Chrome Holding Co.: Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach

California AG Sues 23andMe Over Massive Data Breach Exposing Genetic and Personal Data of 7 Million Users

California Attorney General Rob Bonta has filed a lawsuit against genetic testing company Chrome Holding Co. (formerly 23andMe), alleging the company failed to protect sensitive customer data and misled the public about a 2023 data breach that compromised nearly 7 million users, including 855,541 Californians. The breach exposed highly personal information, including genetic health predispositions, ancestry details, family histories, and ethnicity data, which was later sold on the dark web.

The attack, which went undetected for five months, began when a threat actor used credential stuffing (a method that exploits passwords reused from prior breaches, including a 2021 MyHeritage incident) to access 14,000 23andMe accounts. The hacker then exploited a coding vulnerability in the company’s "DNA Relatives" feature, allowing them to scrape data from millions of users. The stolen information was later advertised for sale on the dark web, with sellers explicitly targeting Asian American, Pacific Islander, and Jewish users, a particularly alarming detail given the rise in anti-AAPI and antisemitic hate crimes at the time.

Despite 23andMe’s public claims of robust security, the California Department of Justice’s investigation found the company ignored known vulnerabilities, failed to detect the attack for months, and neglected basic safeguards against credential stuffing. Even after the breach was exposed, 23andMe downplayed its severity, falsely asserting that no internal systems were compromised and that the stolen "DNA Relatives" data was effectively public. Meanwhile, the company was secretly negotiating a ransom payment with the hacker, who revealed multiple security flaws during the process.
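The two paragraphs above describe the technique (credential stuffing against reused passwords) and the finding that basic safeguards and timely detection were missing. The following is an added example, not code from 23andMe, the California Department of Justice or Rankiteo, showing one of the basic detections a login service can run: group authentication events by source address over a sliding window and flag sources that try many distinct usernames with a high failure rate, then list the accounts that did authenticate from that source so they can be reset and their sessions revoked. The log format and all sample lines are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The line format is an
# assumption made for this example:
#   <ISO-8601 timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
# 203.0.113.7 cycles through many distinct accounts in a few seconds, the
# signature of a password list replayed from an earlier breach; the other two
# addresses show ordinary single-user logins.
SAMPLE_LOG = """\
2023-05-01T10:00:01+00:00 203.0.113.7 user01@example.com LOGIN_FAIL
2023-05-01T10:00:02+00:00 203.0.113.7 user02@example.com LOGIN_FAIL
2023-05-01T10:00:03+00:00 203.0.113.7 user03@example.com LOGIN_OK
2023-05-01T10:00:04+00:00 203.0.113.7 user04@example.com LOGIN_FAIL
2023-05-01T10:00:05+00:00 203.0.113.7 user05@example.com LOGIN_FAIL
2023-05-01T10:00:06+00:00 203.0.113.7 user06@example.com LOGIN_FAIL
2023-05-01T10:00:07+00:00 203.0.113.7 user07@example.com LOGIN_OK
2023-05-01T10:00:08+00:00 203.0.113.7 user08@example.com LOGIN_FAIL
2023-05-01T10:01:00+00:00 198.51.100.20 bob@example.com LOGIN_FAIL
2023-05-01T10:01:20+00:00 198.51.100.20 bob@example.com LOGIN_OK
2023-05-01T10:02:00+00:00 192.0.2.33 carol@example.com LOGIN_OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that attempt many distinct usernames with mostly failures
    inside a sliding time window. Thresholds are illustrative assumptions.

    Returns {ip: summary} where summary includes the accounts that logged in
    successfully from the flagged source (candidates for password reset and
    session revocation)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "LOGIN_FAIL")
            if len(users) >= min_distinct_users and fails / len(span) >= min_fail_ratio:
                # Keep overwriting so the widest qualifying window is reported.
                findings[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / len(span), 2),
                    "compromised_accounts": sorted(
                        u for _, u, r in span if r == "LOGIN_OK"),
                }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In a real deployment the same signal would drive rate limiting or a step-up challenge on the login endpoint, and the `compromised_accounts` list is the input to forced password resets and session invalidation; the distinct-user count is what separates stuffing from a single user mistyping a password, which is why the two legitimate addresses in the sample are not flagged.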

The lawsuit alleges violations of California’s Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act, citing 23andMe’s failure to implement reasonable security measures and its deceptive statements about the breach. The case is separate from an ongoing bankruptcy dispute over the potential sale of Californians’ genetic data.

Source: https://oag.ca.gov/news/press-releases/attorney-general-bonta-sues-chrome-holding-co-formerly-known-23andme-over-2023

Chrome Holdings Ltd. cybersecurity rating report: https://www.rankiteo.com/company/chrome-holdings-ltd-

{
  "id": "CHR1779992999",
  "linkid": "chrome-holdings-ltd-",
  "type": "Breach",
  "date": "10/2023",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "7,000,000 (855,541 Californians)",
      "industry": "Healthcare / Biotechnology",
      "location": "California, USA",
      "name": "Chrome Holding Co. (formerly 23andMe)",
      "type": "Genetic Testing Company"
    }
  ],
  "attack_vector": "Credential Stuffing",
  "data_breach": {
    "data_exfiltration": true,
    "number_of_records_exposed": "7,000,000",
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (genetic and personal data)",
    "type_of_data_compromised": [
      "Genetic health predispositions",
      "Ancestry details",
      "Family histories",
      "Ethnicity data",
      "Personally identifiable information"
    ]
  },
  "date_detected": "2023",
  "description": "California Attorney General Rob Bonta filed a lawsuit against genetic testing company Chrome Holding Co. (formerly 23andMe) for failing to protect sensitive customer data and misleading the public about a 2023 data breach that compromised nearly 7 million users, including 855,541 Californians. The breach exposed genetic health predispositions, ancestry details, family histories, and ethnicity data, which was later sold on the dark web.",
  "impact": {
    "brand_reputation_impact": "Significant (allegations of deceptive statements and security failures)",
    "data_compromised": "Genetic health predispositions, ancestry details, family histories, ethnicity data, personally identifiable information",
    "identity_theft_risk": "High (genetic and personal data exposed)",
    "legal_liabilities": "Violations of California’s Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and California Consumer Privacy Act"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": true,
    "entry_point": "Credential stuffing (reused passwords from prior breaches, including 2021 MyHeritage incident)",
    "high_value_targets": ["Asian American", "Pacific Islander", "Jewish users"],
    "reconnaissance_period": "Five months (undetected)"
  },
  "investigation_status": "Ongoing (lawsuit filed)",
  "motivation": "Data exfiltration and sale on dark web",
  "post_incident_analysis": {
    "root_causes": [
      "Failure to implement basic safeguards against credential stuffing",
      "Ignored known vulnerabilities",
      "Delayed detection of the attack (five months)",
      "Coding vulnerability in 'DNA Relatives' feature"
    ]
  },
  "ransomware": {
    "data_exfiltration": true,
    "ransom_paid": "Negotiated (details undisclosed)"
  },
  "references": [{"source": "California Attorney General Lawsuit"}],
  "regulatory_compliance": {
    "legal_actions": "Lawsuit filed by California Attorney General",
    "regulations_violated": [
      "California’s Genetic Information Privacy Act",
      "Reasonable Data Security Law",
      "False Advertising Law",
      "Unfair Competition Law",
      "California Consumer Privacy Act"
    ]
  },
  "response": {
    "communication_strategy": "Downplayed severity, falsely asserted no internal systems were compromised"
  },
  "title": "California AG Sues 23andMe Over Massive Data Breach Exposing Genetic and Personal Data of 7 Million Users",
  "type": "Data Breach",
  "vulnerability_exploited": "Coding vulnerability in the 'DNA Relatives' feature"
}