
Industry - Data Breach

moderate | Anti-Privacy | Data Breach

Executive Summary

California Attorney General Rob Bonta is suing Chrome Holding Co., the successor to 23andMe, over a 2023 data breach that exposed sensitive genetic information of nearly seven million users through a credential-stuffing attack. The breach revealed genetic predispositions, ancestry data, and information about biological relatives, with hackers specifically advertising stolen data from Asian American Pacific Islander and Jewish users on the dark web. The lawsuit alleges 23andMe failed to implem...

What Happened

California Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co., the successor to 23andMe, over a 2023 data breach that exposed genetic and ancestry information of nearly seven million users. The attackers used credential stuffing: they took username and password pairs leaked in breaches of other services and replayed them against 23andMe's login, gaining entry to every account whose owner had reused the same credentials. Because a logged-in account could also see data about the user's biological relatives, each account taken over this way exposed information about many users who had never reused a password. The stolen data was later sold on the dark web, with the hackers specifically advertising records belonging to Asian American Pacific Islander and Jewish users.
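The signature a credential-stuffing campaign leaves in authentication logs is distinctive: one source tries many different accounts, most attempts fail (the leaked password is stale for users who did not reuse it), and the few successes are the accounts that reused a breached password. The detector below is an added example, not code from the article, PrivacyWire or 23andMe; its log format, field names, thresholds and sample log lines are all constructed assumptions for illustration. It separates that pattern from a brute-force attack on a single account and reports which accounts the stuffing source actually got into.

```python
"""Credential-stuffing detector over constructed authentication logs.

Added example (not from the article or 23andMe). The log format, thresholds
and sample lines below are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format per line:
#   ISO-8601-timestamp  source-ip  username  FAIL|SUCCESS
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-10-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank@example.com SUCCESS
2023-10-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2023-10-01T10:01:00Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:01:05Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:01:10Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:01:15Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:01:20Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:02:00Z 192.0.2.50 mallory@example.com FAIL
2023-10-01T10:02:30Z 192.0.2.50 mallory@example.com SUCCESS
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window per source IP
MIN_DISTINCT_USERS = 8          # assumed: stuffing = many different accounts...
MIN_FAIL_RATIO = 0.5            # ...with mostly failed logins from one source
MIN_BRUTE_FAILURES = 5          # assumed: brute force = one account, many failures


def parse_log(text):
    """Parse the assumed 'timestamp ip user result' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # fromisoformat accepts '+00:00' on every supported Python; 'Z' only on 3.11+
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "SUCCESS"))
    events.sort()
    return events


def classify_sources(events, window=WINDOW):
    """Return {ip: verdict} based on the densest window of attempts per source.

    credential_stuffing: many distinct usernames, mostly failing; the successes
    are the accounts whose owners reused a password leaked elsewhere.
    brute_force: a single username hammered with repeated failures.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        # Windows anchored at each event; keep the one with the most attempts.
        densest = max(
            ([e for e in evs[i:] if e[0] - start <= window]
             for i, (start, _, _, _) in enumerate(evs)),
            key=len,
        )
        users = {e[2] for e in densest}
        failures = sum(1 for e in densest if not e[3])
        fail_ratio = failures / len(densest)
        if len(users) >= MIN_DISTINCT_USERS and fail_ratio >= MIN_FAIL_RATIO:
            kind = "credential_stuffing"
        elif len(users) == 1 and failures >= MIN_BRUTE_FAILURES:
            kind = "brute_force"
        else:
            kind = "benign"
        # Accounts that were entered from a stuffing source need forced resets.
        compromised = sorted({e[2] for e in densest if e[3]}) if kind == "credential_stuffing" else []
        verdicts[ip] = {
            "kind": kind,
            "distinct_users": len(users),
            "attempts": len(densest),
            "failures": failures,
            "compromised": compromised,
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

On the constructed input, 203.0.113.7 is flagged as credential stuffing with carol and frank as the accounts it entered, 198.51.100.9 is flagged as brute force against alice, and 192.0.2.50 (one user, one mistyped password) is benign. In practice the per-IP grouping is the weak point: stuffing tools spread attempts across proxy pools, so a production rule should also key on ASN, user agent, and device fingerprint, and a low per-source rate is no reason to dismiss the pattern.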

Who Is Affected

Nearly seven million 23andMe users globally had their genetic predispositions, risk factors, ancestry, ethnicity, and information about biological relatives exposed, including 155,592 UK residents specifically identified by regulators. The attackers disproportionately targeted and advertised data from Asian American Pacific Islander and Jewish users, during a period of increased hate and violence against these communities. Former and current customers of the DNA testing service who had reused a password already exposed in a breach of another service were the accounts directly taken over in this attack.

Why It Matters

This breach demonstrates the unique dangers of genetic data exposure: DNA information is immutable and can reveal intimate health details about individuals and their relatives for generations. The lawsuit alleges 23andMe failed to implement basic authentication measures such as multi-factor authentication, despite handling special category data that requires enhanced protections under privacy laws. The targeted sale of specific ethnic groups' genetic data on the dark web, combined with the company's subsequent bankruptcy raising concerns about a potential sale to insurance companies, illustrates how genetic privacy failures create permanent risks that extend well beyond a typical data breach.

What You Should Do

If you are a 23andMe user, immediately change your account password to a strong, unique password not used on any other service and enable multi-factor authentication if available. Review your account settings and consider requesting deletion of your genetic data, though users reported complications when attempting this during the company's bankruptcy proceedings. Monitor for identity theft or misuse of your information, and be aware that, unlike a leaked password, exposed genetic data cannot be rotated or revoked: your DNA does not change, so the exposed information about health predispositions and ancestry remains permanently out.


Industry | PrivacyWire