California Sues 23andMe Over 2023 Data Breach, Exposing Millions of Users
Attorney General Rob Bonta alleges the genetic testing company failed to implement reasonable safeguards, leading to a massive leak of sensitive customer information.
California's top prosecutor is suing 23andMe, the popular genetic testing service, over its handling of a massive data breach that exposed the sensitive information of millions of users. Attorney General Rob Bonta announced the lawsuit, alleging that the company, now operating as Chrome Holding Co., failed to implement adequate security measures, ultimately leading to the exposure of genetic data, health predispositions, and personal details for approximately 6.9 million customers.
The breach came to light in October 2023 when malicious actors began offering stolen data for sale on the dark web. 23andMe confirmed the authenticity of the leaked information, attributing the incident to a credential-stuffing attack that exploited weak passwords on user accounts. The attackers were able to access data from users who utilized the platform's 'DNA Relatives' feature, and subsequently gained access to a much larger pool of accounts that did not use this specific function.
Security Failures and Misleading Statements
Bonta's lawsuit specifically targets 23andMe's alleged failure to protect against credential-stuffing attacks. The complaint states that the company missed multiple opportunities to detect the intrusion and did not address a coding error within the 'DNA Relatives' feature that contributed to the widespread breach. Beyond the security lapses, the Attorney General also highlighted what he described as misleading public statements made by 23andMe both before and after the incident. The company reportedly claimed high security standards prior to the breach, and later attempted to minimize the severity of the leak by suggesting the exposed data was largely public and that its systems themselves were not compromised.
These alleged actions are said to have violated several California laws, including the Genetic Information Privacy Act, the Reasonable Data Security Law, the Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law. The lawsuit seeks an injunction to prevent future violations and is pursuing statutory penalties ranging from $1,000 to $7,500 per violation.
A Wave of Scrutiny and Financial Trouble
This legal action from California adds to a growing list of challenges faced by 23andMe. By the end of 2023, the company was already entangled in multiple lawsuits stemming from the breach. Early in 2024, national data protection authorities initiated investigations that resulted in significant fines, a turn of events that ultimately led 23andMe to file for bankruptcy. The current lawsuit highlights the significant risks associated with handling vast amounts of sensitive personal and genetic data, especially in the face of evolving cybersecurity threats.
The Attorney General argues that 23andMe's failure to implement reasonable safeguards directly led to the exposure of highly sensitive genetic and personal information for millions of users.
Context:
The European Union has been at the forefront of data privacy regulation with the General Data Protection Regulation (GDPR), which imposes strict rules on how companies collect, process, and store personal data, including sensitive information like genetic data. While 23andMe is a US-based company, such breaches often draw international attention and can influence regulatory approaches globally. The company's bankruptcy filing also underscores the precarious financial position many tech companies can find themselves in when facing significant data security failures and subsequent legal liabilities.
What this means for you:
If you are a 23andMe customer, this lawsuit is another reminder of the importance of data security and the potential legal ramifications when companies fail to protect your information. The penalties sought could impact 23andMe's restructuring efforts. You should remain vigilant about any potential identity theft or misuse of your personal and genetic data. Keep an eye on updates regarding the bankruptcy proceedings and any potential impact on your data rights.
What's still unclear:
- The exact amount of financial penalty 23andMe might face, beyond the statutory ranges cited.
- Whether the bankruptcy proceedings will affect the outcome or enforcement of this specific lawsuit.
- The extent to which 23andMe's security protocols have been fundamentally altered post-breach and post-bankruptcy filing.
Why this matters:
California sues 23andMe over massive data leak, adding legal pressure amid bankruptcy. This lawsuit amplifies the regulatory and legal scrutiny on 23andMe following a significant data breach, potentially impacting its recovery and setting a precedent for how companies handling sensitive genetic data are held accountable for security failures.
Discuss this story
Got a take, a correction, or a follow-up tip? Reply where you read — we read everything.
Found an error? File a correction at /corrections. Substantive corrections are logged publicly.
One short email. The most important Security news, fact-checked, no fluff. Free, unsubscribe anytime.
More from Security

Apple's Rare Third macOS RC: Unpacking Security Concerns
Byte-Pulse explores the implications of Apple's unusual third Release Candidate for macOS updates, examining the severity of unannounced security fixes and their impact on European users

Google’s Legal Battle Against AI-Driven Cybercrime: Examining Outsider Enterprise
Google's lawsuit against Outsider Enterprise exposes differences in victim counts and sheds light on AI's role in cybercrime.

iOS 26.5 Update Addresses Over 50 Security Vulnerabilities—Update Now
Apple's iOS 26.5 fixes over 50 security flaws. Update your iPhone now to stay secure.

Malware Disguised as OpenAI Found on Hugging Face
A fake OpenAI repo on Hugging Face pushed malware disguised as AI tools, targeting Windows users with info-stealing tactics.
The Byte-Pulse Newsroom is the editorial system that produces Byte-Pulse's daily tech news coverage. Each story is cross-referenced across 3+ independent outlets, drafted with AI assistance by the newsroom system (Drafter → Editor → Fact-Checker → Polisher), and reviewed by Serhat Er, Editor-in-Chief, before publication. We disclose AI augmentation openly. Editorial accountability stays with the named editor on every article. Tips: editorial@byte-pulse.net.
Don’t miss these

Anker Balkonkraftwerk Deal: Beyond the €977 Price Tag
A new Golem-exclusive deal offers a 1.92 kWp Balkonkraftwerk with Anker SOLIX storage for 977 Euro. We cut through the hype to assess its true worth.

Blau's €9.99 Xiaomi Bundle: Strategic Play or Consumer Trap?
Blau's new bundle offers a Xiaomi smartphone and smartwatch with 40GB data for €9.99/month. We examine the details and long-term implications of this deal.

Fidji Simo's Health-Driven Exit Tests OpenAI's C-Suite Resilience Amid IPO Plans
Fidji Simo, a crucial figure in OpenAI's product and business operations, departs due to illness, raising questions about leadership depth ahead of a planned IPO.

Black Flag Resynced: A Technical Marvel That Loses Its Assassin's Heart
Byte-Pulse investigates if Assassin's Creed Black Flag Resynced is a true remake or a cynical cash grab
Tesla Model 3 vs Polestar 2: Choosing Your Next EV Wisely
A balanced breakdown of Tesla Model 3 and Polestar 2. Compare specs, performance, design, and more to find the right EV for you.

Eneloop AAA Deal: Rechargeable Batteries Hit Lowest Price, Boosting Long-Term Value Argument
Byte-Pulse examines the latest Eneloop AAA battery deal, highlighting its long-term economic and environmental benefits compared to standard alkaline options.