California AG Sues 23andMe Successor Over 2023 Data Breach
California Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co., formerly 23andMe, alleging the company failed to protect sensitive user data in a 2023 breach that impacted nearly 7 million people.
The lawsuit seeks civil penalties and injunctions to prevent further violations of California's privacy protection laws.
Key Details
The breach occurred in 2023 and involved credential stuffing, in which attackers try username and password pairs leaked from other services against a login page, exploiting weak or reused passwords. Attackers used stolen credentials from a 2017 MyHeritage breach; 23andMe did not require password resets or multifactor authentication.
The company detected the breach only after attackers offered data for sale on the dark web and demanded a ransom. Stolen data included raw genetic data, health reports, and family relationship information.
The lawsuit states that 23andMe ignored red flags, such as a spike in login attempts in July and a Reddit post about a breach in August. In October 2023, data appeared for sale that specifically targeted Asian-Pacific Islander and Ashkenazi Jewish users.
23andMe agreed to a $30 million class-action settlement, later raised to $50 million, which received final approval in January 2025.
Background
23andMe filed for bankruptcy in March 2025 and rebranded as Chrome Holding Co. The California Attorney General also intervened during bankruptcy to ensure compliance with the Genetic Information Privacy Act.
Statements
Attorney General Rob Bonta said the sale of genetic data on the dark web occurred amid rising anti-Asian and antisemitic hate, calling it "disturbing and incredibly dangerous."
The lawsuit alleges that the company misled consumers about the severity of the breach. 23andMe did not immediately respond to a request for comment.