California AG Sues 23andMe Successor Chrome Holding Over 2023 Data Breach Affecting 7 Million Users
Rob Bonta filed suit Thursday in San Francisco Superior Court against the company formerly known as 23andMe, alleging it failed to protect customer data and misled users about the breach.
The corporate debtor name used by 23andMe during its bankruptcy, alleging the company failed to protect sensitive genetic data in a 2023 breach that affected nearly 7 million people nationwide, including more than 850,000 Californians. The complaint, filed in San Francisco Superior Court, states that hackers accessed approximately 14,000 accounts through credential stuffing and obtained raw genetic data, health reports, DNA shared with relatives, locations and birth years of relatives, ancestry, ethnicity, and genetic predispositions and risk factors.
The breach exposed personal information belonging to Asian-Pacific Islander and Ashkenazi Jewish users that later appeared for sale on the dark web.
Bonta said the company failed to take basic steps to protect users' data. “23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach,” he stated.
The lawsuit alleges that 23andMe did not require customers to reset passwords or implement multifactor authentication after a 2017 MyHeritage breach that exposed credentials later used in the attack.
A suspicious spike in login attempts occurred in July 2023 and a Reddit post discussed a possible breach in August 2023, yet the company only began investigating after the data was offered for sale and a ransom was demanded. The threat actor operated undetected within 23andMe’s systems for over five months, according to the California Department of Justice investigation cited in the complaint.
After notifying the public in October 2023, the company continued to mislead consumers about the breach’s severity and its own role, the lawsuit states.
Chrome Holding Co. is a subsidiary of TTAM Research Institute, the nonprofit led by former 23andMe CEO Anne Wojcicki that acquired the company after its March 2025 bankruptcy filing. Bonta had intervened in the Chapter 11 proceedings to ensure genetic data would not be mishandled, citing California’s Genetic Information Privacy Act, which requires opt-in consent before selling such information to third parties.
The bankruptcy sale was allowed to proceed. 23andMe was founded in San Francisco in 2006 and had collected around 15 million DNA samples by the time of its bankruptcy filing. In 2024 the company agreed to a $30 million class-action settlement over the breach; the amount was later raised to $50 million and received final approval in January from a federal judge overseeing the bankruptcy.
31 million last year after finding that personal data of 155,592 UK residents was accessed. The ICO investigation, conducted in coordination with Canada’s privacy commissioner, determined that 23andMe violated UK law by failing to implement appropriate authentication measures.
Bonta said the sale of the data on the dark web was “disturbing and incredibly dangerous” given it occurred during a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence.
The lawsuit seeks civil penalties and injunctions to block further violations of California privacy laws.