23andMe Sued by California Over 2023 Credential‑Stuffing Data Breach That Exposed Nearly 7 Million Users
California sues 23andMe (now Chrome Holding Co.) over a 2023 credential‑stuffing breach that exposed genetic and ancestry data of nearly 7 million customers.
A major data breach and a new lawsuit
23andMe, the consumer genetics testing company whose mail‑in kits once defined the direct‑to‑consumer DNA testing market, is the subject of a civil suit filed by California Attorney General Rob Bonta alleging the company failed to protect customers’ sensitive personal information during a large 2023 data breach. The complaint, filed in San Francisco Superior Court against Chrome Holding Co., the entity formerly known as 23andMe, accuses the company of failing to investigate and respond to warnings that its systems had been compromised and of allowing attackers prolonged access to customer data.
The case centers on a credential‑stuffing attack in 2023 that, according to the complaint, allowed intruders to access and exfiltrate the personal and genetic information of more than 6.9 million people. The Attorney General’s office says the intruders operated undetected inside 23andMe’s systems for over five months and that the company only began an investigation after the attacker offered the stolen data for sale on the dark web and contacted 23andMe with a ransom demand.
What 23andMe provided to customers
23andMe built its business around inexpensive mail‑in genetic test kits that let consumers submit a saliva sample and receive a report on ancestry, potential relatives and some genetic traits. At its height the service was widely recognized as one of the best‑known names in DNA self‑testing, with kits retailing for about $99 and the company raising profile and capital through a public offering in 2021 valued at roughly $3.5 billion. The service’s core value proposition was straightforward: customers sent genetic material and received an analysis that included ancestry breakdowns and possible connections to relatives.
How the attackers gained access and what was taken
The breach is described in the complaint as a credential‑stuffing attack — a technique that repurposes lists of username‑password pairs stolen from unrelated breaches and attempts to use them across multiple services. The Attorney General’s filing says that over a span of months attackers used this method to access accounts and extract data, ultimately obtaining personal and ancestry information for more than 6.9 million customers.
23andMe revealed publicly in October 2023 that hackers had accessed customer information during this prolonged intrusion, and that the attack had targeted customers with Chinese or Ashkenazi Jewish ancestry. The complaint notes that the stolen data for more than one million users of Asian‑Pacific Islander and Ashkenazi Jewish descent was subsequently posted for sale on the dark web. The Attorney General’s office highlighted the timing of that sale, saying it occurred during a period of rising anti‑Asian American and Pacific Islander and antisemitic hate and violence, and called the availability of that data “disturbing and incredibly dangerous.”
Allegations in the California lawsuit
Rob Bonta’s complaint accuses Chrome Holding Co. of failing to adequately investigate earlier warnings that its systems were compromised and of not taking effective steps to stop the intruder’s activity as it continued for months. The filing states the company’s security measures were insufficiently robust to detect and expel the attacker, and that meaningful investigative or remedial steps did not begin until the attacker tried to monetize the data by offering it for sale and demanding a ransom.
The suit seeks to hold the company accountable for its alleged failures to protect highly sensitive data tied to customers’ genetic information and ancestry. The Attorney General’s office framed the breach as not just a privacy violation but also a potential public safety concern because of how the compromised data intersected with identifiable demographic groups.
Earlier litigation and settlements tied to the breach
This lawsuit follows prior litigation alleging inadequate protections and disclosures. In January 2024, a separate lawsuit accused the company of not doing enough to protect customers and of failing to notify certain customers that they had been specifically targeted. That case was later resolved with a settlement of $30 million. The new action by the California Attorney General represents a distinct state enforcement effort focused on consumer protection and data security obligations.
Corporate trajectory after the breach
The data breach and subsequent legal and financial fallout coincided with a rapid change in 23andMe’s corporate fortunes. After its high‑profile public offering in 2021, momentum around the company slowed. According to the complaint and follow‑on reporting, the company eventually filed for bankruptcy in 2025. In the months after the bankruptcy filing, the company’s assets were acquired in a transaction last July by TTAM Research Institute, a nonprofit led by Anne Wojcicki, who co‑founded 23andMe and previously served as its CEO. That acquisition was completed for $305 million. The Attorney General’s lawsuit names Chrome Holding Co. as the defendant, the corporate identity the business now operates under.
Public safety and targeted exposures
The complaint underscores the sensitive nature of genetic and ancestry data and the potential harms that flow from its unauthorized disclosure. The Attorney General’s office called particular attention to the fact that the stolen data disproportionately affected users of Chinese or Ashkenazi Jewish ancestry and that the data sale coincided with a period of increased antisemitic and anti‑Asian violence. Those circumstances, the office said, elevated the gravity of the breach beyond typical privacy concerns into a realm of heightened risk for targeted groups.
What consumers and affected users should know
According to the information in the filing and 23andMe’s disclosures from October 2023, the breach affected millions of account holders on the company’s platform. The company previously disclosed that customers with certain ancestry markers were among those targeted and that data for over one million users from those ancestry groups appeared for sale online. Consumers who relied on 23andMe for ancestry information, genetic trait reports or relative matching were therefore among the impacted cohorts.
23andMe representatives did not immediately respond to requests for comment, per reporting accompanying the lawsuit filing.
Implications for data security, consumer genetics, and related industries
The California lawsuit and the facts it recounts speak to broader tensions facing businesses that store highly sensitive personal information and rely on account‑based access controls. Credential‑stuffing attacks leverage reused passwords and stolen credentials from unrelated breaches; they remain a persistent threat for platforms that authenticate users with usernames and passwords. The allegations that attackers were able to operate inside systems for months before the company mounted a substantive investigation highlight the importance of threat detection, log monitoring and rapid incident response capabilities for companies that handle sensitive biometric or genetic information.
For the consumer genetics space and adjacent sectors — including healthcare applications, research databases, and personal‑data‑driven services — the case emphasizes how data protection failures can produce reputational harm, regulatory enforcement, civil liability and downstream business consequences such as bankruptcy and asset sales. Developers and security teams building products that collect and analyze personal data face pressure to combine traditional defenses like multi‑factor authentication and credential hygiene with specialized protections for uniquely sensitive datasets.
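As an added example, not part of the article or of the complaint, the following Python sketches the kind of log‑monitoring check the passage above calls for: it scans constructed authentication log lines (the log format, the addresses and the thresholds are all assumptions) and flags source addresses whose pattern, many distinct accounts each tried about once with a low but non‑zero success rate, is the signature of credential stuffing rather than of one user mistyping a password or of a brute‑force attack on a single account.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from 23andMe or the complaint).
# Assumed format: "<timestamp> ip=<source> user=<account> result=<ok|fail>".
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=198.51.100.7 user=alice result=fail
2023-05-01T10:00:02Z ip=198.51.100.7 user=bob result=fail
2023-05-01T10:00:03Z ip=198.51.100.7 user=carol result=ok
2023-05-01T10:00:04Z ip=198.51.100.7 user=dave result=fail
2023-05-01T10:00:05Z ip=198.51.100.7 user=erin result=fail
2023-05-01T10:00:06Z ip=198.51.100.7 user=frank result=ok
2023-05-01T10:05:00Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:05:30Z ip=203.0.113.5 user=alice result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def parse(log):
    """Yield (source_ip, account, succeeded) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") == "ok"


def stuffing_sources(log, min_accounts=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that look like credential stuffing.

    Credential stuffing replays leaked username/password pairs, so one source
    touches many distinct accounts roughly once each and succeeds only where
    the password was reused. A legitimate user hits one or two accounts; a
    brute-forcer hammers one account repeatedly. Thresholds are assumptions.
    The 'compromised' list is the set of accounts that should be reset and
    reviewed, because a login from the flagged source succeeded.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for ip, user, ok in parse(log):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok"].add(user)
    flagged = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        rate = len(s["ok"]) / s["attempts"]
        if distinct >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"distinct_accounts": distinct,
                           "success_rate": round(rate, 2),
                           "compromised": sorted(s["ok"])}
    return flagged
```

In the sample, 198.51.100.7 is flagged (six accounts, two successes) while 203.0.113.5, one user retrying once, is not; in production the same aggregation would run over a sliding time window and key on subnets or device fingerprints as well as single addresses.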
Who can use services like 23andMe and what the service did
23andMe’s product was aimed at consumers seeking personal insights: individuals purchased kits, collected saliva samples, and mailed them to company labs for genotyping. The resulting reports offered users breakdowns of ancestry, possible connections to relatives, and certain trait or carrier‑status information. Pricing for kits was commonly cited around the $99 mark. The market for such services spans casual consumers, hobbyist genealogists, and people interested in family discovery; it also intersects with research and clinical communities for certain types of aggregated or consented data uses.
Why the case matters to businesses and regulators
The complaint filed by California’s Attorney General highlights the role of state regulators in enforcing data security protections and underscores that companies handling sensitive personal data can face legal consequences for failing to detect and respond to intrusions. The case will be watched by companies in consumer genetics, health tech and other data‑intensive fields as a potential bellwether for how state enforcement treats long‑running intrusions and alleged failures to act after being warned.
What the lawsuit alleges the company failed to do
Central to the Attorney General’s allegations is the claim that 23andMe did not properly investigate or respond to earlier warnings of compromise. The complaint says security measures were insufficient to detect and stop the attacker’s activities, that internal detection failed for an extended period, and that substantial data exfiltration occurred before the company took investigative or remedial steps. The filing also notes that the company’s public acknowledgment of the breach came in October 2023 and that the sale of stolen data later appeared on the dark web.
Regulatory and industry context for genetic data protection
Genetic and ancestry information raises distinct privacy and ethical questions because it is both highly personal and inherently shared across familial lines. Regulators and consumer protection authorities tend to treat genetic data as sensitive, and the California suit frames the problem in terms of consumer protection and potential harm to groups whose data was specifically implicated. For companies in genomics, health‑adjacent platforms, identity services and broader data ecosystems, the case signals heightened scrutiny of how credential reuse, authentication practices, and breach detection controls are implemented and overseen.
The incident also reminds businesses that data breaches can trigger layered consequences: civil suits from state attorneys general, class actions or settlements from affected users, reputational damage that depresses business prospects, and, in extreme cases, insolvency or asset sales.
Legal and practical next steps for affected parties
The California Attorney General’s filing begins a state enforcement action whose procedural arc will play out in San Francisco Superior Court. Prior litigation linked to the same breach produced a $30 million settlement in January 2024, but the new lawsuit represents a distinct effort by the state to seek accountability for alleged systemic failures in investigation and security. Affected customers and observers will be watching for any court findings about the adequacy of the company’s security posture and incident response, and for any remedial orders or penalties that might emerge from the case.
The complaint’s allegations and the earlier settlement demonstrate that companies facing similar incidents may need to plan for parallel regulatory and civil exposures, conduct thorough incident response and communication, and reassess identity and access controls to mitigate credential‑based attacks.
The reporting accompanying the filing notes that 23andMe did not immediately respond to requests for comment, and that the company’s assets were sold last July to TTAM Research Institute, a nonprofit led by Anne Wojcicki, for $305 million following the company’s bankruptcy filing in 2025.
Looking ahead, this lawsuit, settlements tied to the same breach and the company’s subsequent bankruptcy and asset sale together illustrate the potential for technical security failures to produce long‑lasting legal, financial and operational consequences for businesses that steward highly sensitive consumer data. The case will likely inform how regulators, corporate security teams and product designers think about authentication, detection and protections for biometric and genetic datasets in years to come.