California sues 23andMe over 2023 data breach that affected 7 million users

CitrixNews Staff

Rob Bonta accused the company, now called Chrome Holding Co., of failing to protect users’ sensitive information.

May 29, 2026 3:59 am EST

Photo: Marker with 23andMe logo (bluestork/Shutterstock)

Chrome Holding Co., the company formerly known as 23andMe, is facing a lawsuit filed by California Attorney General Rob Bonta over a massive security breach in 2023 that compromised millions of people's sensitive data. Bonta is accusing the company of misleading customers and failing to protect their "sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry and ethnicity." The incident affected 7 million users across the US, the lawsuit said, 855,541 of whom were California residents.

23andMe, which offered customers DNA testing kits so they could find out their ancestral origins and genetic health risks, admitted back in 2023 that bad actors were able to access users' accounts through credential stuffing. Bonta argued that companies, especially those that collect genetic data, should know to guard against such a common method of cyberattack.

In 23andMe's case, the hacker apparently used credentials stolen in previous data breaches, including from an attack on MyHeritage, another genealogy website that 23andMe worked with. Bonta says that even though 23andMe was aware of the breach on MyHeritage, it never checked or prevented users from reusing their credentials. That's particularly noteworthy, because 23andMe allegedly encouraged its users to sign up for a MyHeritage account, as well. 

It wasn't just credential stuffing that allowed the bad actors to steal millions of users' private information. After using credential stuffing to break into 14,000 accounts, they then exploited a vulnerability in the website's DNA Relatives feature to access data from more customers. Bonta said the company's security measures were so lax that the hackers were able to operate undetected inside its system for five months. He added that the company only started investigating after the bad actors had already started selling stolen user data on the dark web and demanding a ransom.
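The two failures the complaint describes, reused credentials going unchecked and stuffing activity going unnoticed for months, map onto two routine defender checks: refusing a password that already appears in a known-breach list, and flagging a source address that tries many distinct accounts in a short span. The Python below is an added example written for this page, not code from 23andMe, MyHeritage, the complaint or the article; the login events and the breached-hash list are constructed, and the thresholds (five distinct accounts inside five minutes) are assumptions a real deployment would tune against its own traffic.

```python
"""Defender-side checks against credential stuffing (added example).

1. A login-log sweep that flags a source address attempting many *distinct*
   accounts within a short window, the signature of replaying a leaked list.
2. A breached-credential check at password-set or login time: hash the
   submitted password and compare it with hashes known from prior breaches,
   so a password reused from another site is rejected before it can be stuffed.

All events and hashes below are constructed for illustration.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (ISO timestamp, source IP, account, succeeded).
# 198.51.100.7 walks through six accounts in 14 seconds (stuffing pattern);
# 203.0.113.9 is one user retrying their own account (benign).
SAMPLE_LOGINS = [
    ("2023-05-01T10:00:00", "198.51.100.7", "alice", False),
    ("2023-05-01T10:00:03", "198.51.100.7", "bob", False),
    ("2023-05-01T10:00:05", "198.51.100.7", "carol", True),
    ("2023-05-01T10:00:08", "198.51.100.7", "dave", False),
    ("2023-05-01T10:00:11", "198.51.100.7", "erin", True),
    ("2023-05-01T10:00:14", "198.51.100.7", "frank", False),
    ("2023-05-01T10:30:00", "203.0.113.9", "alice", False),
    ("2023-05-01T10:30:20", "203.0.113.9", "alice", False),
    ("2023-05-01T10:31:00", "203.0.113.9", "alice", True),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted accounts it touched} for every source that
    attempted at least `min_accounts` distinct accounts inside some span of
    length `window`. Counting distinct accounts per source, rather than raw
    failures, separates list replay from one person fumbling a password."""
    per_source = defaultdict(list)
    for ts, ip, account, _ok in events:
        per_source[ip].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for ip, attempts in per_source.items():
        attempts.sort()  # sliding window needs chronological order
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if len({a for _, a in attempts[start:end + 1]}) >= min_accounts:
                flagged[ip] = sorted({a for _, a in attempts})
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts where a flagged source actually logged in: these are the ones
    a responder should force through a credential reset and session revocation."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in flagged})


def sha1_hex(password):
    """SHA-1 hex digest, upper-case, the form breached-password corpora commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a locally held breached-password list (assumption:
# the service keeps such a list; a hosted service would instead be queried by
# hash prefix so the full hash never leaves the client).
BREACHED_HASHES = {sha1_hex(p) for p in ("password123", "letmein", "Summer2022!")}


def is_password_breached(password, breached=BREACHED_HASHES):
    """True when the password's hash is in the breach list; reject it at signup
    and at login rather than letting a reused credential stand."""
    return sha1_hex(password) in breached


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOGINS)
    print("stuffing sources:", hits)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOGINS, hits))
    print("password123 breached:", is_password_breached("password123"))
```

Run as a script it reports the one stuffing source, the two accounts it got into, and that the reused password is rejected. In production the distinct-account count would be keyed on more than the source IP (stuffing tools rotate through proxies), and the breached-hash comparison would be done by hash-prefix range against a hosted corpus rather than against an in-memory set.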

Bonta accused 23andMe of omitting critical information when it informed customers about the breach. He said the company downplayed the sensitivity of the stolen data and claimed that the DNA Relatives feature was "essentially public," all while it was secretly negotiating with the bad actors, who were highlighting the inclusion of information about Asian Americans and Pacific Islanders, as well as Jewish users, in the dataset they were selling.

"The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information," Bonta wrote. "This is disturbing and incredibly dangerous."

23andMe filed for bankruptcy in March 2025. As AP notes, it also faced a class-action lawsuit that accused the company of failing to protect its customers, and a judge overseeing its bankruptcy approved a $50 million settlement earlier this year.

Originally reported by Engadget