California sues 23andMe over 2023 data breach affecting 7 million users

Chrome Holding Co., the company formerly known as 23andMe, is facing a lawsuit from California Attorney General Rob Bonta over a massive 2023 security breach that compromised millions of users’ genetic data. The lawsuit filed by Bonta accuses the company of misleading customers and failing to protect their sensitive personal information and genetic data related to health, genetic predispositions, biological relatives, ancestry and ethnicity.

The incident affected 7 million users across the US, including 855,541 California residents. 23andMe, which offered customers DNA testing kits to discover ancestral origins and genetic health risks, admitted that bad actors accessed user accounts through credential stuffing – a common cyberattack method using stolen passwords.

This lawsuit highlights the growing scrutiny of genetic testing companies and their data security practices. As DNA testing becomes more popular, the stakes for protecting this highly sensitive information continue to rise. Genetic data is particularly valuable to criminals because, unlike a credit card number, it cannot be changed once exposed, which makes breaches of it especially damaging for victims.

Bonta argues that companies handling genetic data should know to guard against credential stuffing attacks. In this case, hackers used credentials stolen from previous data breaches, including an attack on MyHeritage, another genealogy website that partnered with 23andMe. The lawsuit claims that despite knowing about the MyHeritage breach, 23andMe never checked or prevented users from reusing their compromised credentials – even though the company encouraged customers to sign up for MyHeritage accounts.

The attack involved multiple security failures. Hackers first used credential stuffing to break into 14,000 accounts, then exploited a vulnerability in the website’s DNA Relatives feature to access data from millions more customers. According to Bonta, the company’s security measures were so inadequate that hackers operated undetected for five months. The company only began investigating after the attackers started selling stolen user data on the dark web and demanding ransom payments.
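The two control gaps the lawsuit describes, undetected credential stuffing and no check for reuse of credentials leaked in an earlier breach, are both things a login service can screen for. The following is an added illustration written for this article, not code from 23andMe or from the complaint; the log entries, IP addresses and breached-password corpus are constructed, and the thresholds are assumptions a real deployment would tune.

```python
import hashlib
from collections import defaultdict

# Constructed sample authentication log (not real data): (source_ip, username, outcome).
# One source walks through many different accounts with mostly failures, which is the
# shape of a stuffing run; the other sources look like ordinary users.
AUTH_LOG = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "success"),
    ("198.51.100.2", "alice", "fail"),
    ("198.51.100.2", "alice", "success"),
    ("192.0.2.9", "grace", "success"),
]

def stuffing_sources(log, min_accounts=5, min_fail_ratio=0.5):
    """Return source IPs that attempted many distinct accounts with mostly failures.
    A real user retries one or two accounts; a stuffing tool tries one stolen
    password per account across a long list, so account breadth is the signal.
    Thresholds are assumed values for this illustration."""
    per_src = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for src, user, outcome in log:
        rec = per_src[src]
        rec["users"].add(user)
        rec["total"] += 1
        if outcome == "fail":
            rec["fails"] += 1
    return sorted(
        src for src, r in per_src.items()
        if len(r["users"]) >= min_accounts and r["fails"] / r["total"] >= min_fail_ratio
    )

# Constructed corpus of SHA-1 hashes of passwords exposed in an earlier breach
# (for instance a partner site's leak). A production service would query a
# breached-password dataset rather than keep a small in-memory set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "letmein", "qwerty")
}

def credential_is_compromised(password):
    """True if the password is in the known-breached corpus. Reject it at signup
    or password change, and require a reset when a login succeeds with it."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1
```

Flagged sources are candidates for rate limiting and an alert, not automatic proof of compromise; the compromised-credential check is what closes the reuse gap the complaint describes.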

The lawsuit also accuses 23andMe of downplaying the severity of the breach when notifying customers. Bonta claims the company omitted critical information and falsely suggested that the stolen DNA Relatives data was “essentially public.” Meanwhile, the company was secretly negotiating with hackers who were specifically highlighting data from Asian American, Pacific Islander, and Jewish users in their dark web sales listings.

“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence – and explicitly called attention to the deeply personal and identifying nature of that information,” Bonta wrote. “This is disturbing and incredibly dangerous.”

23andMe’s troubles have mounted since the breach. The company filed for bankruptcy in March 2025 and faced a separate class-action lawsuit from affected customers. A judge overseeing the bankruptcy proceedings approved a $50 million settlement earlier this year, though this new California lawsuit represents additional legal pressure on the struggling genetic testing company.