California AG sues 23andMe over 2023 breach exposing health data

California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company’s failure to protect sensitive customer genetic and personal information.

Improper security led to a high-profile data breach in 2023 that exposed the sensitive information of nearly 7 million customers, including 855,541 Californians.

The incident came to light that year in October, after threat actors offered to sell a large number of records stolen from 23andMe, and leaked data samples (and later larger parts of the dataset) to prove the authenticity of the information.

The California-based company confirmed that the leaked data was genuine and claimed that it had been extracted following a credential-stuffing attack targeting accounts with weak credentials.

Soon, it became clear that the attackers had exfiltrated data from users opting into the platform's 'DNA Relatives' feature, and then accessed a second, much larger set of accounts that didn’t use the feature.