23andMe inherits lawsuit over 'disturbing' DNA data breach

The California Attorney General has sued 23andMe (Chrome Holding Co.) over the company’s handling of its catastrophic 2023 breach: a threat actor called “Golem” accessed ~14,000 accounts via credential stuffing and—leveraging the DNA Relatives feature—exposed information tied to nearly 7 million customers, including sensitive genetic and health data that was later offered on the dark web. Regulators found 23andMe failed to detect the intrusion for five months, did not mandate MFA by default, paid a ransom for removal of damaging material and information about vulnerabilities, and has since faced fines, settlements, bankruptcy and legal action.