A California lawsuit claims 23andMe failed to protect sensitive DNA data before a major 2023 breach. Here’s what happened, what information was leaked, and why it matters to you.
Table of Contents
What Happened?
According to BBC News, California Attorney General Rob Bonta announced a lawsuit against Chrome Holding, the company that took over 23andMe after its bankruptcy. The lawsuit focuses on a 2023 data breach that affected nearly seven million 23andMe users.
State investigators say 23andMe failed to use basic security protections and later downplayed how serious the breach was. The company has not publicly responded to the lawsuit.
The case follows years of regulatory scrutiny, including a £2.31 million fine from the UK’s Information Commissioner’s Office in 2025.
Who Was Affected and What Data Was Leaked?
The breach affected nearly seven million users of 23andMe. Investigators say attackers accessed highly sensitive information, including:
- Genetic predispositions (health-related genetic traits)
- Disease risk information
- Ancestry details
- Ethnicity information
- Information about biological relatives
Authorities also said stolen data later appeared for sale online and was marketed as belonging to certain groups, including Asian American Pacific Islander and Jewish users.
Data leaks can continue causing problems long after the original incident disappears from headlines. Criminals often use leaked information in phishing emails, identity theft attempts, impersonation scams, and other forms of fraud. Many people do not realize their information was leaked until suspicious activity appears months or even years later.
If you are not sure whether your information was leaked somewhere online, checking regularly can help you spot problems earlier.
With Futureproof, you can quickly check whether your email appeared in known data leaks and get simple steps to secure your account.
How Did the Attack Happen?
Investigators say attackers used a credential stuffing attack (a method where criminals use passwords stolen from older breaches to try logging into other accounts).
This works because many people reuse the same password across multiple websites. If a password was leaked elsewhere, attackers can test it against other services and sometimes gain access.
Regulators in both the UK and Canada later found that 23andMe lacked stronger login protections that could have helped stop these attacks.
Futureproof scans your data for leaks and shows exactly how to close security gaps — before scammers find them first.
Check my safetyWhy Your DNA Data Deserves Extra Protection
Most data breaches involve names, email addresses, or passwords. Genetic information is different because it cannot be changed like a password.
DNA data can reveal family connections, ancestry, and health-related information. Once that information is leaked, it may remain available indefinitely.
At Futureproof, Kevin explains digital safety in simple words, with clear tips and zero fluff. He holds a degree in information technology and studies fraud trends to keep his tips up-to-date.
In his free time, Kevin plays with his cat, enjoys board-game nights, and hunts for New York’s best cinnamon rolls.
