23andMe Failed to Stop Months-Long Hack, State Alleges
Data Breach TodayArchived May 30, 2026✓ Full text saved
Calif. Lawsuit: Genetics Testing Firm Missed Red Flags Before Massive 2023 Breach Hackers in 2023 went undetected for five months in genetics testing firm 23andMe's IT systems, despite multiple unheeded warning signs, alleges California's attorney general in a lawsuit. Hackers in late April 2023 began accessing 23andMe’s systems by using compromised credentials.
Full text archived locally
✦ AI Summary· Claude Sonnet
Data Privacy , Data Security , Litigation
23andMe Failed to Stop Months-Long Hack, State Alleges
Calif. Lawsuit: Genetics Testing Firm Missed Red Flags Before Massive 2023 Breach
Marianne Kolbasuk McGee (HealthInfoSec) • May 29, 2026
Share Post Share
Credit Eligible
Get Permission
Image: Shutterstock
Hackers in 2023 went undetected for five months in genetics testing firm 23andMe's IT systems, despite multiple unheeded warning signs, alleges California's attorney general in a lawsuit. The data of nearly 7 million users ended up exposed.
See Also: OnDemand | Protect and Govern Sensitive Data
The lawsuit, filed on Wednesday in state court against Chrome Holding - 23andMe's rebranded name after filing for bankruptcy in March 2025 - seeks injunctive relief and potentially millions of dollars in fines for alleged violations of California consumer, privacy and business practice laws.
The 2023 credential stuffing hack affected about 6.9 million consumers nationwide, including almost 856,000 Californians, the lawsuit said (see: 23andMe Investigating Apparent Credential Stuffing Hack).
The state's investigation into the breach determined that hackers in late April 2023 began accessing 23andMe’s systems by using compromised credentials to compile customer data from individual 23andMe accounts without authorization.
By July, the firm's systems recorded a "a suspicious spike in user login attempts that involved over 1 million successful user logins to the same customer account throughout a single day and an actor making 1,300 login requests per minute from a single IP address," the complaint said.
Such an unusual surge should have been a red flag, California prosecutors wrote. "Yet 23andMe failed to take action to protect its users and their data."
The hackers also exploited "a critical coding error" in 23andMe’s DNA Relatives opt-in feature that allows DNA-related 23andMe users to see lists of other participating customers to which they are biologically related. That exploitation gave hackers access to information including ethnicity "and how - both qualitatively and quantitatively - the customers were genetically related," the lawsuit alleged.
"Despite multiple warnings that its systems had been compromised, 23andMe did not take any remedial action, implement any new security measures, such as a mandatory password reset, or notify consumers of the breach at that time."
23andMe only began investigating the incident after hackers demanded a ransom and touted for sale on the dark web a trove of about 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users, the lawsuit said.
23andMe publicly acknowledged the data breach on Oct. 6, 2023, when it published a statement saying it had discovered "suspicious activity" in certain 23andMe customer accounts.
California Attorney General Rob Bonta criticized the company for misleading consumers by having touted its cybersecurity practices, calling its lack of candor legally actionable.
California's lawsuit is 23andMe's latest legal trouble in a long list of other government and civil litigation involving the hack.
The U.K. Information Commissioner's Office and the Office of the Privacy Commissioner of Canada last year imposed a 2.31 million pound fine - or about $3.1 million against 23andMe for "serious" privacy violations tied to the company's data leak (see: ICO Imposes 2.31 Million Pound Fine on 23andMe).
The company in 2024 also agreed to pay a $30 million settlement to resolve about 40 consolidated civil class action lawsuits in the U.S. related to the 2023 hack (see: 23andMe to Pay $30M for Credential Stuffing Hack Settlement).