California Sues 23andMe Over Genetic Data Breach and Alleged Security Failures
California Attorney General Rob Bonta has sued 23andMe over its 2023 breach, alleging the DNA testing company failed to implement reasonable safeguards for highly sensitive customer data and misled consumers about the incident. State investigators said attackers used a credential-stuffing campaign against roughly 14,000 accounts over about five months, ultimately exposing the personal and genetic information of 6.9 million people, including 855,541 California residents. The compromised data reportedly included genetic predispositions, health risk factors, ancestry, ethnicity, and biological-relative information.
The complaint alleges 23andMe failed to defend against a well-known attack technique, overlooked warning signs such as spikes in login attempts and public discussion of the breach, and left additional weaknesses in its DNA Relatives feature. Bonta also said the stolen data was later advertised for sale on the dark web with references to Asian American Pacific Islander and Jewish users, heightening concerns about targeted harm. The lawsuit follows a class-action settlement approved in January 2026 for up to $50 million, and comes as California separately challenges the sale of consumers’ genetic data and biological samples in 23andMe’s bankruptcy case.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
23andMe class action settlement receives final approval
A class action settlement over the breach, previously increased from an initial $30 million agreement to as much as $50 million, received final judicial approval in January 2026.
California AG sues 23andMe over the 2023 data breach
California Attorney General Rob Bonta filed suit against 23andMe, alleging violations of California privacy, data security, and consumer protection laws tied to the 2023 breach. The complaint says the company failed to implement reasonable protections and misled consumers about the severity and nature of the incident.
Stolen 23andMe data is advertised and sold on the dark web
After the breach, threat actors sold the stolen 23andMe data on the dark web. The data was advertised as including information on Asian American Pacific Islander and Jewish users, heightening concerns about targeted harm.
23andMe breach exposes data from 6.9 million people
In 2023, attackers used credential stuffing to gain unauthorized access to about 14,000 23andMe accounts over roughly five months. Through the company's DNA Relatives feature, the incident exposed personal and genetic information affecting about 6.9 million people, including 855,541 California residents.
UK ICO fines 23andMe £2.31 million over genetic data breach
The UK Information Commissioner's Office fined 23andMe £2.31 million for failing to protect UK users' genetic data in connection with the 2023 breach. This adds a separate UK regulatory enforcement action beyond the previously documented California lawsuit and class action settlement.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
14 references tracked. Mallory keeps watching after this page renders.
23andMe exposed genetic information of millions, lawsuit says - Malware News - Malware Analysis, News and Indicators
malware.news
Open source23andMe exposed genetic information of millions, lawsuit says | Malwarebytes
malwarebytes.com
Open sourceCalifornia sues 23andMe over 2023 data breach | brief | SC Media
scworld.com
Open sourceCalifornia AG Files Lawsuit Over 23andMe Data Breach
hipaajournal.com
Open sourceAddressing Data Security Concerns - Action Plan - 23andMe Blog
blog.23andme.com
Open sourceICO fines 23andMe £2.31 million for failing to protect UK users’ genetic data
ico-newsroom.prgloo.com
Open sourceOag Ca
oag.ca.gov
Open sourceUnclassified
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
23andMe Settles for $16.5M in Unused Cyber Insurance Amid Bankruptcy
23andMe, now operating as Chrome Holding, has secured a $16.5 million settlement from its cyber insurers as part of its Chapter 11 bankruptcy proceedings. The agreement involves the insurers buying back unused cyber insurance coverage, with the funds earmarked to pay creditors whose claims are covered by the company's cyber policies, including those related to ongoing cyberattack litigation. The settlement also stipulates that Chrome will indemnify the insurers for claims up to the settlement amount and release them from further obligations related to the policies. The bankruptcy court approved the settlement, which is part of a broader restructuring that included the sale of 23andMe's Personal Genome Service and Research Services business lines to TTAM Research Institute for $305 million. Under TTAM's ownership, 23andMe continues to provide DNA health and ancestry testing services. The settlement provides a mechanism for addressing outstanding cyber-related claims as the company navigates its financial and legal challenges.
Mar 21, 2026
California Privacy Regulator Fines and Bans DataMasters for Unregistered Sale of Sensitive Personal Data
California’s **Privacy Protection Agency (CalPrivacy)** announced a settlement action against Texas-based **Rickenbacher Data (doing business as DataMasters)**, fining the company and **banning it from selling Californians’ personal information** as part of a broader enforcement crackdown on data brokers. The action was brought by the agency’s enforcement division and its **Data Broker Enforcement Strike Force**, following CalPrivacy’s stated intent to increase investigations into data broker privacy violations. Regulators said DataMasters traded in data tied to **sensitive health conditions**—including lists associated with **Alzheimer’s disease, drug addiction, and bladder incontinence**—and also bought and sold lists segmented by demographics and inferred attributes such as **“Seniors,” “Hispanic,” political affiliation, grocery purchases, banking activity, and health-related purchases** for targeted advertising. CalPrivacy stated the company conducted these activities in **2024 without registering with the California Data Broker Registry**, a requirement under California’s data broker rules.
Mar 21, 2026
General Motors Settles California Case Over Sale of Driver Location Data
General Motors agreed to pay **$12.75 million** to settle California allegations that it collected, retained, and sold drivers’ geolocation, driving behavior, and other personal data without proper knowledge or consent, in violation of the **California Consumer Privacy Act (CCPA)**. Prosecutors said GM used data gathered through its **OnStar** service and sold it to **LexisNexis Risk Solutions** and **Verisk Analytics**, which sought to use the information in driver-rating products for insurers; California said GM made about **$20 million nationwide** from the sales. Under the proposed settlement, GM must stop selling driving data to consumer reporting agencies for **five years**, delete retained driving data within **180 days** unless consumers provide affirmative express consent for limited internal uses, and ask LexisNexis and Verisk to delete data they previously received. The agreement, which still requires court approval, also requires GM to establish and maintain a privacy program tied to OnStar data collection and provide privacy assessments to California authorities; officials described the penalty as the **largest CCPA fine to date**.
May 12, 2026