:

CALIFORNIA SUES 23ANDME OVER 7M-USER DATA BREACH

SECURITY DESK2 MIN READ
FRI, MAY 29, 2026

■ AI-SUMMARIZED FROM 2 SOURCES ▸ TIMELINE

California's Attorney General Rob Bonta filed a lawsuit against 23andMe following a 2023 data breach that compromised genetic and personal information belonging to 7 million users. The stolen data was subsequently sold on the dark web.

The Lawsuit Attorney General Bonta's action targets the DNA testing company for inadequate security practices and failure to protect consumer data. The suit alleges 23andMe violated California's consumer protection laws by not implementing reasonable safeguards for sensitive genetic information. The Breach The breach occurred in 2023 when unauthorized actors accessed user accounts through credential stuffing attacks. Hackers obtained genetic ancestry data, health predispositions, and personal information from millions of customers. The compromised data later appeared on dark web marketplaces. 23andMe's Response The company previously acknowledged the breach and took steps to reset passwords and implement additional security measures. 23andMe stated it notified affected users and cooperated with law enforcement. The company maintained that many users had weak passwords that contributed to account compromise. Legal Implications The lawsuit represents a significant enforcement action against a major consumer genetics company. California has prioritized data protection cases, particularly involving sensitive health information. The suit seeks civil penalties, restitution for affected consumers, and injunctive relief requiring stronger security protocols. Industry Context The case highlights ongoing tensions between the consumer genetics industry and regulators over data security standards. DNA testing services collect some of the most sensitive personal information available. Breaches at these companies raise particular concerns given the permanent nature of genetic data—unlike passwords or credit card numbers, DNA cannot be changed. Other genetic testing companies face similar scrutiny from state and federal regulators regarding data protection practices and third-party data sharing policies. The lawsuit reflects growing regulatory pressure on tech companies handling sensitive consumer data following major security incidents.

■ SOURCES

EngadgetBleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

4H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

4H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

7H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

9H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.