California AG Sues 23andMe Over 2023 Breach Exposing Data of ~7 Million Users
What Happened – In 2023, 23andMe (now Chrome Holding Co.) suffered a credential‑stuffing attack that allowed threat actors to exfiltrate genetic, health, and personal data of roughly 6.9 million customers, including 855 k Californians. The breach was publicly disclosed after the attackers offered the data for sale and released samples to prove authenticity.
Why It Matters for TPRM –
- Genetic and health data are among the most sensitive personal information, raising severe privacy and compliance risks for any downstream partners.
- The incident triggered multi‑state investigations, fines, and a lawsuit by the California Attorney General, highlighting the legal and financial fallout of inadequate security controls.
- Credential‑stuffing attacks exploit weak authentication practices, a common weakness in third‑party SaaS relationships.
Who Is Affected – Consumer genetics/health testing firms, health‑tech platforms, insurers, research institutions, and any organization that integrates 23andMe data via APIs or data‑sharing agreements.
Recommended Actions –
- Review contracts and data‑processing agreements with 23andMe or any similar consumer‑genomics provider.
- Verify that strong multi‑factor authentication (MFA) and credential‑hardening controls are enforced for all third‑party accounts.
- Conduct a data‑flow audit to identify any downstream systems that may have ingested compromised genetic data.
Technical Notes – The breach originated from a credential‑stuffing campaign targeting accounts with weak passwords, compounded by a coding error in the “DNA Relatives” feature that broadened exposure. No specific CVE was cited; the root cause was poor authentication hygiene and insecure application logic. Exfiltrated data included raw DNA files, health‑predisposition scores, ancestry reports, and relational family data. Source: BleepingComputer