California Attorney General Rob Bonta filed suit on May 27, 2026, against Chrome Holding Co., the corporate entity managing 23andMe's remaining assets after bankruptcy, alleging security failures and deceptive practices related to a 2023 data breach. The complaint accuses the DNA testing company of failing to implement reasonable security measures and violating multiple state privacy and consumer protection laws while making misleading statements about its security practices.
The 2023 breach began with credential stuffing attacks against 23andMe's login page, where attackers used previously compromised usernames and passwords from other sites. While only approximately 14,000 accounts were directly compromised, attackers operated undetected within the systems for roughly five months. The intruders then exploited the DNA Relatives feature, which allows users to find biological connections through DNA similarity, to access data from nearly 7 million customers.
According to the lawsuit, a critical coding error in the DNA Relatives feature enabled attackers to scrape data from millions of users connected by biological kinship to the compromised accounts. The stolen genetic information revealed individuals' genetic origins and was reportedly sold on the dark web with targeting options for specific ethnic groups, including Asian American Pacific Islander and Jewish customers. Following the breach disclosure, 23andMe sent a letter to victims' legal representatives blaming users for password reuse and claiming the exposed data would not cause financial harm, statements that California now cites as evidence in its case.
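Seen from the defender's side, the two stages above leave distinct traces in logs: a login source trying many different usernames with mostly failures, and a handful of accounts then pulling far more DNA Relatives profiles than a person browsing matches ever would. The following is an added example written for this summary (not 23andMe's code or anything from the article); the event records, field names and thresholds are constructed:

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, outcome)
AUTH_EVENTS = [
    ("203.0.113.5", "alice", "fail"),
    ("203.0.113.5", "bob", "fail"),
    ("203.0.113.5", "carol", "success"),
    ("203.0.113.5", "dave", "fail"),
    ("203.0.113.5", "erin", "fail"),
    ("203.0.113.5", "frank", "success"),
    ("198.51.100.7", "alice", "fail"),     # a real user mistyping once
    ("198.51.100.7", "alice", "success"),
]

# Constructed sample relative-profile views: (account, relative_profile_id)
RELATIVES_EVENTS = (
    [("carol", f"rel-{i}") for i in range(1200)]   # far beyond normal browsing
    + [("alice", f"rel-{i}") for i in range(40)]   # ordinary use
)

def stuffing_sources(events, min_distinct_users=5, max_success_rate=0.5):
    """Source IPs that try many distinct usernames with a low (often nonzero)
    success rate: one attempt per leaked credential pair, most of them failing."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, outcome in events:
        users[ip].add(user)
        attempts[ip] += 1
        if outcome == "success":
            successes[ip] += 1
    return sorted(ip for ip in attempts
                  if len(users[ip]) >= min_distinct_users
                  and successes[ip] / attempts[ip] <= max_success_rate)

def scraping_accounts(events, max_profiles=500):
    """Accounts that fetched more distinct relative profiles in the log window
    than a person reviewing their own matches plausibly would."""
    seen = defaultdict(set)
    for account, profile in events:
        seen[account].add(profile)
    return sorted(a for a, p in seen.items() if len(p) > max_profiles)

def compromised_then_scraping(auth_events, relatives_events):
    """Accounts logged in from a stuffing source that then bulk-read relatives:
    the chain the lawsuit describes, and the point where a feature-level
    rate limit would have cut the exposure of non-compromised users."""
    suspect_ips = set(stuffing_sources(auth_events))
    taken_over = {u for ip, u, o in auth_events if ip in suspect_ips and o == "success"}
    return sorted(taken_over & set(scraping_accounts(relatives_events)))
```

The thresholds are illustrative; in practice they are tuned against the service's own baseline of logins per source and profile views per session.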
The breach affected 855,541 California residents, and the state is seeking statutory penalties ranging from $1,000 to $7,500 per violation. However, recovery remains uncertain as 23andMe filed for Chapter 11 bankruptcy in March 2025 and sold most assets, including genomic data from over 15 million customers, to TTAM Research Institute for $305 million. Other regulators have already collected penalties, including a £2.31 million fine from the UK Information Commissioner's Office and a $50 million class-action settlement approved in January 2026 covering most US customer claims.
Affected customers should immediately reset any passwords reused across multiple sites and enable multi-factor authentication on all accounts where available. Users should also watch for phishing attempts referencing 23andMe or the breach. Unlike traditional data breaches where compromised information can be changed, stolen genetic data sold on the dark web cannot be recovered or altered, representing a permanent privacy loss that highlights the unique risks of DNA testing services.
Source: https://www.malwarebytes.com/blog/data-breaches/2026/06/23andme-exposed-genetic-information-of-millions-lawsuit-says