23andMe A.I CyberSecurity Scoring
23andMe
Company Information
Website: https://www.23andme.com
Employees number: 559
Number of followers: 81,337
NAICS: 8135
Industry Type: Non-profit Organizations
Homepage: 23andme.com
23andMe Risk Score (AI oriented)
Between 0 and 549
23andMe, Non-profit Organizations
Updated: 02/06/2026
100/1000
Critical
C
23andMe Global Score (TPRM)
Score locked

23andMe: Critical
Current Score: 100, C (CRITICAL), scale 0 to 1000
8 incidents
-118 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026: 100
JUNE 2026: 234
Breach
01 Jun 2026 • 23andMe
23andMe: California Attorney General sues 23andMe for security breach
23andMe Data Breach Impacting 7 Million Users
100
CRITICAL, -134 impact
23A1780359968
23andMe Faces Lawsuit Over 2023 Data Breach Impacting 7 Million Users
The California Attorney General, Rob Bonta, has filed a lawsuit against genetic-testing company 23andMe (now operating as Chrome Holding Co.) for its handling of a 2023 data breach that exposed the sensitive information of nearly 7 million users, including over 850,000 Californians. The complaint alleges that 23andMe failed to implement basic security measures, misled customers about the breach’s severity, and violated multiple state laws, including the Genetic Information Privacy Act and the California Consumer Privacy Act.
The breach, which occurred over five months, stemmed from a credential-stuffing attack in which hackers exploited weak or reused passwords from other breaches, including a prior incident at genealogy site MyHeritage, a 23andMe partner. Once inside, attackers exploited a coding flaw in the company’s “DNA Relatives” feature, allowing them to access ancestry reports, family histories, and health-related genetic data. The stolen information was later offered for sale on the dark web, with hackers specifically targeting data belonging to Asian-Pacific Islander and Jewish users amid rising hate crimes.
23andMe initially downplayed the incident, publicly confirming only 14,000 compromised accounts while withholding details about the broader exposure. The California Department of Justice’s investigation found that the company’s security practices “fell below industry standards”, despite its claims of robust protections. The lawsuit also accuses 23andMe of misleading customers by denying a security incident even after hackers revealed exploitable vulnerabilities during ransom negotiations.
Founded in 2006, 23andMe was the first direct-to-consumer DNA testing company but faced financial struggles, filing for bankruptcy in 2023. Its assets were later acquired by the 23andMe Research Institute, a nonprofit that has distanced itself from the lawsuit, stating it was not involved in the events leading to the breach.
The legal action seeks accountability for what Bonta described as a failure to “meet its obligation under California law to keep [users’] information safe.” The case highlights the risks of inadequate cybersecurity in handling highly sensitive genetic and personal data.
MAY 2026: 224
APRIL 2026: 224
MARCH 2026: 214
FEBRUARY 2026: 203
JANUARY 2026: 189
DECEMBER 2025: 175
NOVEMBER 2025: 349
Breach
28 Nov 2025 • 23andMe
23andMe Nets Approval for Bankruptcy Plan With Data Breach Deals
23andMe Data Breach and Bankruptcy Settlement
189
CRITICAL, -160 impact
23A1764346412
Fallen DNA testing firm 23andMe won court approval of a bankruptcy plan that includes settlements to provide up to $62 million to resolve thousands of data breach claims.
Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri approved the plan in a Wednesday order, overruling most creditor objections and challenges from data breach victims.
Many of those former customers’ objections were deemed moot or premature, and several of them didn’t appear at a court hearing on the plan.
Objections from the Justice Department’s bankruptcy watchdog and a coalition of state attorneys general were resolved ...
OCTOBER 2025: 343
SEPTEMBER 2025: 393
Breach
25 Sep 2025 • 23andMe
23andMe
23andMe Data Breach and Bankruptcy Settlement
333
CRITICAL, -60 impact
23A0702607092625
The genetic testing company 23andMe faced a significant data breach exposing customers' personal and genetic information. The breach led to legal claims from affected users, prompting the company to propose settlements as part of its ongoing Chapter 11 bankruptcy proceedings. The exposed data included sensitive customer details, raising concerns over privacy, identity theft, and potential misuse of genetic information. The breach’s financial and reputational fallout contributed to the company’s restructuring efforts, with a judge reviewing settlement approvals to resolve customer claims. The incident underscores the severe consequences of failing to protect highly personal data in the biotech sector, particularly when such information can have long-term implications for individuals' health, insurance, and security.
AUGUST 2025: 387
MARCH 2025: 408
Breach
24 Mar 2025 • 23andMe
23andMe
23andMe Bankruptcy and Data Privacy Concerns
349
CRITICAL, -59 impact
23A000032525
23andMe, a company offering personal genetic testing services, has faced bankruptcy protection while holding a vast collection of sensitive genetic data. Privacy risks are heightened as this data might fall into new hands during a sale process, raising concerns over data protection and potential misuse. Legal frameworks like California’s right to deletion offer some safeguards, yet a national health privacy law in the US is lacking, leaving many customers vulnerable. Customers are advised to download and then request deletion of their personal genetic data to ensure their privacy.
