California Lawsuit: Genetics Testing Firm Ignored Red Flags Prior to Major Data Breach

In 2023, a substantial cybersecurity breach at the genetics testing company 23andMe resulted in a data exposure incident affecting nearly 7 million users. The California Attorney General has pointed to numerous warning signs that went unheeded by the firm, claiming this negligence enabled hackers to infiltrate 23andMe’s IT systems undetected for an extended period of five months. The allegations have led to a lawsuit, with serious implications for the company.
The recently filed lawsuit in California state court targets Chrome Holding, 23andMe’s rebranded name following its bankruptcy filing in March 2025. The legal action seeks not only injunctive relief but also the potential for millions of dollars in fines for purported violations of California’s consumer privacy and business conduct laws. This represents a significant escalation in 23andMe’s ongoing troubles stemming from the breach.
The lawsuit outlines how the credential stuffing attack that occurred in 2023 impacted around 6.9 million consumers across the United States, including nearly 856,000 Californians. The investigation uncovered that hackers began accessing 23andMe’s systems in late April 2023 by using stolen credentials. They compiled sensitive customer data without authorization, leading to severe privacy concerns.
By July, sharp spikes in user login activity were recorded, with reports highlighting over one million successful logins to individual customer accounts within a single day. Additionally, login requests were being made at a rate of 1,300 per minute from a single IP address. California prosecutors characterized these anomalies as critical red flags and noted 23andMe’s apparent failure to act to safeguard user data.
Compounding matters, hackers allegedly exploited a “critical coding error” within 23andMe’s DNA Relatives feature. This component is designed to allow users to identify biological relations among other customers. The vulnerability opened the door for unauthorized access to sensitive information, including ethnicity and genetic relationships among users, exacerbating the severity of the breach.
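The two anomalies cited above (a single IP sending logins at an extreme rate, and a day whose successful-login count far exceeds normal) are exactly the kind of signal an authentication-log monitor should surface. The following is an added illustration, not code from the article or from 23andMe: it parses constructed sample log lines in an assumed `timestamp ip= user= result=` format and flags high per-minute request rates, IPs that touch many distinct accounts, and days with a successful-login spike. All thresholds and the log format are assumptions.

```python
"""
Credential-stuffing signals from authentication logs (added example).

Three detections, each a function returning the flagged items:
  * high_rate_ips: one source IP exceeding N login requests per minute
  * ip_account_spread: one source IP trying many distinct accounts
  * successful_login_spike: a day whose successful logins exceed baseline
Log format and thresholds are assumptions for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed log line shape: "2023-07-15T10:00:01Z ip=203.0.113.7 user=cust0001 result=success"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def high_rate_ips(records, per_minute_threshold):
    """Return {(ip, minute_iso): count} for every IP/minute bucket above the threshold."""
    buckets = Counter((r["ip"], r["ts"].replace(second=0)) for r in records)
    return {(ip, minute.isoformat()): c
            for (ip, minute), c in buckets.items() if c > per_minute_threshold}


def ip_account_spread(records, min_distinct_users):
    """Return {ip: distinct_user_count} for IPs that attempt many different accounts."""
    users = defaultdict(set)
    for r in records:
        users[r["ip"]].add(r["user"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_distinct_users}


def successful_login_spike(records, baseline_per_day, factor):
    """Return {day: successes} for days whose successful logins exceed factor * baseline."""
    per_day = Counter(r["ts"].date().isoformat() for r in records if r["result"] == "success")
    return {d: c for d, c in per_day.items() if c > factor * baseline_per_day}


def build_sample_log():
    """Constructed sample traffic: 20 ordinary users plus one IP bursting against 40 accounts."""
    lines = []
    for i in range(20):  # ordinary users, one account each, distinct IPs, spread over an hour
        lines.append(f"2023-07-15T09:{i:02d}:10Z ip=198.51.100.{i + 1} user=cust{i:04d} result=success")
    for i in range(40):  # one source IP, 40 attempts in a single minute, a quarter succeed
        result = "success" if i % 4 == 0 else "failure"
        lines.append(f"2023-07-15T10:00:{i:02d}Z ip=203.0.113.7 user=leak{i:04d} result={result}")
    return "\n".join(lines)


def analyze(text, per_minute_threshold=30, min_distinct_users=10,
            baseline_per_day=20, factor=1.2):
    """Run all three detections over a log text; thresholds are illustrative defaults."""
    records = parse_log(text)
    return {
        "high_rate": high_rate_ips(records, per_minute_threshold),
        "account_spread": ip_account_spread(records, min_distinct_users),
        "success_spike": successful_login_spike(records, baseline_per_day, factor),
    }


if __name__ == "__main__":
    for name, hits in analyze(build_sample_log()).items():
        print(name, hits)
```

In practice the per-day baseline would come from a rolling window rather than a constant, and a hit on any of the three detections should drive an automated response (rate-limiting the source, forcing password resets on the affected accounts) rather than waiting for an external ransom note.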
The regulatory suit raises serious questions about the company’s response — or lack thereof. Prosecutors allege that 23andMe ignored multiple signals indicating its systems had been compromised. The firm did not initiate any remedial measures, such as implementing a mandatory password reset or notifying affected consumers about the breach at the time it was occurring.
It wasn’t until hackers issued ransom demands and promoted the sale of a database comprising around 1.1 million users’ information on the dark web that 23andMe began to take action. Only then did the company conduct an investigation into the security incident. Acknowledgment of the breach came in a public statement posted on October 6, 2023, where 23andMe noted it had identified “suspicious activity” within certain user accounts.
California Attorney General Rob Bonta has criticized 23andMe for misleading consumers regarding its cybersecurity capabilities. He argues that the firm’s lack of transparency and failure to disclose the severity and implications of the breach may constitute a legal violation, raising substantial concerns about corporate accountability in the face of such vulnerabilities.
This lawsuit is just one piece of a larger puzzle for 23andMe, which faces various ongoing legal battles tied to the hack. Additionally, it has not been the only governmental scrutiny faced by the company. In a previous case last year, the U.K. Information Commissioner’s Office imposed a fine of 2.31 million pounds, roughly $3.1 million, for significant privacy violations linked to the data leak.
Moreover, in 2024, 23andMe reached a $30 million settlement to resolve about 40 consolidated civil class action lawsuits initiated in response to the 2023 hack. As 23andMe navigates these legal challenges, the implications for user trust and corporate responsibility in data security come to the forefront of public discourse.