ctipilot.ch


California AG sues former 23andMe (Chrome Holding Co.) over the 2023 genetic-data breach — bulk-enumeration coding error plus absent credential-stuffing defences

high incident discovered 2026-05-31 05:00 UTC

Part of run 2026-05-31-d742bed9 (intel · Claude Opus 4.8)

California Attorney General Rob Bonta announced a suit against Chrome Holding Co. (formerly 23andMe) on 2026-05-28, filed in San Francisco Superior Court, over the October 2023 breach affecting ~6.9 million users worldwide, including 855,541 Californians (California OAG, 2026-05-28; BleepingComputer, 2026-05-29). The complaint describes a two-stage failure. First, an actor compromised ~14,000 accounts via credential stuffing (reusing credentials from earlier breaches). The actor then abused the DNA Relatives kinship-matching feature, which carried a coding error permitting bulk enumeration of matched records without per-record access checks, to reach data belonging to the remaining ~6.9 million. Alleged data classes include raw DNA, ancestry data, genetic health-predisposition data and family connections. The AG additionally alleges that the company ignored a July 2023 suspicious-login spike, made misleading public statements, and negotiated and paid a ransom for deletion of the leaked data, an unusual allegation to surface in a state-enforcement complaint (The Register, 2026-05-29).

“The breach exposed information for approximately 6.9 million customers, including 855,541 Californians” — BleepingComputer

“Bonta's office claims 23andMe negotiated and paid ransom to the threat actor in exchange for removal of breach information posted online and details about multiple 23andMe security vulnerabilities” — The Register
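
The second stage described above, as an added illustration of the bug class and not code from the complaint, the cited reports or 23andMe: a bulk-fetch handler that trusts caller-supplied record IDs, beside a version that authorizes every record. The data model, function names, opt-in flag and batch cap are assumptions, and all sample records are constructed.

```python
"""Added illustration: bulk relative-matching fetch, flawed vs. per-record checked.
Hypothetical model; every name and record below is constructed for the example."""
from dataclasses import dataclass

MAX_BATCH = 25  # assumed cap on records per request


@dataclass(frozen=True)
class Profile:
    user_id: str
    display_name: str
    shares_with_relatives: bool  # assumed opt-in flag for the matching feature


# Constructed sample data: four users; u1 is genetically matched to u2 and u3 only.
PROFILES = {
    "u1": Profile("u1", "Alice", True),
    "u2": Profile("u2", "Bob", True),
    "u3": Profile("u3", "Carol", False),  # matched to u1 but opted out
    "u4": Profile("u4", "Dan", True),     # opted in but unrelated to u1
}
MATCHES = {"u1": {"u2", "u3"}, "u2": {"u1"}, "u3": {"u1"}, "u4": set()}


def fetch_relatives_vulnerable(session_user, requested_ids):
    """Flawed: the caller is authenticated, but the ID list is trusted as-is,
    so one logged-in account can read any record it can name."""
    return [PROFILES[r] for r in requested_ids if r in PROFILES]


def fetch_relatives_checked(session_user, requested_ids):
    """Hardened: authorize each record against the caller's own match set,
    honour the owner's opt-in, cap the batch, and report denials for alerting."""
    if len(requested_ids) > MAX_BATCH:
        raise PermissionError(f"batch of {len(requested_ids)} exceeds {MAX_BATCH}")
    matched = MATCHES.get(session_user, set())
    allowed, denied = [], []
    for rid in requested_ids:
        profile = PROFILES.get(rid)
        if profile and rid in matched and profile.shares_with_relatives:
            allowed.append(profile)
        else:
            denied.append(rid)  # unknown and unauthorized IDs look identical
    return allowed, denied


if __name__ == "__main__":
    ids = ["u2", "u3", "u4", "u999"]
    print("vulnerable:", [p.user_id for p in fetch_relatives_vulnerable("u1", ids)])
    ok, no = fetch_relatives_checked("u1", ids)
    print("checked:", [p.user_id for p in ok], "denied:", no)
```

A non-empty denied list from a single session is a signal worth logging and alerting on, since a legitimate client only requests IDs the server gave it.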

data-breach identity law-enforcement us