California Attorney General Rob Bonta has filed suit against the corporate successor to 23andMe over the 2023 data breach that exposed the genetic information of nearly seven million customers. The complaint, filed May 27, 2026 in San Francisco Superior Court against Chrome Holding Co., alleges the DNA testing company failed to implement reasonable security controls and made misleading statements about its security practices. With 855,541 Californians among the affected, statutory penalties could range from $1,000 to $7,500 per violation.
What Happened
Attackers used credential stuffing against 23andMe's login page beginning in 2023, leveraging passwords previously exposed in unrelated breaches. The intruders maintained access for roughly five months before detection. While the direct compromise was limited to about 14,000 accounts, attackers pivoted through the platform's DNA Relatives feature to scrape data on nearly seven million additional users. The lawsuit alleges a coding error in DNA Relatives exposed records belonging to any opted-in user, not just those connected to the compromised accounts. After disclosure, 23andMe sent victims' counsel a letter blaming users for password reuse and arguing the exposure would not cause "pecuniary harm," a position the AG now uses as evidence of misleading statements.
What Was Taken
The breach exposed genetic ancestry information, family relationship inferences, and account-linked profile data for just under seven million customers. Approximately 14,000 accounts were directly compromised via credential stuffing, while the remainder were exposed through the DNA Relatives feature. Stolen records were subsequently offered for sale on dark web markets, with sellers segmenting listings by ethnic origin, including records identified as belonging to Ashkenazi Jewish and Asian American Pacific Islander (AAPI) customers. Sellers used genetic origin as a selling point for the data.
Why It Matters
Genetic data is functionally irrevocable. Unlike passwords or payment cards, customers cannot rotate their DNA, and the harm extends across biological relatives who never consented to the service. Bonta's office connected the targeted sale of ethnically segmented records to a documented rise in antisemitic violence at the time, framing the breach as a civil rights issue rather than a purely financial one. For defenders, the case sets a precedent that platform-side authorization flaws blamed on user password hygiene will not insulate operators from regulatory liability. The action against the bankrupt entity's successor also signals that state AGs will pursue post-bankruptcy shells to recover penalties.
The Attack Technique
The initial intrusion vector was unsophisticated credential stuffing, replaying username and password pairs leaked from prior third-party breaches against the consumer login page. 23andMe lacked sufficient anti-automation, rate limiting, or mandatory multi-factor authentication to block the attempts at scale. Once inside the 14,000 accounts, attackers leveraged DNA Relatives, a feature that links users to biological kin based on shared genetic markers, to enumerate connected profiles. According to the complaint, a coding error in that feature returned data on users beyond the immediate relatives of compromised accounts, allowing attackers to scrape millions of records over a roughly five-month dwell window without triggering detection.
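The authorization defect class described above, modelled as an added example that is not code from 23andMe or from the complaint: a relatives lookup that trusts a client-supplied profile ID and echoes back the target's own match list, beside a hardened form that authorizes each record against the requester and returns only the viewer-to-target relationship. The match graph, profile fields and function names are constructed; the specific checks in the hardened form (viewer opted in, target opted in, target is one of the viewer's own matches) are assumptions about what a correct check looks like, not a description of the real feature. The audit helper measures how many profiles a single compromised account can reach under each version.

```python
from collections import deque
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the requester is not entitled to the requested record."""


@dataclass
class Profile:
    profile_id: str
    display_name: str
    ancestry: str                 # constructed ancestry summary
    opted_in: bool                # user has opted in to the relatives feature
    matches: set = field(default_factory=set)   # ids of profiles sharing DNA


def _p(pid, name, opted_in, matches):
    return Profile(pid, name, f"ancestry-summary-{pid}", opted_in, set(matches))


# Constructed sample match graph: A is the compromised account, F has opted out.
PROFILES = {
    "A": _p("A", "Ada", True, ["B", "C"]),
    "B": _p("B", "Ben", True, ["A", "D"]),
    "C": _p("C", "Cy", True, ["A"]),
    "D": _p("D", "Di", True, ["B", "E"]),
    "E": _p("E", "Eli", True, ["D", "F"]),
    "F": _p("F", "Fay", False, ["E"]),
}


def relatives_view_vulnerable(db, viewer_id, target_id):
    """Defect class: being logged in is treated as authorization. Any viewer may
    request any target_id, and the response includes the target's own match
    list, so one account can walk the entire match graph."""
    target = db[target_id]
    return {
        "name": target.display_name,
        "ancestry": target.ancestry,
        "matches": sorted(target.matches),
    }


def relatives_view_hardened(db, viewer_id, target_id):
    """Per-record authorization (assumed checks): viewer opted in, target opted
    in, and target is one of the viewer's own DNA matches. The response carries
    only the viewer/target relationship, never the target's match list."""
    viewer = db.get(viewer_id)
    if viewer is None or not viewer.opted_in:
        raise AuthorizationError("viewer is not opted in")
    if target_id not in viewer.matches:
        raise AuthorizationError("target is not a DNA match of the viewer")
    target = db[target_id]
    if not target.opted_in:
        raise AuthorizationError("target has opted out")
    return {"name": target.display_name, "ancestry": target.ancestry}


def hardened_allows(db, viewer_id, target_id):
    """True if the hardened view would serve the record, False if it denies it."""
    try:
        relatives_view_hardened(db, viewer_id, target_id)
        return True
    except AuthorizationError:
        return False


def reachable_profiles(db, compromised_id, view_fn):
    """Audit helper: the set of profiles one compromised account can read by
    starting from its own legitimate match list and following any 'matches'
    field the endpoint leaks. Authorization denials end that branch."""
    seen, frontier = set(), deque(db[compromised_id].matches)
    while frontier:
        target_id = frontier.popleft()
        if target_id == compromised_id or target_id in seen:
            continue
        try:
            record = view_fn(db, compromised_id, target_id)
        except AuthorizationError:
            continue
        seen.add(target_id)
        frontier.extend(record.get("matches", []))
    return seen


if __name__ == "__main__":
    for label, fn in (("vulnerable", relatives_view_vulnerable),
                      ("hardened", relatives_view_hardened)):
        print(label, sorted(reachable_profiles(PROFILES, "A", fn)))
```

Under the vulnerable view the single compromised account A reaches every other profile in the graph, including F, who opted out; under the hardened view it reaches only its own two matches, because the response no longer carries anything to pivot on. The audit helper is the kind of check worth running against any relationship feature before it ships: the blast radius of one account should equal that account's own entitlements, not the size of the connected component.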
What Organizations Should Do
- Enforce mandatory MFA on all consumer-facing authentication endpoints, with a preference for phishing-resistant factors for accounts holding sensitive PII or biometric data.
- Deploy credential-stuffing defenses including breached-password screening, device fingerprinting, velocity-based throttling, and CAPTCHA challenges on anomalous login patterns.
- Audit social, graph, or relationship features for authorization flaws that allow one compromised account to enumerate data belonging to unrelated users.
- Implement behavioral detection for slow, low-volume scraping consistent with five-month dwell scenarios, not just brute-force volume spikes.
- Treat genetic, biometric, and immutable identity data as a distinct data class with stricter retention limits, segmented storage, and elevated logging.
- Review external communications for statements that could be characterized as misleading by regulators, particularly post-incident victim notifications that minimize harm or shift blame to users.
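Two of the detections recommended above, velocity-based credential-stuffing screening and behavioral detection of slow scraping, as an added example that is not code from 23andMe or from the source article. The log format, the three user populations (one legitimate user, one credential-stuffing source IP, one compromised account that reads a handful of relative profiles per hour for ten days) and all thresholds are constructed assumptions. A volume-only per-minute rule is included alongside the cumulative rule to show why it misses the slow scraper.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: one authentication or relatives-view event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: target=(?P<target>\S+))? result=(?P<result>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return rec


def _fmt(ts, ip, user, event, target, result):
    tgt = f" target={target}" if target else ""
    return f"{ts.strftime(TS_FMT)} ip={ip} user={user} event={event}{tgt} result={result}"


def build_sample_log():
    """Constructed sample: legit activity, a stuffing burst, and a slow scraper."""
    base = datetime(2023, 5, 1, tzinfo=timezone.utc)
    lines = []
    for day in range(10):                      # legit user: 1 login, 3 views per day
        t = base + timedelta(days=day, hours=19)
        lines.append(_fmt(t, "198.51.100.7", "legit_user", "login", None, "ok"))
        for k in range(3):
            lines.append(_fmt(t + timedelta(minutes=k), "198.51.100.7",
                              "legit_user", "relatives_view", f"P{day * 3 + k}", "ok"))
    for i in range(40):                        # one IP, 40 usernames in ~4 minutes
        t = base + timedelta(minutes=5, seconds=6 * i)
        lines.append(_fmt(t, "203.0.113.5", f"victim{i}", "login", None,
                          "ok" if i % 20 == 0 else "fail"))
    for n in range(1920):                      # compromised account: 1 view / 7.5 min, 10 days
        t = base + timedelta(minutes=7.5 * n)
        lines.append(_fmt(t, "192.0.2.44", "scraper_acct", "relatives_view", f"Q{n}", "ok"))
    return lines


def load_sample_events():
    return [e for e in map(parse_line, build_sample_log()) if e]


def stuffing_sources(events, window=timedelta(minutes=5), min_users=20, min_fail_ratio=0.8):
    """Flag an IP whose logins in any sliding window span many distinct usernames
    and mostly fail: the signature of replayed third-party credentials."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[j]["ts"] > window:
                j += 1
            win = evs[j:i + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


def burst_alerts(events, per_minute_max=30):
    """Volume-only rule: a user exceeding N relatives views in a single minute."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_view":
            counts[(e["user"], e["ts"].replace(second=0, microsecond=0))] += 1
    return {user for (user, _), n in counts.items() if n > per_minute_max}


def slow_scrapers(events, window=timedelta(days=7), max_distinct_targets=100):
    """Cumulative rule: distinct relative profiles viewed by one account inside a
    sliding multi-day window, which catches low-rate enumeration."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "relatives_view" and e["target"]:
            by_user[e["user"]].append((e["ts"], e["target"]))
    flagged = set()
    for user, evs in by_user.items():
        evs.sort()
        j, live = 0, defaultdict(int)          # target -> views inside the window
        for i, (ts, target) in enumerate(evs):
            live[target] += 1
            while ts - evs[j][0] > window:
                old = evs[j][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                j += 1
            if len(live) > max_distinct_targets:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    ev = load_sample_events()
    print("stuffing sources:", stuffing_sources(ev))
    print("burst rule:", burst_alerts(ev))
    print("slow scrapers:", slow_scrapers(ev))
```

The compromised account never exceeds one request every few minutes, so the per-minute burst rule stays silent for the whole ten days; the cumulative distinct-target rule flags it inside the first day. Keying the scraping rule on distinct profiles rather than request count matters: a legitimate user re-reading the same handful of relatives produces many requests but few distinct targets.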
Sources: 23andMe exposed genetic information of millions, lawsuit says | Malwarebytes