June 1, 2026

California sues 23andMe for cybersecurity deficiencies linked to 2023 data breach

California Attorney General Rob Bonta recently announced that he filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, for failing to take “basic steps” to protect consumers’ sensitive data, including genetic data and personal information regarding their health, ancestry, and ethnicity. The suit arises from a 2023 data breach that affected nearly 7 million users across the United States, including 855,541 California residents. The breach involved a threat actor who used a well-known “credential stuffing” cyberattack to access approximately 14,000 customer accounts and then exploited a critical coding error in 23andMe’s “DNA Relatives” feature to steal data for millions of additional users. The threat actor allegedly operated undetected within 23andMe’s systems for more than five months and was able to steal personal data, including ancestry reports, ethnicity information, genetic relationship data, and in some cases raw DNA.

According to the complaint, which was filed on May 27, 2026, the company only started investigating the breach after the stolen data was offered for sale on the dark web and the attacker demanded a ransom. The threat actor allegedly threatened to sell targeted data belonging to Asian American and Pacific Islander and Ashkenazi Jewish users during a period of heightened hate and violence against those communities. The company ultimately paid the threat actor $400,000 in cryptocurrency, according to the complaint. The ransom was allegedly paid in exchange for help remediating the breach, which included deleting the stolen data, removing damaging posts from the internet, disclosing the system vulnerabilities that were found, and providing a cover story that mitigated the severity of the breach.

The complaint alleges that 23andMe ignored known vulnerabilities before the breach and made misleading public statements both before and after the breach. The company is also accused of downplaying the severity of the breach, shifting blame to its customers, and secretly negotiating a ransom payment while assuring the public that no data security incident had occurred within its systems. State prosecutors also accuse 23andMe of not taking basic, reasonable steps to secure consumers’ sensitive data by failing, among other things, to require multi-factor authentication or to screen customer passwords against known breached credentials, and by maintaining a standard security policy that failed to account for the unique privacy risks associated with genetic data or ancestry research. According to the AG’s Office, the defendant’s actions violated California’s Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act.

The AG’s Office also emphasized that this action is separate from the Attorney General’s pending challenge in U.S. Bankruptcy Court regarding the sale of Californians’ genetic information and material in bankruptcy.

California AG Press Release | Complaint