Executive Summary
In October 2023, genetic testing company 23andMe experienced a significant data breach affecting approximately 6.9 million users, including 855,541 Californians. Attackers exploited reused passwords through a credential-stuffing attack, initially compromising around 14,000 accounts. Due to the interconnected nature of 23andMe's 'DNA Relatives' feature, the breach expanded, exposing sensitive genetic and personal information such as ancestry reports, health predispositions, and DNA matches. The company faced multiple lawsuits and regulatory fines, ultimately filing for bankruptcy in March 2025. In May 2026, California Attorney General Rob Bonta filed a lawsuit against 23andMe, now known as Chrome Holding Co., alleging failure to implement reasonable safeguards against credential-stuffing attacks and misleading public statements regarding the breach. This incident underscores the critical importance of robust cybersecurity measures, especially in handling sensitive genetic data. The rise in credential-stuffing attacks highlights the need for organizations to enforce strong password policies and multi-factor authentication to protect user information.
Why This Matters Now
The 23andMe data breach serves as a stark reminder of the vulnerabilities associated with credential-stuffing attacks and the necessity for stringent security protocols. With the increasing prevalence of such attacks, organizations must prioritize the implementation of multi-factor authentication and proactive monitoring to safeguard sensitive user data.
Attack Path Analysis
Attackers initiated a credential-stuffing attack to gain unauthorized access to user accounts. Exploiting the 'DNA Relatives' feature, they escalated privileges to access additional user data, then moved laterally to a broader set of accounts beyond those using the feature. They established command-and-control channels to maintain persistent access and exfiltrated sensitive genetic and personal information belonging to approximately 6.9 million customers. The breach led to significant legal action and reputational damage for the company.
Kill Chain Progression
Initial Compromise
Description
Attackers used credential stuffing to gain unauthorized access to user accounts.
MITRE ATT&CK® Techniques
Credential Stuffing
Valid Accounts
Data from Cloud Storage
Automated Exfiltration
Disable or Modify Tools
Acquire Infrastructure: Domains
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
California Consumer Privacy Act (CCPA) – Civil Action for Data Breach
Control ID: 1798.150
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
The 23andMe breach shows how directly exposed genetic and other sensitive health data is to credential-stuffing attacks, and why such data requires enhanced segmentation.
Biotechnology/Greentech
Genetic testing companies face severe regulatory penalties and erosion of customer trust when inadequate data protection allows credential-stuffing attacks to expose proprietary biological data.
Information Technology/IT
Infrastructure providers must implement zero trust segmentation and egress security controls to prevent lateral movement and data exfiltration following an initial credential compromise.
Legal Services
Mass litigation following genetic data breaches creates extensive liability exposure, requiring robust compliance frameworks addressing CCPA, genetic privacy laws, and consumer protection regulations.
Sources
- California AG sues 23andMe over 2023 breach exposing health data: https://www.bleepingcomputer.com/news/security/california-ag-sues-23andme-over-2023-breach-exposing-health-data/
- California sues 23andMe, alleging it failed to protect user data in 2023 breach: https://apnews.com/article/0fc216812a2a35b72068c228384f597b
- 23andMe confirms hackers stole ancestry data on 6.9 million users: https://techcrunch.com/2023/12/04/23andme-confirms-hackers-stole-ancestry-data-on-6-9-million-users/
- 23andMe Data Breach Impacts 6.9M Users: https://www.techtarget.com/healthtechsecurity/news/366593944/23andMe-Data-Breach-Impacts-69M-Users
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate sensitive data by enforcing strict segmentation and identity-aware controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit compromised credentials would likely be constrained, reducing unauthorized access to critical systems.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing unauthorized access to sensitive data.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, reducing the scope of compromised accounts.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing data loss.
The overall impact of the breach would likely be constrained, reducing legal and reputational consequences.
Impact at a Glance
Affected Business Functions
- Customer Data Management
- Genetic Data Analysis
- User Account Services
Estimated downtime: N/A
Estimated loss: $50,000,000
Data exposed: Personal and genetic information of approximately 6.9 million users, including health predisposition data, ancestry details, and DNA matches.
Recommended Actions
Key Takeaways & Next Steps
- Implement Multi-Factor Authentication (MFA) to prevent unauthorized access through credential stuffing.
- Enhance monitoring and anomaly detection to identify and respond to unusual access patterns.
- Apply Zero Trust Segmentation to limit lateral movement within the network.
- Enforce strict egress security policies to prevent unauthorized data exfiltration.
- Regularly audit and update security controls to address potential vulnerabilities.
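As an added example (not part of the original report and not code from 23andMe or any vendor named here), the following Python sketch shows how the monitoring recommendation above could be put into practice over a constructed login/activity log. It flags two patterns that map to this incident: source addresses that attempt logins across many distinct accounts with a high failure rate (the credential-stuffing signature, with the accounts that did authenticate from such a source listed for containment), and authenticated accounts that fetch an unusual number of relative profiles in a short window (the fan-out through a feature like 'DNA Relatives'). The log format, field names, sample addresses and thresholds are all assumptions made for illustration.

```python
"""Heuristic detection of credential stuffing and post-compromise relative-profile
scraping over a constructed activity log (added example, not from the report)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format:
#   <ISO-8601 UTC timestamp> ip=<src> user=<account> action=<login|view_relative>
#   result=<ok|fail> [target=<profile id>]
# 203.0.113.5 sprays one password across six accounts and gets into 'dave';
# 'dave' is then used to pull twelve relative profiles in twelve seconds.
# 198.51.100.7 / 192.0.2.9 is a legitimate user with one typo and two profile views.
SAMPLE_LOG = "\n".join(
    [
        "2023-10-01T12:00:00Z ip=203.0.113.5 user=alice action=login result=fail",
        "2023-10-01T12:00:01Z ip=203.0.113.5 user=bob action=login result=fail",
        "2023-10-01T12:00:02Z ip=203.0.113.5 user=carol action=login result=fail",
        "2023-10-01T12:00:03Z ip=203.0.113.5 user=dave action=login result=ok",
        "2023-10-01T12:00:04Z ip=203.0.113.5 user=erin action=login result=fail",
        "2023-10-01T12:00:05Z ip=203.0.113.5 user=frank action=login result=fail",
        "2023-10-01T12:05:00Z ip=198.51.100.7 user=grace action=login result=fail",
        "2023-10-01T12:05:30Z ip=198.51.100.7 user=grace action=login result=ok",
    ]
    + [
        f"2023-10-01T12:10:{i:02d}Z ip=203.0.113.5 user=dave action=view_relative "
        f"result=ok target=rel-{i:03d}"
        for i in range(12)
    ]
    + [
        "2023-10-01T12:30:00Z ip=192.0.2.9 user=grace action=view_relative result=ok target=rel-050",
        "2023-10-01T12:31:00Z ip=192.0.2.9 user=grace action=view_relative result=ok target=rel-051",
    ]
)


def parse_log(text):
    """Turn the key=value log lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        ev = dict(pair.split("=", 1) for pair in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_failure_ratio=0.8):
    """Flag source IPs that try many distinct accounts with mostly failed logins.

    Returns {ip: {attempts, distinct_users, failures, compromised}} where
    'compromised' lists accounts that authenticated successfully from that IP,
    i.e. the accounts to force a password reset and session revocation on.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ok": set()})
    for ev in events:
        if ev["action"] != "login":
            continue
        stats = per_ip[ev["ip"]]
        stats["attempts"] += 1
        stats["users"].add(ev["user"])
        if ev["result"] == "fail":
            stats["failures"] += 1
        else:
            stats["ok"].add(ev["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "failures": stats["failures"],
                "compromised": sorted(stats["ok"]),
            }
    return flagged


def detect_relative_scraping(events, window=timedelta(minutes=5), threshold=10):
    """Flag accounts whose successful relative-profile views exceed `threshold`
    within any sliding `window`; returns {user: peak views in one window}."""
    views = defaultdict(list)
    for ev in events:
        if ev["action"] == "view_relative" and ev["result"] == "ok":
            views[ev["user"]].append(ev["ts"])

    flagged = {}
    for user, times in views.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", detect_credential_stuffing(evs))
    print("profile scraping accounts:", detect_relative_scraping(evs))
```

In production the same two signals would be computed from the identity provider's sign-in logs and the application's access logs rather than a flat file, and the thresholds tuned against a baseline of normal per-account profile views; the point of the sketch is that a stuffing campaign and the subsequent fan-out each leave a distinct, easily counted pattern.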