California Attorney General Rob Bonta has filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, alleging the company failed to implement reasonable security measures, resulting in a significant data breach in 2023 that impacted nearly 7 million users. The lawsuit claims the breach exposed sensitive genetic information, family histories, health conditions, and ancestry reports belonging to 850,000 Californians.
According to the lawsuit and multiple sources, the breach was carried out through credential stuffing, in which attackers reused credentials stolen in earlier breaches of other services, such as one involving MyHeritage. The intrusion went undetected for five months before being discovered through listings on the dark web, where data on Asian-Pacific Islander and Jewish users was being offered for sale. The targeted nature of these sales has raised significant concerns about potential misuse and discrimination.
The lawsuit asserts that 23andMe neglected critical security controls, including multifactor authentication and robust password reset procedures. The company also had a critical coding error in its ‘DNA Relatives’ feature, which further contributed to the exposure of raw genetic data. The breach’s impact extends beyond personal data, potentially revealing insights into family lineage and predisposition to certain health conditions.
23andMe, which filed for bankruptcy in 2025 and subsequently rebranded as Chrome Holding Co., is now facing legal repercussions for what the Attorney General’s office considers a systemic failure to protect user data. The lawsuit seeks damages and injunctive relief to ensure that Chrome Holding Co. implements stronger security measures to prevent future breaches. The incident underscores the growing importance of safeguarding sensitive genetic information and the need for greater corporate accountability in data security practices.
The timeline of events shows that 23andMe confirmed the data breach in October 2023. The company’s failure to promptly address the vulnerabilities and notify affected users has been a key point of criticism. SecurityWeek reports that the dark web listings of the stolen data were first observed recently, initiating a period of investigation that ultimately led to the current legal action.