California Attorney General Files Lawsuit Against 23andMe Over 2023 Data Breach

Legal Action Against 23andMe

California's Attorney General Rob Bonta has taken significant legal steps against Chrome Holding Co., previously recognized as 23andMe, citing the company's inadequate protection of personal information belonging to nearly 7 million users in a major data breach that occurred in 2023. The breach, which was instigated by a credential-stuffing attack, compromised sensitive genetic and ancestral data.

Details of the Breach

The lawsuit, filed on Thursday in the San Francisco Superior Court, claims that 23andMe ignored multiple warnings about potential security vulnerabilities within its systems. This negligence allowed cyber criminals to operate undetected for over five months, during which they siphoned off personal data from the company’s database. The breach particularly affected users with Chinese and Ashkenazi Jewish ancestry, with over a million records later being discovered for sale on the dark web.

According to Bonta's office, "23andMe's security measures were so lax that the threat actor was able to operate undetected within 23andMe's systems for over five months." This revelation emerged only after the hackers began offering the stolen data for ransom, prompting 23andMe to commence an internal investigation.

Consequences and Public Safety Concerns

Bonta emphasized the alarming implications of such data exposure, stating, "The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence. This is disturbing and incredibly dangerous."

In a previous lawsuit filed in January 2024, 23andMe faced accusations regarding inadequate safeguards and a failure to notify affected customers about the data breach. The company ultimately settled this lawsuit for $30 million, further highlighting ongoing concerns regarding its data protection practices.

Company Background and Recent Developments

23andMe, once synonymous with consumer genetics testing and valued at $3.5 billion during its public offering in 2021, has seen a troubling decline in its operations, culminating in a bankruptcy filing in 2025. The company offered genetic testing kits that provided users with insights into their ancestry and health, a venture that many consumers embraced until recent controversies arose regarding data privacy and security.

In July 2025, the TTAM Research Institute, led by co-founder and former CEO Anne Wojcicki, acquired 23andMe’s assets for $305 million, indicating a shift in ownership amid ongoing scrutiny of the company’s practices.

Conclusion

With this lawsuit, the scrutiny around 23andMe's data security measures continues to intensify, raising critical questions about the company’s responsibilities to its users and the steps it will take in the future to protect sensitive personal information.