
California sues former 23andMe over $50m genetic data breach

The state’s legal action targets the company’s handling of a 2023 breach that exposed 7 million users, including over 855,000 Californians, amid the firm’s 2025 bankruptcy proceedings.

Author: Owen Mercer, Markets and Finance Editor
Source: Engadget
California sues 23andMe over 2023 data breach that affected 7 million users
Attorney General Rob Bonta alleges Chrome Holding Co. misled customers and failed to secure sensitive genetic information

California Attorney General Rob Bonta has initiated legal proceedings against Chrome Holding Co., the entity formerly known as 23andMe, over a 2023 data breach that compromised the sensitive genetic and personal information of 7 million users. The lawsuit alleges that the company failed to protect user data against credential stuffing attacks and that the attackers then exploited vulnerabilities in its DNA Relatives feature, operating undetected for five months. The breach affected 855,541 California residents among the total user base impacted across the United States.

Bonta accuses the firm of misleading customers, downplaying the sensitivity of the stolen data, and omitting critical details regarding the sale of that information on the dark web. The complaint highlights that the stolen data was marketed in a way that explicitly targeted Asian American and Pacific Islander users as well as Jewish users, during a period of mounting hate and violence against these groups. The Attorney General described the sale of this identifying information as disturbing and dangerous, noting the company's failure to adequately warn users of the specific risks involved.

The lawsuit details how bad actors accessed user accounts through credential stuffing, utilising credentials stolen from previous breaches, including one on MyHeritage. Bonta argues that the company, which encouraged users to sign up for MyHeritage accounts, failed to check or prevent users from reusing credentials known to be compromised. After compromising 14,000 accounts via this method, hackers exploited a vulnerability in the website's DNA Relatives feature to access data from more customers.
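The control the complaint says was missing is a check, at sign-up and at login, of whether a password already appears in a known breach corpus. The following is an added example for this page, not code from 23andMe or from the complaint: the breached-password set is constructed, the function names are assumptions, and the prefix lookup mirrors the k-anonymity style used by public breach-check services so the lookup side never sees the full hash.

```python
"""Refuse or reset credentials that are already known to be compromised."""
import hashlib

# Constructed sample corpus of breached passwords, stored only as upper-case
# SHA-1 hex digests as a real breach-compilation feed would be. The three
# plaintexts below are made up for this example.
_SAMPLE_BREACHED = ["password123", "letmein", "Summer2023!"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as a lookup key into the breach corpus,
    never as the password hash stored for authentication."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> list[str]:
    """Lookup side of a k-anonymity range query: given the first five hex
    characters of a digest, return the 35-character suffixes of every
    breached digest sharing that prefix. The caller's full digest, and
    therefore the password, is never disclosed to this side."""
    if len(prefix5) != 5 or any(c not in "0123456789ABCDEF" for c in prefix5):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return sorted(h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5))


def is_breached(password: str, lookup=range_lookup) -> bool:
    """Client side: query by prefix, then match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in lookup(digest[:5])


def evaluate_credential(password: str, at_signup: bool) -> str:
    """Policy hook for the registration and login paths.
    Returns 'accept', 'reject_breached' (new account refused) or
    'force_reset' (existing account must change its password before use)."""
    if not is_breached(password):
        return "accept"
    # A known-compromised password is refused outright at registration;
    # an existing account gets a mandatory reset instead of a silent login,
    # which is what blunts credential stuffing with recycled passwords.
    return "reject_breached" if at_signup else "force_reset"
```

The lookup-by-prefix step is what lets the check be outsourced to a shared breach corpus without sending the corpus operator anything that identifies the user's actual password.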

Bonta alleges that 23andMe downplayed the sensitivity of the stolen data by claiming the DNA Relatives feature was "essentially public" while secretly negotiating with bad actors. The company only began investigating after the bad actors had already started selling stolen user data on the dark web and demanding a ransom. The Attorney General contends that the firm omitted critical information when informing customers about the breach, minimising the extent of the exposure.

23andMe filed for bankruptcy in March 2025. As part of the ongoing legal landscape surrounding the company, a judge overseeing the bankruptcy had approved a $50 million settlement earlier this year in a separate class-action lawsuit. The current action by the California Attorney General adds to the regulatory and financial pressures facing the rebranded entity as it navigates the aftermath of the significant security failure.
