Chrome Holding Co., failed to implement adequate security measures, ultimately leading to the exposure of genetic data, health predispositions, and personal details for approximately 6.9 million customers.

The breach came to light in October 2023 when malicious actors began offering stolen data for sale on the dark web. 23andMe confirmed the authenticity of the leaked information, attributing the incident to a credential-stuffing attack that exploited weak passwords on user accounts. The attackers were able to access data from users who utilized the platform's 'DNA Relatives' feature, and subsequently gained access to a much larger pool of accounts that did not use this specific function.

Security Failures and Misleading Statements

Bonta's lawsuit specifically targets 23andMe's alleged failure to protect against credential-stuffing attacks. The complaint states that the company missed multiple opportunities to detect the intrusion and did not address a coding error within the 'DNA Relatives' feature that contributed to the widespread breach. Beyond the security lapses, the Attorney General also highlighted what he described as misleading public statements made by 23andMe both before and after the incident. The company reportedly claimed high security standards prior to the breach, and later attempted to minimize the severity of the leak by suggesting the exposed data was largely public and that its systems themselves were not compromised.

These alleged actions are said to have violated several California laws, including the Genetic Information Privacy Act, the Reasonable Data Security Law, the Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law. The lawsuit seeks an injunction to prevent future violations and is pursuing statutory penalties ranging from $1,000 to $7,500 per violation.

A Wave of Scrutiny and Financial Trouble

This legal action from California adds to a growing list of challenges faced by 23andMe. By the end of 2023, the company was already entangled in multiple lawsuits stemming from the breach. Early in 2024, national data protection authorities initiated investigations that resulted in significant fines, a turn of events that ultimately led 23andMe to file for bankruptcy. The current lawsuit highlights the significant risks associated with handling vast amounts of sensitive personal and genetic data, especially in the face of evolving cybersecurity threats.

The Attorney General argues that 23andMe's failure to implement reasonable safeguards directly led to the exposure of highly sensitive genetic and personal information for millions of users.

Context:

The European Union has been at the forefront of data privacy regulation with the General Data Protection Regulation (GDPR), which imposes strict rules on how companies collect, process, and store personal data, including sensitive information like genetic data. While 23andMe is a US-based company, such breaches often draw international attention and can influence regulatory approaches globally. The company's bankruptcy filing also underscores the precarious financial position many tech companies can find themselves in when facing significant data security failures and subsequent legal liabilities.

What this means for you:

If you are a 23andMe customer, this lawsuit is another reminder of the importance of data security and the potential legal ramifications when companies fail to protect your information. The penalties sought could impact 23andMe's restructuring efforts. You should remain vigilant about any potential identity theft or misuse of your personal and genetic data. Keep an eye on updates regarding the bankruptcy proceedings and any potential impact on your data rights.

What's still unclear:

  • The exact amount of financial penalty 23andMe might face, beyond the statutory ranges cited.
  • Whether the bankruptcy proceedings will affect the outcome or enforcement of this specific lawsuit.
  • The extent to which 23andMe's security protocols have been fundamentally altered post-breach and post-bankruptcy filing.

Why this matters:

California sues 23andMe over massive data leak, adding legal pressure amid bankruptcy. This lawsuit amplifies the regulatory and legal scrutiny on 23andMe following a significant data breach, potentially impacting its recovery and setting a precedent for how companies handling sensitive genetic data are held accountable for security failures.

Discuss this story

Got a take, a correction, or a follow-up tip? Reply where you read — we read everything.

Found an error? File a correction at /corrections. Substantive corrections are logged publicly.

#23andme#data breach#security#california#privacy#genetic data
Get the 5 tech stories worth your time — 3× a week

One short email. The most important Security news, fact-checked, no fluff. Free, unsubscribe anytime.

More from Security

About the author
AI-augmented editorial system

The Byte-Pulse Newsroom is the editorial system that produces Byte-Pulse's daily tech news coverage. Each story is cross-referenced across 3+ independent outlets, drafted with AI assistance by the newsroom system (Drafter → Editor → Fact-Checker → Polisher), and reviewed by Serhat Er, Editor-in-Chief, before publication. We disclose AI augmentation openly. Editorial accountability stays with the named editor on every article. Tips: editorial@byte-pulse.net.

HardwareAIGamingMobileSecurity
Editorially reviewed on . Spotted an error? Tell us.
From other sections

Don’t miss these

Anker Balkonkraftwerk Deal: Beyond the €977 Price Tag
⚙️ Hardware

Anker Balkonkraftwerk Deal: Beyond the €977 Price Tag

A new Golem-exclusive deal offers a 1.92 kWp Balkonkraftwerk with Anker SOLIX storage for 977 Euro. We cut through the hype to assess its true worth.

By Byte-Pulse Newsroom·2 days ago·7 min0
Blau's €9.99 Xiaomi Bundle: Strategic Play or Consumer Trap?
📱 Mobile

Blau's €9.99 Xiaomi Bundle: Strategic Play or Consumer Trap?

Blau's new bundle offers a Xiaomi smartphone and smartwatch with 40GB data for €9.99/month. We examine the details and long-term implications of this deal.

By Byte-Pulse Newsroom·4 days ago·4 min
Fidji Simo's Health-Driven Exit Tests OpenAI's C-Suite Resilience Amid IPO Plans
🤖 AI

Fidji Simo's Health-Driven Exit Tests OpenAI's C-Suite Resilience Amid IPO Plans

Fidji Simo, a crucial figure in OpenAI's product and business operations, departs due to illness, raising questions about leadership depth ahead of a planned IPO.

By Byte-Pulse Newsroom·4 days ago·8 min0
Black Flag Resynced: A Technical Marvel That Loses Its Assassin's Heart
🎮 Gaming

Black Flag Resynced: A Technical Marvel That Loses Its Assassin's Heart

Byte-Pulse investigates if Assassin's Creed Black Flag Resynced is a true remake or a cynical cash grab

By Byte-Pulse Newsroom·5 days ago·4 min
🚗 EV & Auto

Tesla Model 3 vs Polestar 2: Choosing Your Next EV Wisely

A balanced breakdown of Tesla Model 3 and Polestar 2. Compare specs, performance, design, and more to find the right EV for you.

By Serhat Er·Jun 26, 2026·6 min0
Eneloop AAA Deal: Rechargeable Batteries Hit Lowest Price, Boosting Long-Term Value Argument
⚙️ Hardware

Eneloop AAA Deal: Rechargeable Batteries Hit Lowest Price, Boosting Long-Term Value Argument

Byte-Pulse examines the latest Eneloop AAA battery deal, highlighting its long-term economic and environmental benefits compared to standard alkaline options.

By Byte-Pulse Newsroom·Jul 06, 2026·5 min0
Cookies & ads

We fund this site through ads (Google AdSense and others) and use analytics to see what works. Both may set cookies. You decide what is OK — your choice is remembered.

Details in our Privacy Policy.