
California sues 23andMe over massive 2023 data breach

At a glance:

  • California's attorney general files lawsuit against 23andMe over 2023 data breach affecting nearly 7 million users
  • Cybercriminals used credential-stuffing attack to access genetic data for over five months undetected
  • Stolen data of users with Chinese or Ashkenazi Jewish ancestry posted for sale on dark web

The lawsuit marks a significant escalation in legal consequences for 23andMe following one of the most severe data breaches in the consumer genetics sector. California Attorney General Rob Bonta filed the complaint in San Francisco Superior Court on Thursday, accusing the company of failing to investigate or respond to warnings that its systems had been compromised.

The breach, which occurred in 2023, involved a credential-stuffing attack in which hackers used stolen usernames and passwords from unrelated breaches to gain access to 23andMe's systems. According to the complaint, the intruders operated undetected for over five months, and the company began investigating only after the stolen data appeared for sale on the dark web and hackers contacted 23andMe demanding a ransom.

The stolen data included the ancestry and genetic information of more than 6.9 million people, with specific targeting of customers who identified as having Chinese or Ashkenazi Jewish ancestry. The compromised data of over 1 million users from these groups was later posted for sale on the dark web, raising concerns about identity theft and discrimination.

Attorney General Bonta emphasized the dangerous timing and implications of the breach, noting that the data was sold during a period of increasing anti-Asian American and Pacific Islander and antisemitic hate and violence. "This is disturbing and incredibly dangerous," Bonta said in a press release, highlighting the intersection of cybersecurity failures and social harm.

The lawsuit follows a January 2024 settlement in which 23andMe agreed to pay $30 million to resolve claims that it failed to adequately protect customers and notify those specifically targeted.

At its peak, 23andMe became the dominant name in DNA self-testing, selling kits for over $99 that provided ancestry insights and relative matching. The company's prominence declined after its $3.5 billion public offering in 2021, and it later filed for bankruptcy in 2025. TTAM Research Institute, led by cofounder Anne Wojcicki, acquired 23andMe's assets for $305 million last July.

The case underscores growing concerns about the security of sensitive genetic data and the responsibility of companies handling such information. 23andMe representatives did not immediately respond to requests for comment on the lawsuit.

Editorial SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for readers.

FAQ

How did the 2023 23andMe data breach occur?

The breach was executed through a credential-stuffing attack, in which cybercriminals used stolen usernames and passwords from unrelated breaches to access 23andMe's systems. The attackers operated undetected for over five months, and the company investigated only after the stolen data appeared for sale on the dark web and hackers contacted 23andMe demanding a ransom.

Which users were specifically affected by the breach?

The breach exposed data of over 6.9 million people, with specific targeting of customers who identified as having Chinese or Ashkenazi Jewish ancestry. The compromised data of over 1 million users from these groups was later posted for sale on the dark web, raising concerns about identity theft and discrimination.

What legal consequences has 23andMe faced following the breach?

California's attorney general filed a lawsuit in San Francisco Superior Court, accusing 23andMe of failing to investigate or respond to warnings about compromised systems. This follows a previous January 2024 settlement in which 23andMe paid $30 million to resolve claims about inadequate customer protection and notification failures.
