California has sued 23andMe, now operating as Chrome Holding Co., alleging the company failed to adequately protect customers’ genetic and account data in the 2023 breach affecting nearly 7 million people. The complaint says attackers used credential stuffing—trying usernames and passwords stolen elsewhere—to access about 14,000 accounts, then scrape broader data through 23andMe’s DNA Relatives features; the state also alleges 23andMe failed to require stronger safeguards such as multifactor authentication, missed warning signs for months, and only acted after stolen data was advertised for sale and ransom demands were made.
Why it matters: This matters because the stolen information included highly sensitive genetic and health-related data, and the lawsuit may shape how companies are expected to protect and handle biometric and genomic records. Affected users should reset reused passwords, enable multifactor authentication where available, and review what personal and relative-sharing data remains in their account.
Bill Toulas
2026.05.29
98% relevant
This is the same underlying event: California's lawsuit over the 2023 23andMe breach. The article adds details on the complaint's allegations, including failure to defend against credential stuffing, missed intrusion-detection opportunities, a DNA Relatives coding error, and claims that 23andMe misled users before and after the breach.
2026.05.29
98% relevant
This article is the same underlying event: California's lawsuit over 23andMe's 2023 breach. It adds that the suit is now directed at Chrome Holding Co., the post-sale successor to 23andMe, and emphasizes allegations that the company downplayed the breach, failed to implement basic safeguards such as stronger MFA adoption, detected the intrusion only after months, and paid a ransom to the attacker.
Associated Press
2026.05.29
100% relevant
This article establishes a trackable new story because it is not just a recap of the 2023 23andMe breach; it is a concrete state legal action alleging specific security failures, privacy-law violations, and mishandling of genetic data tied to that breach.
← Back to all stories