The breach was a credential-stuffing attack against 23andMe's "DNA Relatives" feature, where threat actors exploited weak user credentials to initially access accounts, subsequently compromising a dataset of nearly 7 million users. The California Attorney General's lawsuit alleges the company failed to implement adequate security safeguards, missed intrusion detection opportunities, and had a coding error in the feature that facilitated the breach. No specific technical details regarding CVSS scores, affected software versions, patches, or workarounds are provided in the article.
Breach California sues 23andMe over 2023 data breach June 1, 2026 Share By SC Staff (Adobe Stock) California Attorney General Rob Bonta has filed a lawsuit against 23andMe, now known as Chrome Holding Co., alleging failures to protect sensitive customer genetic and personal information. This action follows a significant data breach in 2023 that exposed the data of nearly 7 million individuals, including over 850,000 Californians, with further coverage provided by Bleeping Computer. The lawsuit stems from a credential-stuffing attack in October 2023, where threat actors exploited weak user credentials to access accounts. Initially targeting users of the "DNA Relatives" feature, the attackers subsequently gained access to a much larger dataset. In total, approximately 6.9 million customers had their genetic data, health predispositions, ancestry information, and DNA matches compromised. The California Attorney General's complaint asserts that 23andMe failed to implement adequate security safeguards, missed opportunities to detect the intrusion, and had a coding error in its "DNA Relatives" feature that facilitated the breach. The suit also cites misleading public statements made by the company before and after the incident. These alleged violations of state laws, including the California Genetic Information Privacy Act and CCPA, could result in penalties of $1,000 to $7,500 per violation. The company had previously faced multiple lawsuits and multi-million dollar fines from national data protection authorities, leading to its bankruptcy filing. Source: Bleeping Computer SC Staff Related Breach Man arrested in Netherlands for hacking Ajax football club SC Staff May 28, 2026 The suspect, apprehended in Buren, is believed to have repeatedly accessed Ajax's computer systems without authorization earlier this year. Breach ShinyHunters extorts Charter Communications after data breach SC Staff May 26, 2026 The incident came to light after Charter was listed on ShinyHunters' data leak site, where the group claimed to have stolen 40 million records. Breach The Oncology Institute reports patient data potentially exposed in third-party vendor breach SC Staff May 26, 2026 The Oncology Institute disclosed on May 20, 2026, that Kroll, a third-party administrator for an unnamed vendor, detected unauthorized access to systems that may have affected patient data. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Attack Vector You can skip this ad in 5 seconds