California Attorney General Rob Bonta filed a lawsuit on May 28, 2026, against the company formerly known as 23andMe — now operating under the name Chrome Holding Company after filing for bankruptcy — alleging the genetic testing firm failed to implement basic security safeguards before a 2023 data breach exposed the DNA profiles and personal information of approximately 7 million users nationwide, including 855,541 Californians. The 23andMe data breach, executed via a credential stuffing attack (where hackers use previously stolen username-password pairs to break into accounts), resulted in one of the largest exposures of biometric genetic data in U.S. history.
// 01 23andMe Data Breach: Technical Details
The 2023 23andMe breach unfolded in a sequence of failures that the California lawsuit argues were both foreseeable and preventable. The attackers exploited a foundational weakness: 23andMe allowed users to log in with credentials that had been compromised in previous third-party breaches.
The specific vector was credential stuffing — a technique (MITRE ATT&CK T1110.004 — Credential Stuffing) where attackers take large lists of username-password combinations leaked from unrelated breaches and systematically try them against other services. In this case, the lawsuit alleges that 23andMe's authentication systems accepted credentials exposed in the 2017 MyHeritage breach, which compromised over 92 million user accounts at a former 23andMe partner. Users who recycled the same password across both services were immediately vulnerable.
What compounded the breach was 23andMe's "DNA Relatives" feature — a service that lets users opt in to see genetic relatives who are also 23andMe customers. Once attackers gained access to approximately 14,000 individual accounts through credential stuffing, they used the DNA Relatives feature to "scrape" (automatically extract at scale) genetic ancestry data, health predispositions, and personal information from the profiles of roughly 7 million connected users. A user who had never been credential-stuffed could still have their data stolen if a distant relative's account was compromised.
The lawsuit identifies at least two specific red flags that 23andMe detected but failed to act on:
- A suspicious spike in user login attempts in July 2023 — a textbook indicator of an active credential stuffing campaign
- A Reddit post in August 2023 discussing a possible breach and the sale of 23andMe user data on criminal forums
Despite both signals, 23andMe did not prompt users to reset passwords or enforce multifactor authentication (MFA — a security control requiring a second verification step beyond a password). The breach was publicly confirmed only in October 2023.
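The July 2023 login spike the lawsuit describes has a recognisable shape in authentication logs: a burst of attempts, mostly failing, spread across many distinct usernames from a small number of source addresses. The following detector, written as an added example for this article (not 23andMe's code), runs that check over a constructed sample log; the window size and thresholds are illustrative assumptions a defender would tune to their own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real 23andMe data): "<ISO time> <source ip> <username> <ok|fail>".
# The 02:00 burst mimics the lawsuit's "spike in login attempts": many distinct usernames,
# mostly failing, from only two source addresses, which is the credential-stuffing signature.
SAMPLE_LOG = """\
2023-07-10T01:00:03 198.51.100.7 alice ok
2023-07-10T01:12:45 198.51.100.8 bob ok
2023-07-10T01:20:10 198.51.100.9 carol fail
2023-07-10T01:20:30 198.51.100.9 carol ok
2023-07-10T02:00:01 203.0.113.5 u01 fail
2023-07-10T02:00:02 203.0.113.5 u02 fail
2023-07-10T02:00:03 203.0.113.5 u03 ok
2023-07-10T02:00:04 203.0.113.5 u04 fail
2023-07-10T02:00:05 203.0.113.6 u05 fail
2023-07-10T02:00:06 203.0.113.6 u06 fail
2023-07-10T02:00:07 203.0.113.6 u07 ok
2023-07-10T02:00:08 203.0.113.6 u08 fail
"""

def parse_events(text):
    """Parse log lines into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def window_stats(events, window=timedelta(minutes=5)):
    """Bucket events into fixed windows (assumed 5 minutes) and summarise each one."""
    buckets = defaultdict(list)
    for ts, ip, user, outcome in events:
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[start].append((ip, user, outcome))
    stats = {}
    for start, evs in buckets.items():
        users, ips = {u for _, u, _ in evs}, {i for i, _, _ in evs}
        fails = sum(1 for _, _, o in evs if o == "fail")
        stats[start] = {"attempts": len(evs), "users": len(users), "ips": len(ips),
                        "fail_ratio": fails / len(evs), "users_per_ip": len(users) / len(ips)}
    return stats

def find_stuffing_windows(events, min_attempts=8, min_fail_ratio=0.6, min_users_per_ip=3.0):
    """Return window starts shaped like credential stuffing: a burst, mostly failing, spread
    over many accounts per source IP (one account hammered from one IP is brute force instead)."""
    return [start for start, s in sorted(window_stats(events).items())
            if s["attempts"] >= min_attempts and s["fail_ratio"] >= min_fail_ratio
            and s["users_per_ip"] >= min_users_per_ip]
```

A flagged window is the point at which the response the article says never came (forced password resets and MFA enrollment for the affected accounts) should be triggered.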
// 02 Exploitation Status and Legal Landscape
The California AG's lawsuit alleges violations of five state laws:
- California Genetic Information Privacy Act (GIPA) — which mandates specific protections for genetic data, a category considered more sensitive than standard personal information because it is immutable and reveals information about entire biological families
- California Reasonable Data Security Law — requiring companies to implement "reasonable" security measures commensurate with the sensitivity of the data they collect
- False Advertising Law — based on allegations that 23andMe misled consumers about the security of their genetic information in marketing materials
- Unfair Competition Law (UCL) — for engaging in unlawful, unfair, and fraudulent business practices related to data security
- California Consumer Privacy Act (CCPA) — California's landmark consumer privacy law granting residents rights over their personal data and requiring businesses to protect it
The CCPA, a 2020 law giving California residents the right to know what data companies collect, to delete it, and to opt out of its sale, is particularly significant because it carries statutory damages of $100 to $750 per consumer per incident. At 855,541 affected Californians this could represent substantial liability — potentially exceeding $600 million if maximum per-consumer penalties were applied.
23andMe filed for bankruptcy in March 2025 and was subsequently acquired and rebranded as Chrome Holding Company, which the California AG's office named as the defendant. The company's bankruptcy proceedings complicate enforcement, as California's ability to recover damages may be limited by the claims process. The lawsuit also raises questions about what happens to the genetic data of millions of users when a data company goes bankrupt and is sold.

// 03 Who Is Affected
Individual consumers affected by the 23andMe data breach face a uniquely serious harm: genetic data, unlike a password or credit card number, cannot be changed. Exposed information includes:
- DNA ancestry composition — ethnic and geographic origin profiles
- Health predispositions — risk scores for conditions including certain cancers, heart disease, and hereditary disorders
- Relative matching data — which reveals information about family members who may never have consented to DNA testing
- Account profile information — names, birth years, geographic locations
The 7 million exposed users were not all directly credential-stuffed — most had their data scraped through the DNA Relatives feature from the approximately 14,000 accounts that were directly compromised. This illustrates a systemic risk in social-genomics platforms: the security of your genetic profile depends not only on your own account security, but on the security of every distant relative who opted into sharing features.
California's 855,541 directly affected residents have the clearest legal standing under CCPA and the state's Genetic Information Privacy Act. Other affected users in different states may have claims under state breach notification laws or the Federal Trade Commission Act.
// 04 What You Should Do Right Now
- 23andMe users: delete your data now. Even if you no longer use the service, your genetic profile may still be stored. Navigate to your account settings → 23andMe Data → Request Data Destruction. Given the bankruptcy, there is significant uncertainty about how your data will be handled in asset transfers.
- Request your data export first. Before deletion, download a copy of your raw genetic data file in case you need it in the future.
- Change your password immediately on any service that shares credentials with your 23andMe account. Use a password manager to generate unique passwords for every service.
- Enable multifactor authentication on all sensitive accounts — the breach directly exploited the absence of MFA enforcement on a platform holding biometric data.
- Monitor for genetic data misuse. There is no practical "credit freeze" equivalent for genetic information, but affected users should be alert to targeted phishing that references their health conditions or family history.
- Check data broker opt-outs. If your genetic ancestry data was sold or transferred, it may appear in data broker databases. Services like DeleteMe or Privacy Bee can help remove records from known brokers.
// 05 Background: Understanding the Risk
The 23andMe breach occupies a distinct category of severity from conventional data breaches because of the nature of the data exposed. Financial account credentials can be reset. Credit cards can be reissued. Social Security numbers, while serious, primarily enable identity fraud in financial contexts. Genetic data is different: it is permanent, inherited, and shared across biological families.
When 23andMe users opted into the DNA Relatives feature, they implicitly accepted that their genetic profile could be matched against other users — but they did not consent to that data being harvested by criminals at scale. The California Genetic Information Privacy Act (GIPA) was specifically designed to create a higher duty of care for companies handling this uniquely sensitive category of biometric information, recognizing that genetic data reveals far more about a person than conventional personal information.
The security failure at its core was mundane: 23andMe did not require users to reset passwords after the MyHeritage breach in 2017 — a six-year window during which millions of 23andMe accounts were accessible to anyone with the corresponding MyHeritage credentials. Industry standard practice after a partner or related-service breach is to prompt all users to change their passwords and strongly encourage MFA enrollment. 23andMe did neither.
The bankruptcy complicates the legal picture significantly. California's lawsuit seeks injunctive relief and civil penalties, but as a general unsecured creditor of Chrome Holding Company, the state's ability to collect damages will depend on the bankruptcy court's priority ordering. More critically, the fate of the genetic profiles of 15+ million 23andMe users — including those whose data was not part of the 2023 breach — remains uncertain as the company's assets are administered in bankruptcy proceedings.
This case sets a precedent for how state attorneys general can use existing consumer protection and genetic privacy laws to pursue accountability for biometric data breaches, even when the responsible company no longer exists in its original form.
// 06 Conclusion
California's lawsuit against Chrome Holding Company (formerly 23andMe) over the 2023 credential-stuffing breach that exposed 7 million users' DNA profiles marks a significant escalation in state-level enforcement of genetic privacy law. The case demonstrates that standard security controls — password resets after partner breaches, enforced MFA on high-sensitivity accounts, anomaly detection on login spikes — are not optional for platforms holding biometric data. Current 23andMe users should immediately request data deletion, export their raw data, and rotate any recycled passwords. The outcome of this litigation will shape data security obligations for the growing direct-to-consumer genomics industry.
For any query contact us at contact@cipherssecurity.com
