Chrome Holding Co.: California sues 23andMe over 7 million genetic profiles exposed in 2023 breach

California Sues 23andMe Over Massive Genetic Data Breach and Security Failures

California Attorney General Rob Bonta has filed a lawsuit against Chrome Holding Co. (formerly 23andMe Holding Co.) and its subsidiary ChromeCo, Inc. (formerly 23andMe, Inc.), alleging the company failed to protect the genetic data of nearly 7 million customers and misled the public about the severity of a 2023 breach. The complaint, filed on May 27, 2026, in San Francisco Superior Court, details a series of security lapses, a secret ransom payment, and deceptive public statements following one of the most sensitive data breaches in consumer genetics history.

The Breach: Five Months Undetected

The attack began in late April 2023, when a threat actor used credential stuffing (replaying username/password pairs leaked in earlier, unrelated breaches) to access 14,000 23andMe accounts whose owners had reused those passwords. The company had been aware of the 2017 MyHeritage breach, which exposed 92 million credentials, yet neither cross-checked its own customer accounts against known compromised passwords nor enforced multi-factor authentication (MFA).
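The two controls the complaint says were missing, a cross-check of customer passwords against known-breached credentials and enforced MFA, fit together at one point in the login flow: the only moment a service holds a plaintext password is when it verifies it, so that is where the breach lookup has to run. The following is an added example written for this page, not 23andMe's code or anything from the complaint. The breach corpus, the account store and the three demo users are constructed; the prefix-only lookup mirrors the k-anonymity range-query pattern that public breached-password services use, modelled locally so the code runs offline; the TOTP is a straight RFC 6238 implementation checked against the RFC's own test vector.

```python
"""Login-time breached-password screening with enforced TOTP (added example)."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for a corpus of passwords leaked in earlier breaches.
# In production this would be a k-anonymity range service (only the 5-char
# SHA-1 prefix leaves the server); it is modelled locally so the code runs offline.
CONSTRUCTED_BREACH_DUMP = ["password123", "qwerty", "letmein", "Summer2017!"]
# RFC 6238 reference secret ("12345678901234567890" in base32), used for the demo accounts.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Iterable[str]) -> Dict[str, List[str]]:
    """Index breached passwords by SHA-1 prefix, the way a range service does."""
    index: Dict[str, List[str]] = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def password_is_breached(password: str, index: Dict[str, List[str]]) -> bool:
    """Range query: look up by prefix only, match the suffix on our side."""
    digest = sha1_hex(password)
    return any(hmac.compare_digest(s, digest[5:]) for s in index.get(digest[:5], []))


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class AccountStore:
    """Minimal account table: salted PBKDF2 hashes plus an optional TOTP secret."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def create(self, username: str, password: str, totp_secret: Optional[str]) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._derive(password, salt),
                                "totp_secret": totp_secret, "must_reset": False}

    def verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            self._derive(password, b"\x00" * 16)  # keep timing flat for unknown users
            return False
        return hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"])


def login(store: AccountStore, index: Dict[str, List[str]], username: str,
          password: str, otp: Optional[str], now: int) -> Tuple[bool, str]:
    """Returns (granted, reason). The password is verified before the breach
    check so the check cannot serve as an oracle for guesses."""
    if not store.verify(username, password):
        return False, "bad_credentials"
    rec = store.users[username]
    # The plaintext is only available here, so this is where the cross-check
    # against known-breached passwords has to happen (or at password set/change).
    if password_is_breached(password, index):
        rec["must_reset"] = True
        return False, "password_in_breach_corpus_reset_required"
    if rec["totp_secret"] is None:
        return False, "mfa_enrollment_required"
    if otp is None or not hmac.compare_digest(otp, totp(rec["totp_secret"], now)):
        return False, "mfa_failed"
    return True, "ok"


def demo() -> List[Tuple[str, bool, str]]:
    """Four constructed login attempts; returns (label, granted, reason) rows."""
    index = build_range_index(CONSTRUCTED_BREACH_DUMP)
    store = AccountStore()
    store.create("alice", "password123", DEMO_TOTP_SECRET)        # reused, breached password
    store.create("bob", "correct horse battery staple", None)     # never enrolled in MFA
    store.create("carol", "correct horse battery staple", DEMO_TOTP_SECRET)
    now = 59  # RFC 6238 test instant; the TOTP for this secret is 287082
    good = totp(DEMO_TOTP_SECRET, now)
    return [
        ("alice", *login(store, index, "alice", "password123", good, now)),
        ("bob", *login(store, index, "bob", "correct horse battery staple", None, now)),
        ("carol", *login(store, index, "carol", "correct horse battery staple", good, now)),
        ("carol-bad-otp", *login(store, index, "carol", "correct horse battery staple", "000000", now)),
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two design points matter here. The breach lookup runs only after the password has verified, so an attacker cannot use it as a free oracle for guesses; and a hit forces a reset rather than merely warning, because a password already in a public dump is exactly the one a stuffing bot will try first. The reset-and-enroll step is the cheap version of what the complaint says 23andMe did not do until November 2023.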

A coding error in 23andMe's "DNA Relatives" feature then allowed the attacker to pivot from those 14,000 accounts to data on 6.9 million users, nearly half of its customer base. The breach exposed:

  • Raw genetic data, health reports, and self-reported conditions (for 14,000 directly compromised accounts).
  • Display names, birth years, ancestry reports, chromosomal data, and family tree links (for 5.5 million users via "DNA Relatives").
  • Location data and relationship details (for 1.4 million users via "Family Tree").

Approximately 855,541 affected customers were California residents.

Missed Warnings and a Secret Ransom

Despite multiple red flags, 23andMe took no action:

  • July 6, 2023: The company observed 1.3 million login attempts in a single day from one IP address (five times the site's normal daily login volume) but did not investigate.
  • August 11, 2023: A dark web post advertised stolen 23andMe data, and a Reddit user flagged the sale, but the company closed its investigation after just four days, concluding the data could have been obtained legitimately.
  • October 1, 2023: A sample of the stolen data, including 1.1 million records singling out users of Ashkenazi Jewish and Asian-Pacific Islander ancestry, appeared online during a period of rising hate crimes.
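The July 6 signal is the kind a simple per-source volume rule catches: one IP sending five times the site's whole normal daily volume is not a subtle anomaly. The following is an added example written for this page, not anything from 23andMe or the complaint. It aggregates a constructed authentication log (the line format, the RFC 5737 documentation addresses and the traffic volumes are all invented) and applies two rules: a single IP whose daily attempts reach a multiple of the site-wide median from the preceding days, and a single IP cycling through many distinct usernames with a high failure ratio, which is the credential-stuffing shape even when the volume stays under the radar.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, Set

# Constructed log format, one authentication attempt per line (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z auth result=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


class IpDay:
    """Per-(day, source IP) counters."""
    __slots__ = ("attempts", "failures", "users")

    def __init__(self) -> None:
        self.attempts = 0
        self.failures = 0
        self.users: Set[str] = set()


def aggregate(lines: Iterable[str]) -> Dict[str, Dict[str, IpDay]]:
    """Fold raw lines into {day: {ip: IpDay}}; non-matching lines are skipped."""
    stats: Dict[str, Dict[str, IpDay]] = defaultdict(lambda: defaultdict(IpDay))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event; a real pipeline would count parse misses
        rec = stats[m["day"]][m["ip"]]
        rec.attempts += 1
        if m["result"] == "fail":
            rec.failures += 1
        rec.users.add(m["user"])
    return stats


def detect(stats: Dict[str, Dict[str, IpDay]], volume_multiple: float = 5.0,
           lookback: int = 5, min_users: int = 50, fail_ratio: float = 0.8) -> List[dict]:
    """Evaluate each day in order against two rules:
    1. one source IP sends >= volume_multiple x the site's normal daily volume,
       where normal = median of total attempts over the previous `lookback` days;
    2. one source IP tries >= min_users distinct usernames with a failure
       ratio >= fail_ratio, regardless of absolute volume."""
    alerts: List[dict] = []
    days = sorted(stats)
    daily_totals = {d: sum(r.attempts for r in stats[d].values()) for d in days}
    for i, day in enumerate(days):
        prior = [daily_totals[d] for d in days[max(0, i - lookback):i]]
        baseline = median(prior) if prior else None
        for ip, rec in stats[day].items():
            reasons = []
            if baseline and rec.attempts >= volume_multiple * baseline:
                reasons.append(f"volume {rec.attempts} >= {volume_multiple}x site baseline {baseline}")
            ratio = rec.failures / rec.attempts
            if len(rec.users) >= min_users and ratio >= fail_ratio:
                reasons.append(f"{len(rec.users)} distinct users, fail ratio {ratio:.2f}")
            if reasons:
                alerts.append({"day": day, "ip": ip, "attempts": rec.attempts, "reasons": reasons})
    return alerts


def constructed_log() -> List[str]:
    """Synthetic data: five quiet days, then a burst from one IP on day six."""
    lines = []
    for day in range(1, 7):
        date = f"2023-07-{day:02d}"
        for n in range(100):  # normal traffic: 100 attempts/day spread over 50 IPs
            result = "fail" if n % 10 == 0 else "ok"
            lines.append(f"{date}T08:{n % 60:02d}:00Z auth result={result} "
                         f"user=u{n} ip=198.51.100.{n % 50 + 1}")
    for n in range(520):  # stuffing burst: 520 attempts, 500 distinct users, mostly failing
        result = "ok" if n % 26 == 0 else "fail"
        lines.append(f"2023-07-06T02:{n % 60:02d}:{n % 60:02d}Z auth result={result} "
                     f"user=victim{n % 500} ip=203.0.113.7")
    lines.append("2023-07-06T02:00:00Z kernel: unrelated line")  # ignored by the parser
    return lines


if __name__ == "__main__":
    for alert in detect(aggregate(constructed_log())):
        print(alert)
```

On the constructed data only 203.0.113.7 on 2023-07-06 fires, and it fires on both rules. The second rule is the one worth keeping even after an attacker spreads traffic across proxies: a per-IP success rate in the low single digits across hundreds of distinct usernames is stuffing, whatever the volume. The thresholds are assumptions and would be tuned against the real baseline.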

23andMe publicly denied a breach on October 6, 2023, claiming it had "no indication" of a security incident. Meanwhile, the company was privately negotiating with the attacker, ultimately paying a $400,000 ransom in cryptocurrency between October 8 and 25, 2023. In exchange, the threat actor agreed to destroy the data, disclose vulnerabilities, and provide a cover story, though it remains unclear whether the data was actually deleted.

The complaint outlines three major security failures:

  1. Failure to prevent credential stuffing – Despite years of industry warnings (including from the FTC, the California AG, and CIS), 23andMe did not enforce MFA until November 2023, after the breach had already exposed millions of customers.
  2. Coding error in "DNA Relatives" – A flaw allowed attackers to bypass restrictions and extract data on any opted-in user, not just genetic matches.
  3. Inadequate data protection policies – The company’s security framework did not specifically address genetic data, despite its permanent and immutable nature.
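The second failure is an authorization bug of a familiar shape: the server checked a property of the object being requested (the target had opted in) rather than the requester's entitlement to that particular object (the target is one of the requester's matches). The following is an added example written for this page; it is not 23andMe's code and the complaint does not describe the actual implementation. The profiles, the match rule (sharing at least one constructed segment label stands in for genetic similarity) and the per-account daily view budget are all assumptions. It puts the broken check beside the fixed one and lets a single compromised account try to walk every id through each.

```python
"""Opted-in relative lookup: the broken authorization check beside a fixed one (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass
class Profile:
    user_id: str
    display_name: str
    birth_year: int
    opted_in: bool
    # Constructed stand-in for genetic similarity: labels of shared DNA segments.
    segments: FrozenSet[str]


class AccessDenied(Exception):
    pass


class RelativesService:
    def __init__(self, profiles: List[Profile], daily_budget: int = 200) -> None:
        self.profiles: Dict[str, Profile] = {p.user_id: p for p in profiles}
        self.daily_budget = daily_budget      # assumption: defence-in-depth cap on views
        self.views: Dict[str, int] = {}       # profile views per requester today

    def matches(self, user_id: str) -> Set[str]:
        """Server-side match set: opted-in users sharing at least one segment."""
        me = self.profiles[user_id]
        return {p.user_id for p in self.profiles.values()
                if p.user_id != user_id and p.opted_in and me.segments & p.segments}

    @staticmethod
    def _view(p: Profile) -> dict:
        return {"user_id": p.user_id, "display_name": p.display_name, "birth_year": p.birth_year}

    def profile_vulnerable(self, requester_id: str, target_id: str) -> dict:
        """Authorizes on the target's opt-in flag alone. The requester's
        relationship to the target is never checked, so any logged-in account
        can walk the whole opted-in population by iterating over ids."""
        target = self.profiles.get(target_id)
        if target is None or not target.opted_in:
            raise AccessDenied("target not available")
        return self._view(target)

    def profile_fixed(self, requester_id: str, target_id: str) -> dict:
        """Authorizes on the server-computed match set, so the object the
        caller names must be one the caller is actually entitled to see."""
        requester = self.profiles[requester_id]
        if not requester.opted_in:
            raise AccessDenied("requester not opted in")
        if target_id not in self.matches(requester_id):
            raise AccessDenied("target not available")  # same message for unknown ids
        used = self.views.get(requester_id, 0)
        if used >= self.daily_budget:
            raise AccessDenied("daily view budget exhausted")
        self.views[requester_id] = used + 1
        return self._view(self.profiles[target_id])


def enumerate_with(service: RelativesService, requester_id: str,
                   handler: Callable[[str, str], dict]) -> List[str]:
    """One compromised account trying every id; returns the ids it could read."""
    seen: List[str] = []
    for tid in service.profiles:
        if tid == requester_id:
            continue
        try:
            handler(requester_id, tid)
            seen.append(tid)
        except AccessDenied:
            pass
    return seen


def constructed_service(daily_budget: int = 200) -> RelativesService:
    """Five constructed profiles; u1 is the attacker-controlled account."""
    return RelativesService([
        Profile("u1", "Compromised account", 1980, True, frozenset({"chr1:a"})),
        Profile("u2", "Genuine match", 1975, True, frozenset({"chr1:a", "chr7:x"})),
        Profile("u3", "Stranger", 1990, True, frozenset({"chr7:x"})),
        Profile("u4", "Stranger", 1962, True, frozenset({"chr12:q"})),
        Profile("u5", "Opted out", 1999, False, frozenset({"chr1:a"})),
    ], daily_budget)


if __name__ == "__main__":
    svc = constructed_service()
    print("vulnerable:", enumerate_with(svc, "u1", svc.profile_vulnerable))
    print("fixed:     ", enumerate_with(svc, "u1", svc.profile_fixed))
```

Through the vulnerable handler the compromised account reads every opted-in profile; through the fixed one it reads only its genuine match. The view budget is the secondary control: even a correct match check still hands each compromised account its full match list, so a cap on profile reads per account per day bounds how far 14,000 stolen logins can reach before someone notices. Returning the same denial for "not a match" and "no such user" keeps the endpoint from confirming which ids exist.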

The lawsuit alleges violations of:

  • Genetic Information Privacy Act (GIPA) – $1,000 per violation.
  • California Consumer Privacy Act (CCPA) – Up to $7,500 per intentional violation.
  • False Advertising Law & Unfair Competition Law – $2,500 per violation.

The Attorney General seeks injunctive relief, civil penalties, and equitable remedies, separate from 23andMe’s ongoing Chapter 11 bankruptcy proceedings.

Broader Implications

This case highlights California's aggressive enforcement of privacy laws, particularly for genetic and health data, which cannot be reset the way passwords or credit cards can. The breach underscores the unique risks of genetic data, not just for individuals but for their biological relatives, and the heightened security standards required of companies handling such sensitive information.

Source: https://ppc.land/california-sues-23andme-over-7-million-genetic-profiles-exposed-in-2023-breach/

Chrome Holdings Ltd. cybersecurity rating report: https://www.rankiteo.com/company/chrome-holdings-ltd-

{
  "id": "CHR1780223128",
  "linkid": "chrome-holdings-ltd-",
  "type": "Breach",
  "date": "5/2026",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '6.9 million users (855,541 '
                                              'California residents)',
                        'industry': 'Biotechnology / Health Technology',
                        'location': 'United States',
                        'name': 'Chrome Holding Co. (formerly 23andMe Holding '
                                'Co.) / ChromeCo, Inc. (formerly 23andMe, '
                                'Inc.)',
                        'size': 'Large (millions of customers)',
                        'type': 'Consumer Genetics Company'}],
 'attack_vector': 'Credential Stuffing',
 'customer_advisories': 'Initial denial, later acknowledgment of breach',
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '6.9 million users (1.1 million '
                                              'records advertised on dark web)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (genetic and health data)',
                 'type_of_data_compromised': ['Raw genetic data',
                                              'Health reports',
                                              'Self-reported conditions',
                                              'Ancestry reports',
                                              'Chromosomal data',
                                              'Family tree links',
                                              'Display names',
                                              'Birth years',
                                              'Location data',
                                              'Relationship details']},
 'date_detected': '2023-07-06',
 'date_publicly_disclosed': '2023-10-06',
 'description': 'California Attorney General Rob Bonta filed a lawsuit against '
                'Chrome Holding Co. (formerly 23andMe) alleging failure to '
                'protect genetic data of nearly 7 million customers and '
                'misleading the public about the severity of a 2023 breach. '
                'The breach exposed raw genetic data, health reports, ancestry '
                'information, and personal details through credential stuffing '
                "and a coding error in the 'DNA Relatives' feature.",
 'impact': {'brand_reputation_impact': 'Significant (misleading public '
                                       'statements, delayed disclosure)',
            'data_compromised': True,
            'financial_loss': '$400,000 (ransom paid)',
            'identity_theft_risk': 'High (genetic data, PII, health '
                                   'information)',
            'legal_liabilities': ['Violations of GIPA, CCPA, False Advertising '
                                  'Law, Unfair Competition Law'],
            'operational_impact': 'Investigation and remediation efforts, '
                                  'enforcement of MFA post-breach',
            'systems_affected': ['23andMe customer database',
                                 'DNA Relatives feature',
                                 'Family Tree feature']},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'entry_point': 'Credential stuffing (reused '
                                          'passwords)',
                           'high_value_targets': ['Ashkenazi Jewish users',
                                                  'Asian-Pacific Islander '
                                                  'users'],
                           'reconnaissance_period': 'April 2023 - October '
                                                    '2023'},
 'investigation_status': 'Ongoing (lawsuit filed, bankruptcy proceedings)',
 'lessons_learned': 'Need for stricter security measures for genetic data, '
                    'including MFA enforcement, regular credential '
                    'cross-checking, and specific data protection policies for '
                    'immutable genetic information.',
 'motivation': ['Data Exfiltration', 'Financial Gain (Ransom)'],
 'post_incident_analysis': {'corrective_actions': ['Enforced MFA',
                                                   "Fixed 'DNA Relatives' "
                                                   'feature vulnerability',
                                                   'Enhanced monitoring'],
                            'root_causes': ['Lack of MFA enforcement',
                                            "Coding error in 'DNA Relatives' "
                                            'feature',
                                            'Failure to cross-check '
                                            'credentials against known '
                                            'breaches',
                                            'Inadequate data protection '
                                            'policies for genetic data']},
 'ransomware': {'data_exfiltration': True,
                'ransom_paid': '$400,000 (cryptocurrency)'},
 'recommendations': ['Enforce MFA by default',
                     'Regularly cross-check customer credentials against known '
                     'breaches',
                     'Implement stricter access controls for genetic data '
                     'features',
                     'Develop specific security frameworks for genetic data',
                     'Improve incident response transparency'],
 'references': [{'source': 'California Attorney General Complaint'},
                {'source': 'Dark web post advertising stolen data'},
                {'source': 'Reddit user flagging data sale'}],
 'regulatory_compliance': {'legal_actions': ['Lawsuit filed by California '
                                             'Attorney General (May 27, 2026)'],
                           'regulations_violated': ['Genetic Information '
                                                    'Privacy Act (GIPA)',
                                                    'California Consumer '
                                                    'Privacy Act (CCPA)',
                                                    'False Advertising Law',
                                                    'Unfair Competition Law']},
 'response': {'communication_strategy': 'Initial denial of breach (October 6, '
                                        '2023), later acknowledgment',
              'containment_measures': ['Private ransom negotiation',
                                       'Enforcement of MFA in November 2023'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'remediation_measures': ["Fixing coding error in 'DNA Relatives' "
                                       'feature',
                                       'Enhanced monitoring post-breach']},
 'title': 'California Sues 23andMe Over Massive Genetic Data Breach and '
          'Security Failures',
 'type': 'Data Breach',
 'vulnerability_exploited': ['Reused passwords from previous breaches',
                             "Coding error in 'DNA Relatives' feature",
                             'Lack of multi-factor authentication (MFA)']}