OCTOBER 2023: 419
Breach
01 Oct 2023 • 23andMe
23andMe (Chrome Holding Co.)
23andMe Data Breach (2023)
269
CRITICAL, -150 impact
23A4433044101425
In October 2023, 23andMe suffered a massive data breach exposing the personal and genetic data of nearly 7 million users, including highly sensitive DNA profiles, health records, and personally identifiable information (PII). The breach led to severe consequences for affected individuals, including identity theft, targeted harassment (especially against LGBTQ+ members like Salman Jaberi), mental health deterioration (e.g., Elvira Olguín’s vascular episode and vision loss due to stress), and financial fraud. The company filed for bankruptcy in March 2024, facing over 250,000 claims (many suspected fraudulent) tied to the incident, with settlements proposed at $30M–$50M (US) and $3.25M (Canada)—far below the claimed $51 trillion in damages. Victims reported long-term risks, such as nation-state exploitation of immutable DNA data, while the company struggled to verify legitimate claims. The breach’s unique harm—irreplaceable genetic data—heightened distress, with many users feeling the settlements provided insufficient relief for ongoing damages like privacy protection costs, medical expenses, and emotional trauma.
JUNE 2023: 685
Breach
16 Jun 2023 • 23andMe
23andMe
23andMe Data Breach (2023)
396
CRITICAL, -289 impact
23A4894348111825
In 2023, 23andMe suffered a major data breach exposing highly sensitive genetic and ancestry data of nearly 7 million users. The compromised information included chromosomal haplogroups, family tree details, and ancestry profiles, with ethically charged consequences—such as curated dark web lists targeting individuals of Jewish and Chinese descent. Initially, the company blamed users for weak passwords, exacerbating public distrust. The fallout led to a costly class-action lawsuit, severe reputational damage, and heightened scrutiny over the company’s data stewardship practices. The breach underscored the risks of mishandling biometric and genetic data, which, unlike financial records, cannot be changed if exposed. The incident also highlighted systemic failures in incident response, transparency, and ethical data management, reinforcing the need for stricter protections around health-related and personally identifiable information (PII).
Breach
16 Jun 2023 • 23andMe
23andMe: 23andMe Bankruptcy Judge to Review Data Breach Deals, Legal Fees
23andMe Data Breach Settlements and Legal Fees Ruling
396
CRITICAL, -289 impact
23A1768948228
23andMe Bankruptcy Judge to Rule on Data Breach Settlements and Legal Fees
A U.S. bankruptcy judge overseeing 23andMe’s Chapter 11 case will issue a final decision next week on settlements with victims of a 2023 data breach, along with contested legal fees for attorneys representing the claimants. Judge Brian C. Walsh of the U.S. Bankruptcy Court for the Eastern District of Missouri announced the ruling during a Tuesday hearing, setting the deadline for January 28.
The case centers on two key agreements: one involving a class of U.S.-based victims and another tied to the company’s 2025 asset sale out of bankruptcy. While 23andMe has already resolved its financial restructuring, the remaining focus is on compensating data breach claimants and resolving disputes over legal fees.
The breach, disclosed in late 2023, exposed sensitive genetic and personal data of millions of users, raising concerns over privacy and cybersecurity risks. The settlements under review aim to address these claims, though the final approval process has faced scrutiny over fairness and transparency.
The judge’s upcoming ruling will determine the final terms of compensation and the allocation of legal costs, marking a critical step in resolving the fallout from one of the most significant genetic data breaches to date.
APRIL 2023: 747
Breach
29 Apr 2023 • 23andMe
23andMe, Inc.
Data Breach at 23andMe, Inc.
683
CRITICAL, -64 impact
23A328072725
The California Office of the Attorney General reported a data breach involving 23andMe, Inc. on January 21, 2024. The breach occurred on two dates: April 29, 2023, and September 27, 2023. It involved unauthorized access to customers' personal information, including genetic data and other sensitive information. The incident highlights the vulnerability of genetic testing companies to cyber threats and the potential for significant data leaks.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for 23andMe?
What was 23andMe's A.I Rankiteo Cyber Score in June 2026?
What was 23andMe's A.I Rankiteo Cyber Score in May 2026?
What was 23andMe's A.I Rankiteo Cyber Score in April 2026?
What was 23andMe's A.I Rankiteo Cyber Score in March 2026?
What was 23andMe's A.I Rankiteo Cyber Score in February 2026?
What was 23andMe's A.I Rankiteo Cyber Score in January 2026?
What was 23andMe's A.I Rankiteo Cyber Score in December 2025?
What was 23andMe's A.I Rankiteo Cyber Score in November 2025?
What was 23andMe's A.I Rankiteo Cyber Score in October 2025?
What was 23andMe's A.I Rankiteo Cyber Score in September 2025?
What was 23andMe's A.I Rankiteo Cyber Score in August 2025?
What is the average per-incident point impact on 23andMe's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with 23andMe?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view 23andMe's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?