California Attorney General Rob Bonta sued the genetic testing company formerly known as 23andMe on Thursday, accusing it of failing to protect sensitive user data in a 2023 breach that exposed information tied to nearly 7 million people across the country. The case lands after the company rebranded as Chrome Holding Co. following bankruptcy last March.
Bonta said the breach was not a narrow slip. It reached about 14,000 accounts, but attackers used those accounts to steal data belonging to nearly 7 million customers. In one attack path, they used credential stuffing with stolen login details, including credentials tied to a massive October 2017 breach at MyHeritage. The complaint says 23andMe never forced customers to reset passwords or turn on multifactor authentication after that earlier breach, leaving the door open for the 2023 intrusion.
The material at issue went well beyond names and email addresses. The lawsuit says the stolen data included raw genetic data, health reports, DNA shared with relatives, and the locations and birth years of relatives. It also says the information is especially sensitive because genetic data requires one of the highest levels of protection under California law, which imposes a heightened legal duty on companies that hold it.
That is why the breach has drawn fresh attention now. The suit says the company only started investigating after the stolen data was offered for sale on the dark web and the intruder demanded a ransom. By then, the complaint says, the threat actor had moved through 23andMe’s systems undetected for more than five months. The same filing says the company missed warning signs months earlier, including a suspicious spike in login attempts in July and a Reddit post in August that discussed a possible breach and the sale of user data.
In October 2023, the stolen data appeared for sale on the dark web, with a post that singled out the data of about 1.1 million Asian-Pacific Islander and Ashkenazi Jewish users. The lawsuit also says 23andMe continued to minimize the breach after telling the public about it, even as the scope of the stolen material became clearer. Bonta called the case disturbing and incredibly dangerous.
The lawsuit seeks civil penalties and an injunction to block further violations of California’s privacy laws. For customers, the unresolved issue is not whether the data was exposed — it was — but how a company that marketed intimate genetic insight kept so little control over the same information once it was in its hands.

