VYPR
breach · Published May 29, 2026 · 3 sources

California Sues 23andMe Over 2023 Data Breach Exposing Genetic Data of 6.9 Million Users

California Attorney General Rob Bonta has sued 23andMe, now Chrome Holding Co., alleging the company failed to implement basic security measures like multi-factor authentication, leading to a 2023 credential-stuffing attack that compromised 6.9 million user accounts.

California Attorney General Rob Bonta filed a lawsuit on May 29, 2026, against Chrome Holding Co., the entity that 23andMe rebranded under after filing for bankruptcy in March 2026. The lawsuit alleges that the genetic testing company failed to protect user data in a 2023 breach that exposed sensitive genetic and personal information of millions of users.

The breach, which occurred in October 2023, was the result of a credential-stuffing attack. Attackers used usernames and passwords stolen from other platforms to access 23andMe accounts, exploiting the company's failure to implement multi-factor authentication (MFA). The lawsuit claims that 23andMe knew about the risk of credential-stuffing attacks but did not take adequate steps to prevent them.

The compromised data included ancestry information, health-related genetic reports, and personal details such as names, birth years, and geographic locations. Attackers specifically targeted users of Ashkenazi Jewish and Chinese descent, aggregating and selling the data on underground forums. In total, 6.9 million user accounts were affected, representing nearly half of 23andMe's customer base at the time.

The state of California is seeking civil penalties and injunctive relief under the California Consumer Privacy Act (CCPA) and other state consumer protection laws. The lawsuit argues that 23andMe's failure to secure sensitive genetic data constitutes a violation of users' privacy rights and state regulations. The case highlights the unique risks associated with genetic data, which, unlike a password, cannot be changed once exposed.

23andMe's financial troubles have compounded the fallout from the breach. The company filed for Chapter 11 bankruptcy in March 2026, citing mounting legal costs and declining revenue. The rebranding to Chrome Holding Co. was part of a restructuring effort, but the lawsuit underscores that the company's legal liabilities persist. The California Attorney General's office has indicated that it will pursue the case aggressively, regardless of the company's bankruptcy status.

This lawsuit is one of several legal actions stemming from the 2023 breach. A class-action lawsuit filed by affected users is ongoing, and federal regulators, including the Federal Trade Commission, have also investigated the incident. The case serves as a cautionary tale for companies handling sensitive biometric and genetic data, emphasizing that failure to implement basic security measures like MFA can lead to catastrophic data exposure and significant legal consequences.

The lawsuit, filed against Chrome Holding Co. (formerly 23andMe), alleges that the company misled customers by downplaying the sensitivity of stolen data and blaming victims for reusing passwords, while simultaneously negotiating a ransom payment with the threat actor. The California AG's office also revealed that 23andMe failed to detect the intrusion for five months and still does not mandate multi-factor authentication by default. The 23andMe Research Institute, which now operates the platform, distanced itself from the lawsuit, stating it was not involved in the events described.

The lawsuit, filed by California AG Rob Bonta, specifically alleges that 23andMe violated the California Genetic Information Privacy Act, the California Reasonable Data Security Law, and the CCPA, among others. The complaint seeks civil penalties of $1,000 to $7,500 per violation and an injunction to prevent further violations. Bonta also criticized the company for misleading public statements before and after the breach, including downplaying the severity and blaming customers for password reuse.

Synthesized by Vypr AI