
California Sues 23andMe Over Breach That Exposed 7 Million Users

Huma Shazia · 29 May 2026 at 2:17 pm · 5 min read

Key Takeaways

Source: Engadget
  • California is suing 23andMe for failing to protect genetic data from 7 million users in a 2023 breach
  • Hackers operated inside 23andMe systems for five months before the company investigated
  • The stolen data included ancestry and health information, with hackers specifically targeting Asian American and Jewish user data

California Attorney General Rob Bonta has filed a lawsuit against Chrome Holding Co., the company formerly known as 23andMe, accusing it of failing to protect the sensitive genetic data of millions of customers. The lawsuit centers on a 2023 security breach that exposed health information, ancestry details, and genetic predispositions from 7 million users across the United States.

Of those affected, 855,541 were California residents. The state argues that 23andMe, which sold DNA testing kits to help people discover their ancestral origins and health risks, ignored basic security practices that should be standard for any company handling such personal information.

5 months
The duration hackers operated undetected inside 23andMe systems before the company began investigating the breach

How the Breach Happened

The attack began with credential stuffing, a common method where hackers use username and password combinations stolen from other breaches to access accounts. In this case, attackers used credentials from previous data breaches, including one at MyHeritage, another genealogy website that 23andMe had partnered with.

Bonta's lawsuit points to a critical failure: 23andMe knew about the MyHeritage breach but never checked whether its own users were reusing those compromised credentials. This matters because 23andMe had actively encouraged customers to sign up for MyHeritage accounts.
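The check the complaint says was missing, as an added example (not code from 23andMe or from the article): a batch sweep that takes credential pairs from a known third-party breach and tests them against the service's own salted password hashes, flagging accounts that reuse the leaked password. The hash scheme, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the service's real password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(accounts):
    """Build email -> (salt, hash); plaintext passwords are never stored."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(user_store, breach_corpus):
    """Return emails whose current password equals the one leaked elsewhere."""
    flagged = set()
    for email, leaked_password in breach_corpus:
        key = email.strip().lower()  # breach dumps vary in case and whitespace
        record = user_store.get(key)
        if record is None:
            continue  # address is in the breach but is not our customer
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):
            flagged.add(key)
    return sorted(flagged)


# Constructed sample data (not real accounts or leaked credentials).
USERS = make_user_store([
    ("alice@example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "unique-to-this-site-91"),
    ("carol@example.com", "sunshine2017"),
])
PARTNER_BREACH = [
    ("Alice@Example.com", "Tr0ub4dor&3"),     # same password reused here
    ("bob@example.com", "old-partner-pass"),  # in the breach, different password
    ("dave@example.com", "hunter2"),          # not a customer
    ("carol@example.com ", "sunshine2017"),   # reused, with stray whitespace
]

if __name__ == "__main__":
    for email in find_reused_credentials(USERS, PARTNER_BREACH):
        print(f"force password reset and revoke sessions: {email}")
```

Flagged accounts are the ones a credential stuffing run with the same corpus would open, so they are the ones to reset before an attacker tries them.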

The company failed to take basic, industry-standard security measures to protect its customers' most sensitive personal and genetic information.

— Rob Bonta, California Attorney General

The credential stuffing attack initially compromised about 14,000 accounts. But hackers then exploited a vulnerability in 23andMe's DNA Relatives feature, a tool that let users find biological relatives who had also taken the test. Through this feature, they scraped data from millions of additional users who had never had their accounts directly compromised.

Five Months of Undetected Access

One of the lawsuit's most damning allegations is that hackers operated inside 23andMe's systems for five months without detection. The company only began investigating after the attackers had already started selling stolen user data on the dark web and demanding ransom.

Bonta accused 23andMe of downplaying the breach when it finally notified customers. The company allegedly claimed that the DNA Relatives feature was "essentially public," minimizing the sensitivity of what had been stolen. Meanwhile, according to the lawsuit, 23andMe was secretly negotiating with the hackers.

Targeting Specific Communities

The lawsuit highlights a disturbing element of the breach. When hackers began selling the stolen data on the dark web, they specifically advertised the inclusion of information about Asian American and Pacific Islander users, as well as Jewish users.

Bonta noted that this sale occurred during a period of rising hate and violence against both communities. "This is disturbing and incredibly dangerous," he wrote in the complaint, pointing to how the hackers "explicitly called attention to the deeply personal and identifying nature of that information."


The Company's Decline

23andMe's fall has been steep since the breach. The company filed for Chapter 11 bankruptcy in 2025 and rebranded as Chrome Holding Co. A nonprofit entity associated with co-founder Anne Wojcicki purchased the company. The lawsuit now targets this new corporate structure.

In 2024, 23andMe agreed to a $30 million class-action settlement related to the breach. But California's lawsuit suggests that wasn't enough accountability for the company's security failures.

What This Means for Genetic Data Companies

The lawsuit raises broader questions about how companies handling genetic data should be regulated. Unlike a credit card number, which can be changed after a breach, genetic information is permanent. Once it is exposed, the exposure cannot be undone.

Bonta's complaint argues that companies collecting such sensitive data should be held to higher security standards. Basic protections like checking for reused credentials from known breaches, he argues, should be non-negotiable.

Community Reaction

Online discussions about the lawsuit have been skeptical of whether legal action will produce meaningful consequences. Many commenters point out that 23andMe has already filed for bankruptcy, limiting what California can actually recover. The $30 million class-action settlement from 2024 struck some as insufficient given the scope of the breach.

Others expressed frustration that major data breaches consistently result in what they see as token penalties. The debate reflects broader concerns about whether current legal frameworks can adequately punish companies for security negligence.

Frequently Asked Questions

What data was stolen in the 23andMe breach?

Hackers accessed genetic data, health information, genetic predispositions and risk factors, ancestry and ethnicity details, and information about users' biological relatives.

How did hackers access 23andMe accounts?

They used credential stuffing, trying username and password combinations stolen from other breaches. After accessing 14,000 accounts, they exploited the DNA Relatives feature to scrape data from millions more users.

What is Chrome Holding Co.?

Chrome Holding Co. is the new name for 23andMe after the company filed for Chapter 11 bankruptcy in 2025 and was purchased by a nonprofit entity associated with co-founder Anne Wojcicki.

What does California want from this lawsuit?

The lawsuit accuses the company of misleading customers and failing to protect sensitive information. Specific penalties will be determined by the court, but the state aims to hold the company accountable for its security failures.

Can affected users still take action?

A $30 million class-action settlement was reached in 2024. California residents affected by the breach should check whether they were included in that settlement or may have additional legal options.


Huma Shazia

Senior AI & Tech Writer
