
California sues former 23andMe over 2023 ancestry and genetic data breach

California is suing the consumer genetics company formerly known as 23andMe over its 2023 breach of ancestry and genetic data, one of the most consequential data breaches ever.

Attorney General Rob Bonta announced the lawsuit on Thursday against San Francisco-based Chrome Holding Co. for failing to protect customers' sensitive personal information, including health data, genetic risk factors, biological relatives, ancestry, and ethnicity.

In October 2023, 23andMe disclosed a security incident that the company originally said affected only about 14,000 accounts at the time. However, through the company's opt-in DNA Relatives feature, hackers were able to scrape the profiles of nearly seven million people connected to the breached accounts, including about 855,000 Californians.

Severity of 23andMe data breach unlike others 

While it is not the largest data breach in history, the 23andMe breach differs from financial and identity data breaches, whose damage could be mitigated: genetic and ancestry data, including health information, DNA profiles, ethnicity and family tree details, cannot be replaced.

Bonta said the company violated California law requiring that the information is kept safe and lied to consumers about the severity of the data breach. The breach was discovered after the data of about a million people was put up for sale on the dark web, touted as belonging to Asian American and Pacific Islanders and Jewish users.


"Our investigation found that the company failed to take basic steps to protect users' data - data including the sensitive personal information, family histories, and health conditions of consumers," said Bonta in a statement. "The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence - and explicitly called attention to the deeply personal and identifying nature of that information."

23andMe data breach prompts lawsuits, bankruptcy

Multiple lawsuits against the company were filed across the U.S. in 2024 and consolidated into a federal lawsuit. In 2025, 23andMe filed for bankruptcy, restructured and became known as Chrome Holding Co., with the federal lawsuit becoming intertwined with the settlement process tied to the Chapter 11 proceedings. The bankruptcy has also highlighted the concern over what could happen to users' genetic data if the company's assets are sold or transferred.

23andMe was the first and one of the largest direct-to-consumer genetic testing companies in the world. Customers sent their saliva samples to 23andMe for DNA analysis, which the company said allowed users to discover. 

Bonta said the company failed to take reasonable measures to protect its customers' most sensitive data, ignored known vulnerabilities in its systems, and failed to properly investigate or respond to numerous warnings that its systems had been compromised. 

Use of common passwords enabled 23andMe data breach

The breach began with hackers stealing weak or common passwords from another genealogy company it partnered with, MyHeritage, and using those passwords to access 23andMe accounts. The lawsuit claims that although 23andMe's data security team was aware of the MyHeritage breach, the company never checked for or prevented credential reuse, even after the MyHeritage data breach.

Before the breach, 23andMe touted its security practices as meeting the highest industry standards. The lawsuit claims that after the breach, the company tried to hide and downplay both the breach's severity and its responsibility for it. Bonta said 23andMe violated California's Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act.

The lawsuit filed on Thursday is separate from another challenge by Bonta about the sale of Californians' genetic information and material in bankruptcy. Twenty-seven other states and Washington, D.C. are also challenging the legality of genetic data transfer during bankruptcy.
