California Attorney General Rob Bonta today filed a lawsuit against Chrome Holding Co. - formerly known as 23andMe Holding Co. - and its subsidiary ChromeCo, Inc., alleging that the once-prominent direct-to-consumer DNA testing company failed to safeguard the genetic data of nearly 7 million customers and then misled the public about the severity of what happened. The complaint, filed May 27, 2026 in San Francisco Superior Court under case number CGC-26-636891, lays out a detailed picture of security failures that stretched across months, a secret ransom payment to hackers, and a series of public statements that obscured the company's own role in one of the most sensitive data breaches in consumer genetics history.
A company built on trust over DNA
Founded in 2006 in San Francisco under the name 23andMe, Inc., the company repositioned as a holding structure in 2021 and changed its legal name to Chrome Holding Co. in 2025, with the operating subsidiary renamed ChromeCo, Inc. At its peak, 23andMe served approximately 15 million customers worldwide. A substantial portion resided in California.
The business model was simple on the surface: customers mailed in a saliva sample, 23andMe extracted the DNA, and the company returned reports covering ancestry composition, health predispositions, carrier status for genetic conditions, and information about biological relatives. Customers could opt into a feature called "DNA Relatives," which showed them other users who shared segments of their genome, and allowed them to communicate with those matches. A connected "Family Tree" feature let users build and share genealogical records.
The data underlying these features is among the most sensitive any company can hold. Genetic information is immutable - it cannot be changed the way a password or a credit card number can. It reveals health risks, biological family connections, ancestry, and ethnicity not just for the individual who submitted a sample, but potentially for relatives who never signed up for anything. According to the complaint filed by the California Attorney General, this sensitivity is precisely what made 23andMe's security posture so consequential - and so damaging when it collapsed.
The breach: five months undetected
According to the California Department of Justice complaint, a threat actor began accessing 23andMe's systems in late April 2023. The attacker used a technique called credential stuffing - a well-documented form of cyberattack in which stolen username and password combinations from one data breach are systematically tried against accounts at other services, exploiting the common human habit of reusing login credentials across platforms.
The credentials used to breach 23andMe were predominantly obtained from earlier data breaches at other companies - most notably, a 2017 incident at MyHeritage, a genealogy website that had previously partnered with 23andMe and encouraged users to link accounts across both platforms. According to the complaint, the 2017 MyHeritage breach exposed the credentials of over 92 million users. At least one senior member of 23andMe's cybersecurity team was aware of that breach as early as 2018. Despite that knowledge, 23andMe never cross-checked its own customer accounts against known compromised credential lists, never required password resets following the MyHeritage breach, and did not require multi-factor authentication.
The threat actor ultimately accessed approximately 14,000 individual 23andMe accounts through credential stuffing. From there, however, the breach expanded dramatically. According to the complaint, a coding error in the "DNA Relatives" feature allowed the attacker to submit manipulated database queries - ones that returned information on any user who had opted into the feature, regardless of whether that person was genetically connected to any of the compromised accounts. What should have been a restricted search function accessible only to actual matches became, through this vulnerability, a tool for bulk data extraction.
The total number of profiles compromised reached approximately 6.9 million - close to half of 23andMe's entire customer base. For the roughly 14,000 accounts directly breached by credential stuffing, the stolen data included uninterpreted raw genotype data, health-predisposition reports, wellness reports, carrier status reports, and self-reported health conditions. For the 5.5 million users reached through the "DNA Relatives" vulnerability, the disclosure included display names, profile pictures, birth years, last login dates, relationship labels, predicted relationships with other users, the percentage of DNA shared, ancestry reports, chromosomal data, self-reported location, ancestor birth locations, family names, and links to family trees. A further 1.4 million users were affected through the "Family Tree" feature, with their display names, birth years, relationship labels, percentage of DNA shared, and location data exposed.
According to the complaint, approximately 855,541 of the affected consumers resided in California.
Warning signs ignored
The complaint describes a sequence of missed signals. On July 6, 2023, 23andMe's engineering team observed a spike in login attempts in which a single actor submitted 1,300 requests per minute from a single IP address. That day's login volume was more than five times the normal daily number. According to the complaint, the average daily login count over the preceding four years was approximately 151,000; on July 6, the number of logins to a single customer account alone exceeded one million.
No action was taken.
On August 11, 2023, a post on a dark web forum offered 23andMe customer data for sale, including raw DNA data, and claimed to cover more than 10 million customers. The same day, a public post on the 23andMe subreddit flagged the sale. According to the complaint, 23andMe's data security team became aware of the Reddit post and opened an investigation, but closed it after just four days. The investigation examined only two example records provided by the individual claiming to have the data; both examples related to people who had chosen to make their information public, namely Anne Wojcicki, then co-founder and CEO of 23andMe, and Google co-founder Sergey Brin. The complaint states that 23andMe concluded the information could have been obtained through legitimate use of its platform and did not attempt to determine whether the stolen data included non-public customer records.
The threat actor carried out credential-stuffing attempts in two distinct windows: May 1 through May 16, 2023, and September 12 through September 18, 2023. Both windows produced anomalous login patterns. Neither triggered alerts or remedial action, according to the complaint.
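The three signals described above (a burst of requests from one IP, a day's login volume far above its baseline, and an implausible number of logins against a single account) are exactly the kind of thing a login-telemetry detector should catch. The following is an added example written for this page, not code from 23andMe or from the complaint. The event format, the IP addresses, the account names, and every threshold are assumptions chosen for illustration; it also returns the list an incident responder needs first, the accounts that authenticated successfully from a flagged source.

```python
"""Credential-stuffing detectors run over a constructed sample of login events.

Added example; not 23andMe code. The telemetry is constructed, and the
thresholds (per-IP rate, distinct accounts per IP, daily volume multiple)
are assumptions for illustration rather than figures from the complaint.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed telemetry: (timestamp, source_ip, account, result) tuples.

    One attacker IP makes 300 attempts in one minute against 300 different
    accounts (1 in 10 succeeds), mixed with 50 ordinary logins from distinct IPs.
    """
    t0 = datetime(2023, 7, 6, 10, 0, 0)
    events = []
    for i in range(300):
        result = "OK" if i % 10 == 0 else "FAIL"
        events.append((t0 + timedelta(seconds=0.2 * i), "203.0.113.5",
                       f"user{i:05d}", result))
    for i in range(50):
        events.append((t0 + timedelta(minutes=i), f"198.51.100.{i}",
                       f"legit{i:03d}", "OK"))
    return sorted(events)


def peak_rate_per_ip(events, window=timedelta(minutes=1)):
    """Largest number of attempts one IP made inside any sliding `window`."""
    times_by_ip = defaultdict(list)
    for ts, ip, _account, _result in events:
        times_by_ip[ip].append(ts)
    peaks = {}
    for ip, times in times_by_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[ip] = best
    return peaks


def distinct_accounts_per_ip(events):
    """How many different accounts each IP attempted; stuffing spreads wide."""
    accounts = defaultdict(set)
    for _ts, ip, account, _result in events:
        accounts[ip].add(account)
    return {ip: len(s) for ip, s in accounts.items()}


def daily_volume_ratio(events, baseline_daily):
    """Each day's login count divided by the historical daily average."""
    per_day = Counter(ts.date() for ts, *_ in events)
    return {day.isoformat(): count / baseline_daily
            for day, count in per_day.items()}


def flag_credential_stuffing(events, baseline_daily, rate_threshold=100,
                             spread_threshold=50, volume_multiple=5):
    """Return one alert string for every signal that crosses its threshold."""
    alerts = []
    spread = distinct_accounts_per_ip(events)
    for ip, peak in peak_rate_per_ip(events).items():
        if peak >= rate_threshold:
            alerts.append(f"{ip}: {peak} attempts/min from one IP")
        if spread[ip] >= spread_threshold:
            alerts.append(f"{ip}: {spread[ip]} distinct accounts tried")
    for day, ratio in daily_volume_ratio(events, baseline_daily).items():
        if ratio >= volume_multiple:
            alerts.append(f"{day}: login volume {ratio:.1f}x the daily baseline")
    return alerts


def accounts_to_reset(events, rate_threshold=100):
    """Accounts that logged in successfully from an IP flagged as a stuffing source.

    These sessions were obtained with valid credentials, so the password must be
    rotated and the session revoked even though each login on its own looks normal.
    """
    flagged = {ip for ip, peak in peak_rate_per_ip(events).items()
               if peak >= rate_threshold}
    return sorted(account for _ts, ip, account, result in events
                  if ip in flagged and result == "OK")


if __name__ == "__main__":
    sample = build_sample_events()
    # A baseline of 50 is constructed to fit the tiny sample, not a real figure.
    for line in flag_credential_stuffing(sample, baseline_daily=50):
        print(line)
    print("reset:", accounts_to_reset(sample))
```

The per-IP rate check alone is easy to evade with a proxy pool, which is why the distinct-accounts and daily-volume signals are computed independently: a distributed attack still has to log in to many accounts, and the aggregate volume still moves.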
The ransom
On October 1, 2023, a sample of stolen data appeared on the 23andMe subreddit. The data was accompanied by an advertisement specifically highlighting that approximately 1.1 million records belonged to users of Ashkenazi Jewish heritage and Asian-Pacific Islander descent. According to the California Attorney General's press release announcing the lawsuit on May 28, 2026, this occurred during a period of mounting antisemitic and anti-Asian American and Pacific Islander hate and violence.
23andMe acknowledged "suspicious activity" publicly on October 6, 2023, in a blog post that stated the company did "not have any indication at this time that there has been a data security incident within our systems." The complaint alleges this was false: during the same period, the company was negotiating privately with the threat actor.
According to the complaint, on October 7 and 8, 2023, the threat actor sent messages directly to Wojcicki, to a 23andMe employee, and to a spouse of a 23andMe employee. Negotiations ran from October 8 through October 25, 2023. 23andMe ultimately paid the threat actor $400,000 in cryptocurrency. In exchange, the threat actor agreed to: report the vulnerabilities exploited during the breach; disclose two additional vulnerabilities found but not exploited; destroy the stolen user data; delete damaging posts made online about the breach; and provide what the complaint describes as a cover story to minimize the perceived severity of the attack.
The complaint notes that it remains unknown whether the threat actor actually deleted any of the genetic or personal data in their possession.
The threat actor posted 23andMe user data on BreachForums, a dark web cybercrime board, on at least three separate occasions: October 1, October 17, and October 18, 2023. Profiles from the October 2023 listings were offered for sale at between $1 and $10 per account.
Security failures outlined in the complaint
The complaint identifies three distinct categories of security failure. First, 23andMe failed to implement well-known defenses against credential stuffing. Industry guidance had been available for years before the breach. The California Attorney General published a data breach report in February 2016 recommending that multi-factor authentication be widely available for consumer-facing accounts holding sensitive personal information. The Federal Trade Commission published similar guidance in 2017, explicitly warning about credential reuse and recommending that companies combine multiple authentication techniques. By 2020, the Center for Internet Security classified credential stuffing as a threat with "very high" frequency. The New York Attorney General's office published a dedicated business guide on credential stuffing defenses in January 2022.
Despite all of this, 23andMe did not require multi-factor authentication for customer accounts until November 6, 2023 - after the breach had already run for five months. The company did not initiate a global password reset until October 10, 2023. It did not check customer credentials against known breach databases until after the attack, at which point it found that of the 14,000 directly compromised accounts, over 50% had been exposed in the 2017 MyHeritage breach, and almost 100% had appeared in at least one prior breach.
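Checking a customer's password against a known-breach corpus can be done at authentication time without sending the password, or even its full hash, to the lookup service. The following is an added example written for this page, not 23andMe code and not tied to any real breach corpus: the corpus is constructed from made-up passwords, and the lookup follows the range-query (k-anonymity) pattern in which the client sends only the first five hex characters of SHA-1(password), receives every suffix in that range, and compares locally. The decision logic at the end encodes the two controls the section discusses, a forced reset for exposed credentials and mandatory multi-factor enrollment for everyone else.

```python
"""Breached-credential check with a k-anonymity range lookup.

Added example; not 23andMe code. The leaked-password list is constructed,
and the policy in login_decision() is an assumption for illustration.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only because breach corpora are indexed by it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(leaked_passwords):
    """Index leaked passwords by 5-char SHA-1 prefix -> {35-char suffix: count}.

    A real service holds billions of entries; a constructed list stands in here.
    """
    index = defaultdict(dict)
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_lookup(corpus, prefix):
    """Server side of the query: return every suffix sharing this prefix.

    The server learns only a 20-bit prefix, never which password was checked.
    """
    if len(prefix) != 5:
        raise ValueError("range queries take exactly a 5-character prefix")
    return dict(corpus.get(prefix.upper(), {}))


def breach_count(password, corpus):
    """Client side: only the prefix leaves the client; the match is made locally."""
    digest = sha1_hex(password)
    suffixes = range_lookup(corpus, digest[:5])
    return suffixes.get(digest[5:], 0)


def login_decision(password, corpus, mfa_enrolled):
    """Policy applied after the password itself has verified correctly.

    Runs at login because that is the one moment the plaintext is available;
    stored password hashes cannot be compared against a SHA-1 breach corpus.
    """
    if breach_count(password, corpus) > 0:
        return "reset_required"      # credential is in a known breach
    if not mfa_enrolled:
        return "mfa_enrollment_required"
    return "allow"


# Constructed leaked-password list; "password123" appears twice to show counts.
LEAKED = ["password123", "password123", "qwerty", "letmein", "Summer2017!"]
CORPUS = build_corpus(LEAKED)

if __name__ == "__main__":
    for pw, mfa in [("password123", True), ("correct horse battery staple", False),
                    ("correct horse battery staple", True)]:
        print(pw, mfa, "->", login_decision(pw, CORPUS, mfa))
```

The same lookup can be run retroactively at the next login for every account after a partner's breach becomes known, which is the cross-check the complaint says was never done after the 2017 MyHeritage incident.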
Second, the complaint details the failure around the "DNA Relatives" coding error. The flaw allowed a logged-in user to submit manipulated queries that bypassed the feature's intended restrictions, returning data on any opted-in user rather than only on that user's actual genetic matches. According to the complaint, this error was not discovered until the threat actor disclosed it during ransom negotiations in October 2023. Even after that disclosure, 23andMe's public statements about the breach did not mention the coding error's role in enabling the large-scale data extraction.
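The complaint describes the "DNA Relatives" flaw only at the level of manipulated queries that returned any opted-in user rather than the caller's actual matches; it does not describe the mechanism. The following is an added, hypothetical example of that class of bug (object-level authorization decided by the wrong predicate), written for this page and not 23andMe's code. The schema, names and data are constructed and run in an in-memory SQLite database. The vulnerable handler trusts client-supplied profile IDs and filters only on the opt-in flag; the fixed handler derives the permitted set from the caller's own match table, ignores any ID outside it, and caps the number of IDs per request so the endpoint cannot be used for bulk enumeration.

```python
"""Object-level authorization on a 'relatives' lookup: vulnerable shape beside
the fixed one, over a constructed SQLite database.

Added example; hypothetical code, not 23andMe's and not the mechanism alleged
in the complaint. Profiles, matches and names are constructed.
"""
import sqlite3

MAX_IDS_PER_REQUEST = 50   # assumed enumeration cap for illustration

SCHEMA = """
CREATE TABLE profiles (
    id INTEGER PRIMARY KEY, display_name TEXT, birth_year INTEGER, opted_in INTEGER);
CREATE TABLE matches (
    viewer_id INTEGER, match_id INTEGER, shared_pct REAL,
    PRIMARY KEY (viewer_id, match_id));
"""


def build_db():
    """Constructed data: alice<->bob and carol<->erin are matches; dave opted out."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO profiles VALUES (?, ?, ?, ?)", [
        (1, "alice", 1980, 1), (2, "bob", 1975, 1), (3, "carol", 1990, 1),
        (4, "dave", 1960, 0), (5, "erin", 1985, 1)])
    con.executemany("INSERT INTO matches VALUES (?, ?, ?)", [
        (1, 2, 12.5), (2, 1, 12.5), (3, 5, 3.1), (5, 3, 3.1)])
    return con


def relatives_vulnerable(con, viewer_id, requested_ids):
    """Authorization bug: checks opt-in, never checks the relationship to viewer.

    Any logged-in caller who guesses or enumerates IDs gets every opted-in
    profile back; viewer_id is not even used in the query.
    """
    if not requested_ids:
        return []
    placeholders = ",".join("?" * len(requested_ids))
    return con.execute(
        f"SELECT id, display_name, birth_year FROM profiles "
        f"WHERE opted_in = 1 AND id IN ({placeholders}) ORDER BY id",
        list(requested_ids)).fetchall()


def relatives_fixed(con, viewer_id, requested_ids):
    """Permitted set comes from the server-side match table for this viewer.

    Requested IDs only narrow the result; they can never widen it beyond the
    caller's own matches, and over-long requests are rejected outright.
    """
    if not requested_ids:
        return []
    if len(requested_ids) > MAX_IDS_PER_REQUEST:
        raise ValueError("too many profile IDs in one request")
    placeholders = ",".join("?" * len(requested_ids))
    return con.execute(
        f"SELECT p.id, p.display_name, p.birth_year, m.shared_pct "
        f"FROM matches m JOIN profiles p ON p.id = m.match_id "
        f"WHERE m.viewer_id = ? AND p.opted_in = 1 AND p.id IN ({placeholders}) "
        f"ORDER BY p.id",
        [viewer_id, *requested_ids]).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = [2, 3, 4, 5]   # alice (id 1) asks for everyone else
    print("vulnerable:", relatives_vulnerable(db, 1, probe))
    print("fixed:     ", relatives_fixed(db, 1, probe))
```

The difference is which table decides authorization: the vulnerable query answers "is this profile opted in?", which is true for most users, while the fixed query answers "is this profile one of the caller's matches?", which is the restriction the feature was supposed to enforce.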
Third, the complaint argues that 23andMe's internal security policies failed to account for the specific nature of genetic data at all. The company's Information Security Policy discussed protecting business information in generic terms. Its Network Security Policy was described as a standard document with no provisions specific to genetic or ancestry data. The Data Classification framework established three tiers of sensitivity but did not specify where genetic or ancestry information fell. Even if genetic data was intended to sit in the most sensitive tier - "Sensitive Confidential Information" - the company's own policy required multi-factor authentication for that tier, which 23andMe did not enforce for customer accounts prior to the breach.
The complaint quotes sworn testimony from Wojcicki in 23andMe's bankruptcy proceedings, in which she stated: "I think my email and my bank accounts are potentially more sensitive than my genetic information." The California legislature, according to the complaint, has reached the opposite conclusion, enacting laws that specifically recognize the unique privacy risks posed by genetic data.
Legal claims and potential penalties
The complaint alleges violations of four California laws: the Genetic Information Privacy Act (GIPA), the California Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law.
Under GIPA, the Attorney General seeks civil penalties of $1,000 per violation. Under the CCPA, penalties reach $2,500 per violation and $7,500 per intentional violation or violation involving minor consumers. The False Advertising Law and Unfair Competition Law each carry penalties of $2,500 per violation, with an additional $2,500 penalty per violation against senior citizens aged 65 or older.
The Attorney General also seeks injunctive relief to prevent 23andMe from engaging in further violations, and asks the court for all equitable remedies available.
The filing notes that today's lawsuit is separate from a pending challenge in the U.S. Bankruptcy Court for the Eastern District of Missouri, where the Attorney General has also opposed the proposed sale of Californians' genetic information as part of the company's bankruptcy proceedings. 23andMe filed for Chapter 11 bankruptcy protection on March 23, 2025. Because the California lawsuit is brought under state police and regulatory powers, it is not subject to the automatic stay that typically halts civil litigation against a debtor in bankruptcy.
A tolling agreement between the parties became effective June 1, 2024, pausing the statute of limitations until June 1, 2025. Federal bankruptcy code provisions further extended the tolling period beginning March 23, 2025.
Context: California's expanding privacy enforcement pattern
The lawsuit lands at a point when California's enforcement of privacy law is unusually active. Attorney General Bonta's office secured a $1.55 million settlement with Healthline Media in July 2025 - at the time the largest CCPA monetary penalty on record - over sharing personal data with third parties despite user opt-outs. A $1.4 million settlement with mobile gaming company Jam City followed in November 2025, targeting failures to provide CCPA-compliant opt-out mechanisms across 21 mobile applications. The office also pursued a $2.75 million settlement with The Walt Disney Company in early 2026 over opt-out failures across streaming services.
California's updated privacy framework, which took effect January 1, 2026 under Assembly Bills 137 and 566, expanded requirements around consumer consent and third-party data transfers. The California Delete Act regulations, approved in November 2025, will require data brokers to participate in a centralized consumer deletion platform starting August 2026. Legislation introduced in January 2026 would go further, prohibiting the sale of sensitive personal information to third parties entirely under the CCPA.
The 23andMe case is categorically different from those enforcement actions in one respect: it involves data that is permanently identifying, cannot be anonymized in any meaningful sense, and carries implications not just for the individual but for their biological relatives. The breach did not expose credit card numbers that could be reissued. It exposed genetic sequences that customers carry for life.
For advertisers, data analytics professionals, and anyone who manages consumer data at scale, this enforcement action is a pointed reminder that regulatory scrutiny of data security practices now extends well beyond advertising technology and retail media. Privacy law in California applies wherever sensitive consumer data is collected, and the standards applied to highly sensitive categories, including genetic data, health data, and biometric identifiers, are measurably higher than those applied to ordinary personal information.
Timeline
- 2006: 23andMe founded in San Francisco as a direct-to-consumer genetic testing company.
- 2014: 23andMe and MyHeritage announce a partnership, encouraging customers to link accounts across both platforms.
- February 2016: California Attorney General publishes a data breach report recommending multi-factor authentication for consumer accounts holding sensitive personal information.
- 2017: MyHeritage suffers a data breach exposing credentials of over 92 million users. A senior 23andMe cybersecurity team member became aware of this breach by 2018.
- 2017: Federal Trade Commission publishes data security guidance specifically warning about credential stuffing and recommending multi-factor authentication.
- 2020: Center for Internet Security classifies credential stuffing as a "very high" frequency threat.
- January 2022: New York Attorney General's office publishes a business guide detailing credential stuffing defenses.
- Late April/early May 2023: Threat actor begins breaching 23andMe systems using credential stuffing.
- May 1-16, 2023: First window of credential-stuffing attempts creating anomalous login patterns, undetected by 23andMe.
- July 6, 2023: 23andMe engineering team observes over one million logins to a single account in a single day, with a single actor submitting 1,300 login requests per minute from one IP address. No remedial action taken.
- August 11, 2023: Dark web post advertises stolen 23andMe data. Public Reddit post on the 23andMe subreddit flags the sale. 23andMe opens and closes a four-day investigation without discovering the breach.
- September 12-18, 2023: Second window of credential-stuffing attempts, again undetected.
- October 1, 2023: Data from 23andMe customers - including approximately 1.1 million records targeting Ashkenazi Jewish and AAPI users - appears for sale on the 23andMe subreddit and a dark web forum. 23andMe later claims this was the date it first discovered the breach.
- October 6, 2023: 23andMe publishes a blog post acknowledging "suspicious activity" while stating it has "no indication" of a data security incident within its systems.
- October 7-8, 2023: Threat actor contacts Wojcicki, a 23andMe employee, and a spouse of a 23andMe employee directly.
- October 8-25, 2023: 23andMe negotiates privately with the threat actor while publicly downplaying the breach.
- October 10, 2023: 23andMe initiates a global password reset - more than five months after the breach began.
- October 17-18, 2023: Threat actor posts additional 23andMe data on BreachForums.
- Late October 2023: 23andMe pays $400,000 in cryptocurrency to the threat actor.
- November 6, 2023: 23andMe requires multi-factor authentication for customer accounts for the first time.
- June 1, 2024: Tolling agreement between the California Attorney General and 23andMe becomes effective, pausing statute of limitations.
- March 23, 2025: 23andMe files voluntary Chapter 11 bankruptcy petitions in the U.S. Bankruptcy Court for the Eastern District of Missouri.
- July 2025: California Attorney General secures $1.55 million settlement with Healthline Media - the largest CCPA penalty to that point.
- November 2025: California Attorney General secures $1.4 million settlement with Jam City for mobile app CCPA violations.
- November 6, 2025: California Office of Administrative Law approves Delete Act regulations establishing the consumer data deletion platform.
- January 1, 2026: Updated CCPA requirements under Assembly Bills 137 and 566 take effect.
- January 5, 2026: California Assembly Member Christopher Ward introduces legislation that would ban the sale of sensitive personal information to third parties.
- February 2026: California Attorney General secures $2.75 million settlement with Disney over streaming opt-out failures.
- May 27, 2026: California Attorney General Rob Bonta files lawsuit against Chrome Holding Co. and ChromeCo, Inc. (formerly 23andMe) in San Francisco Superior Court.
- May 28, 2026: California Department of Justice publishes press release announcing the lawsuit.
Summary
Who: California Attorney General Rob Bonta, on behalf of the People of the State of California, filed the lawsuit against Chrome Holding Co. (formerly 23andMe Holding Co.) and ChromeCo, Inc. (formerly 23andMe, Inc.), both Delaware corporations headquartered in San Francisco.
What: A civil lawsuit alleging violations of the Genetic Information Privacy Act, the California Consumer Privacy Act, the False Advertising Law, and the Unfair Competition Law. The complaint alleges that 23andMe failed to implement reasonable security procedures before and during a 2023 data breach affecting nearly 7 million customers, paid a $400,000 cryptocurrency ransom to the threat actor while publicly denying a security incident had occurred within its systems, and made misleading statements about its data security practices, the severity of the breach, and the technical limits of its DNA Relatives feature.
When: The breach ran undetected from late April 2023 through October 2023. The company publicly acknowledged it on October 6, 2023. The lawsuit was filed May 27, 2026.
Where: The breach originated within 23andMe's systems, which were maintained at its San Francisco principal place of business. Stolen data was posted on BreachForums, a dark web cybercrime board. The lawsuit was filed in the Superior Court of California, City and County of San Francisco.
Why: California law - specifically GIPA, the CCPA, and the Reasonable Data Security Law - imposes heightened obligations on companies that collect and maintain genetic data. The complaint argues that 23andMe failed those obligations by ignoring known threats including credential stuffing, failing to detect a threat actor operating inside its systems for five months, paying a ransom it did not disclose, and making public statements that obscured the severity of one of the most consequential privacy incidents involving genetic data in consumer technology history.