HomeIntelligenceBrief
BREACH BRIEF🔴 Critical Breach

California AG Sues 23andMe Over 2023 Credential‑Stuffing Breach Exposing Data of ~7 Million Users

A credential‑stuffing attack on 23andMe in 2023 led to the exposure of genetic, health, and personal data for nearly 7 million customers. The breach triggered lawsuits, regulatory fines, and a bankruptcy filing, underscoring the critical need for robust third‑party authentication controls.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

California AG Sues 23andMe Over 2023 Breach Exposing Data of ~7 Million Users

What Happened – In 2023, 23andMe (now Chrome Holding Co.) suffered a credential‑stuffing attack that allowed threat actors to exfiltrate genetic, health, and personal data of roughly 6.9 million customers, including 855 k Californians. The breach was publicly disclosed after the attackers offered the data for sale and released samples to prove authenticity.

Why It Matters for TPRM

  • Genetic and health data are among the most sensitive personal information, raising severe privacy and compliance risks for any downstream partners.
  • The incident triggered multi‑state investigations, fines, and a lawsuit by the California Attorney General, highlighting the legal and financial fallout of inadequate security controls.
  • Credential‑stuffing attacks exploit weak authentication practices, a common weakness in third‑party SaaS relationships.

Who Is Affected – Consumer genetics/health testing firms, health‑tech platforms, insurers, research institutions, and any organization that integrates 23andMe data via APIs or data‑sharing agreements.

Recommended Actions

  • Review contracts and data‑processing agreements with 23andMe or any similar consumer‑genomics provider.
  • Verify that strong multi‑factor authentication (MFA) and credential‑hardening controls are enforced for all third‑party accounts.
  • Conduct a data‑flow audit to identify any downstream systems that may have ingested compromised genetic data.

Technical Notes – The breach originated from a credential‑stuffing campaign targeting accounts with weak passwords, compounded by a coding error in the “DNA Relatives” feature that broadened exposure. No specific CVE was cited; the root cause was poor authentication hygiene and insecure application logic. Exfiltrated data included raw DNA files, health‑predisposition scores, ancestry reports, and relational family data. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/california-ag-sues-23andme-over-2023-breach-exposing-health-data/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →