California Attorney General Rob Bonta filed a lawsuit Thursday against Chrome Holding Co., the company formerly known as 23andMe, over a 2023 data breach that exposed the genetic and personal information of nearly 7 million users across the U.S., including 855,541 Californians.
The complaint, filed in San Francisco Superior Court, alleges that 23andMe failed to implement reasonable security measures, ignored known vulnerabilities in its systems, and misled consumers about the severity of the breach. The lawsuit says 23andMe's conduct violated California's Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act.
Attackers gained entry by recycling login credentials harvested from earlier security incidents elsewhere on the web — among them a prior compromise of MyHeritage, a genealogy platform that had previously partnered with 23andMe — ultimately breaking into approximately 14,000 accounts through this technique, known as credential stuffing. What made this especially notable, according to the complaint, is that 23andMe had not only known about the MyHeritage incident but had actively steered its own customers toward creating accounts on that platform — yet it took no steps to detect or prevent those same credentials from being reused to log into 23andMe.
From that initial foothold of 14,000 compromised accounts, the attacker leveraged a flaw in the DNA Relatives feature — through which users could connect with genetic matches — to reach and extract data belonging to close to 7 million people in total. The stolen information included raw genetic data, ancestry reports, health predispositions, and details about biological relatives. Rather than detecting the intrusion through its own monitoring, the company launched its investigation only after being confronted with the threat actor's ransom demand and the appearance of stolen records listed for sale online — by which point the attacker had been moving freely inside its systems for more than five months.
Among the complaint's other allegations is that 23andMe engaged in covert negotiations with the attacker over a ransom payment even as it publicly denied that any security incident had occurred within its systems. The dataset put up for sale was marketed with explicit callouts to prospective buyers that it included records tied to AAPI and Jewish individuals — a targeting detail that Bonta flagged as particularly alarming given concurrent surges in hate crimes directed at those communities.
"23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach," Rob Bonta said in a statement.
The suit seeks civil penalties and injunctions against further privacy violations. This civil action runs parallel to a separate intervention Bonta has mounted in the company's bankruptcy proceedings, where he has sought to block the transfer of Californians' genetic data to any buyer emerging from the Chapter 11 process. A separate class-action case brought by affected customers was resolved when the total payout was increased to $50 million — up from an initial $30 million figure — with a federal bankruptcy judge signing off on that final amount earlier this year, according to ABC News.
