California Attorney General Sues 23andMe Over Data Breach

Why this matters: This lawsuit highlights the critical importance of data protection, especially for companies handling sensitive genetic information. It underscores the potential consequences of failing to implement adequate security measures and protect user data from cyberattacks.

In May 2026, California Attorney General Rob Bonta sued 23andMe, a well-known genetic testing company, for allegedly failing to protect user data during a significant data breach in 2023. The breach impacted nearly 7 million people, including over 850,000 Californians. The lawsuit, filed in San Francisco Superior Court, accuses 23andMe of negligence and misleading consumers about the severity of the breach.

The complaint details how hackers exploited weak passwords through a technique called "credential stuffing" to access user accounts. The attackers were able to operate within 23andMe's systems for approximately five months before being detected. During this time, they accessed and stole sensitive data, including raw genetic information, health reports, and ancestry details. This information was subsequently offered for sale on the dark web.

The lawsuit also alleges that 23andMe was aware of suspicious activity, such as a spike in user login attempts, as early as July 2023 but failed to take appropriate action. Furthermore, the company is accused of downplaying the severity of the breach in its communications with consumers.

This legal action follows 23andMe's bankruptcy filing in March 2025 and its subsequent acquisition by TTAM Research Institute, a nonprofit led by former CEO Anne Wojcicki. The lawsuit names Chrome Holding Co., a subsidiary of TTAM, as the defendant.

The lawsuit seeks civil penalties against 23andMe and injunctions to prevent future violations of California's privacy protection laws. It also highlights the importance of robust security measures for companies handling sensitive genetic data.

The data breach involved hackers accessing approximately 7 million 23andMe user accounts and stealing sensitive information, including genetic data and health reports.

Credential stuffing is a cyberattack technique that involves using stolen usernames and passwords from other breaches to gain unauthorized access to user accounts on different platforms.

23andMe is accused of failing to adequately protect user data, neglecting to investigate early warning signs of a breach, and misleading consumers about the severity of the incident.

Do you think genetic testing companies should be held to a higher standard of data protection? Share your thoughts in the comments below!

Share this article with others who need to stay ahead of this trend!