California sues 23andMe over 2023 breach security failures

California’s attorney general sued the genetic testing company formerly known as 23andMe, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people nationwide. The lawsuit says the company’s lax security let attac
LOS ANGELES — The state’s case starts with a familiar pattern: stolen credentials, a quiet window of access, and data that doesn’t disappear once it’s taken.
On Thursday, California Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co., the company behind 23andMe after it rebranded following a bankruptcy filed last March. The suit alleges that 23andMe failed to protect sensitive user data during a 2023 breach that affected nearly 7 million people across the country.
23andMe, known for direct-to-consumer DNA test kits that give customers information on their ancestry and genetic predispositions for certain health conditions, acknowledged that the breach occurred in 2023. Prosecutors say about 14,000 accounts were accessed, and through those accounts attackers were able to steal the data of nearly 7 million customers.
The cyberattack, the complaint says, relied on “credential stuffing” — a method that takes advantage of customers’ tendency to use weak or common passwords or to reuse passwords between multiple accounts.
Bonta’s office is asking for civil penalties and court injunctions meant to block the company from further violations of California’s privacy protection laws. In the lawsuit, the state frames the central failure as preventable: the attack was one businesses should have known how to defend against.
The complaint says the attackers used stolen user account credentials, including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe’s former partners. After that earlier breach, the state alleges, 23andMe did not adopt common protective measures such as asking customers to reset their passwords or using multifactor authentication.
The timeline described in the complaint is especially stark. Prosecutors say 23andMe’s security measures were so lax that the threat actor was able to operate undetected within the company’s systems for over five months. They also say the company only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom.
In October 2023, the stolen data appeared for sale online, with the poster specifically touting that about 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users. In a press release, Bonta said the sale happened during a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence. “This is disturbing and incredibly dangerous,” he said.
The lawsuit says some of the stolen information included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.
After the public learned of the breach, the state argues, the story didn’t just involve what was taken. It also involved how 23andMe described it. The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company’s role in it.
23andMe, for its part, has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. The lawsuit disputes that account by pointing to alleged red flags that appeared months earlier, including a “suspicious spike in user login attempts” in July and a Reddit post in August that discussed a possible breach and sale of user data.
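The complaint describes credential stuffing (reused passwords tried across many accounts), the defensive steps it says were skipped (forced resets, multifactor authentication), and a “suspicious spike in user login attempts” that went uninvestigated. The script below is an added illustration, not code from the article or from 23andMe, of what a defender can compute from ordinary authentication logs to surface exactly that signal: a source that touches many different accounts, an hourly spike in attempts against the baseline, and the accounts whose stuffed credentials actually worked and therefore need a reset and step-up authentication. The log format and every sample line are constructed for this example.

```python
"""Credential-stuffing signals from login logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# The first hour is ordinary traffic; the second hour is one source trying a
# different account on every attempt, the signature of credential stuffing.
SAMPLE_LOG = """\
2023-07-01T09:00:10 198.51.100.7 carol@example.com OK
2023-07-01T09:05:42 198.51.100.8 dave@example.com OK
2023-07-01T09:12:03 198.51.100.9 erin@example.com FAIL
2023-07-01T09:12:20 198.51.100.9 erin@example.com OK
2023-07-01T10:00:01 203.0.113.5 alice@example.com FAIL
2023-07-01T10:00:02 203.0.113.5 bob@example.com FAIL
2023-07-01T10:00:03 203.0.113.5 frank@example.com FAIL
2023-07-01T10:00:04 203.0.113.5 grace@example.com FAIL
2023-07-01T10:00:05 203.0.113.5 heidi@example.com OK
2023-07-01T10:00:06 203.0.113.5 ivan@example.com FAIL
2023-07-01T10:00:07 203.0.113.5 judy@example.com FAIL
2023-07-01T10:00:08 203.0.113.5 mallory@example.com OK
2023-07-01T10:00:09 203.0.113.5 oscar@example.com FAIL
2023-07-01T10:00:10 203.0.113.5 peggy@example.com FAIL
2023-07-01T10:00:11 203.0.113.5 trent@example.com FAIL
2023-07-01T10:00:12 203.0.113.5 victor@example.com FAIL
2023-07-01T10:00:13 203.0.113.5 walter@example.com FAIL
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def stuffing_sources(events, min_distinct_users=5):
    """Source IPs that attempted many *different* accounts.

    Stuffing tries one leaked password per account across a list of accounts,
    so the signature is breadth of usernames per source, not repeated
    failures against a single account (which would look like brute force).
    """
    users_by_ip = defaultdict(set)
    fails_by_ip = defaultdict(int)
    for _, ip, user, result in events:
        users_by_ip[ip].add(user)
        if result == "FAIL":
            fails_by_ip[ip] += 1
    return {ip: {"distinct_users": len(users), "failures": fails_by_ip[ip]}
            for ip, users in users_by_ip.items() if len(users) >= min_distinct_users}


def login_attempt_spike(events, factor=3.0):
    """Hourly attempt counts and the hours exceeding `factor` times the median
    of the other hours. Returns (counts_by_hour, sorted list of spike hours)."""
    counts = defaultdict(int)
    for ts, *_ in events:
        counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    spikes = []
    for hour, n in counts.items():
        others = sorted(v for h, v in counts.items() if h != hour)
        if not others:
            continue  # a single hour has no baseline to compare against
        median = others[len(others) // 2]
        if n > factor * median:
            spikes.append(hour)
    return dict(counts), sorted(spikes)


def likely_compromised_accounts(events, suspicious_ips):
    """Accounts with a successful login from a flagged source: the reused
    credentials that worked. These are the accounts to force-reset and to
    step up with multifactor authentication."""
    return sorted({user for _, ip, user, result in events
                   if result == "OK" and ip in suspicious_ips})


def analyze(text):
    """Run all three checks over a log and return a report dict."""
    events = parse_log(text)
    sources = stuffing_sources(events)
    _, spikes = login_attempt_spike(events)
    compromised = likely_compromised_accounts(events, set(sources))
    return {"sources": sources, "spike_hours": spikes, "compromised": compromised}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, stats in report["sources"].items():
        print(f"stuffing source {ip}: {stats['distinct_users']} accounts, "
              f"{stats['failures']} failures")
    for hour in report["spike_hours"]:
        print(f"login attempt spike at {hour.isoformat()}")
    print("force password reset + MFA for:", ", ".join(report["compromised"]))
```

The thresholds (five distinct accounts per source, a threefold jump over the median hour) are placeholders chosen for the constructed data; in production they would be tuned against a site’s normal traffic and the hourly check would run against a rolling baseline rather than the other hours of the same file. The point the complaint makes is that the signal exists in logs a company already keeps; the cost is in looking.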
Genetic data, the complaint says, requires “one of the highest levels of protection.” It also says California law mandates a heightened legal obligation to protect genetic information.
The state’s involvement doesn’t end with the breach. Bonta also intervened during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. The lawsuit notes that the sale was allowed to proceed.
The case now moves into the courts, with Bonta’s demand aimed at both accountability and limits — a push to prevent what he alleges was a preventable failure from happening again.
So they’re suing like it wasn’t their customers’ passwords too?
I always knew those DNA tests were sketchy. Like why do they even need all that data anyway, nearly 7 million?? that’s insane.
Wait I thought 23andMe already fixed all that after bankruptcy. Also “credential stuffing” sounds like something from a movie lol. If they were hacked in 2017 creds too then it’s basically just a domino effect, not their fault right?
Rob Bonta going after them makes sense but I’m confused… rebranded after bankruptcy? so who even owns them now? If attackers got in through stolen credentials, then why didn’t 23andMe just require stronger passwords or MFA? Hope they shut them down for real, because data shouldn’t follow people forever.