// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRC-newsDTG 0600Z
Breach Record

23andMe

DISCLOSED 2026-06-01 · STOLEN CREDS · 7,000,000 RECORDS EXPOSED

California's Attorney General has sued 23andMe over a 2023 data breach that exposed sensitive health data of nearly 7 million customers. The breach, which came to light in October 2023, involved threat actors selling stolen records. The incident affected 855,541 Californians.

The record

What we know

Disclosed
2026-06-01
Attack vector
Stolen Creds
Sector
biotechnology
Country
US
Records exposed
7,000,000
Domain
23andme.com
Data classes exposed
health datasensitive information
ColdRecon assessment

Could a positive-security control have prevented this?

Verdict · unclear · opinion

The article does not provide enough technical details about the attack to determine if a positive-security model would have prevented it.

Our assessments are opinion, grounded in the cited public facts. Read them critically.

Sources

Cited reporting

Similar vector · recent

Other stolen creds breaches on file

This page is the permanent ColdRecon entry for the 23andMe disclosure. It updates if new public reporting emerges. All tracked breaches →

23andMe just lived through this. Your next prospect doesn't have to.

ColdRecon turns every disclosed breach into a daily intelligence brief from the seller's seat — normalized to the factors that move a deal, written in the Handler's voice. Request clearance and the first lands tomorrow at 0600.

Request Clearance →