California's Attorney General Rob Bonta filed a lawsuit against 23andMe following a 2023 data breach that compromised genetic and personal information belonging to 7 million users. The stolen data was subsequently sold on the dark web.
The Lawsuit
Attorney General Bonta's action targets the DNA testing company for inadequate security practices and failure to protect consumer data. The suit alleges 23andMe violated California's consumer protection laws by not implementing reasonable safeguards for sensitive genetic information.
The Breach
The breach occurred in 2023 when unauthorized actors accessed user accounts through credential stuffing attacks. Hackers obtained genetic ancestry data, health predispositions, and personal information from millions of customers. The compromised data later appeared on dark web marketplaces.
23andMe's Response
The company previously acknowledged the breach and took steps to reset passwords and implement additional security measures. 23andMe stated it notified affected users and cooperated with law enforcement. The company maintained that many users had weak passwords that contributed to account compromise.
Legal Implications
The lawsuit represents a significant enforcement action against a major consumer genetics company. California has prioritized data protection cases, particularly involving sensitive health information. The suit seeks civil penalties, restitution for affected consumers, and injunctive relief requiring stronger security protocols.
Industry Context
The case highlights ongoing tensions between the consumer genetics industry and regulators over data security standards. DNA testing services collect some of the most sensitive personal information available. Breaches at these companies raise particular concerns given the permanent nature of genetic data—unlike passwords or credit card numbers, DNA cannot be changed.
Other genetic testing companies face similar scrutiny from state and federal regulators regarding data protection practices and third-party data sharing policies.
The lawsuit reflects growing regulatory pressure on tech companies handling sensitive consumer data following major security incidents.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.