California Sues Former 23andMe Over Data Breach

California Attorney General Rob Bonta is suing the genetic testing giant 23andMe, now known as Chrome Holding Co., over the 2023 breach that exposed sensitive genetic data of nearly 7 million users. The lawsuit alleges inadequate security measures.

The 23andMe logo in front of the California Attorney General's office with a broken shield icon.

What Happened

Things just went from bad to worse for 23andMe. After months of grappling with the fallout from a massive data breach, the company is now facing the wrath of the state of California. Attorney General Rob Bonta announced a major lawsuit against the once-celebrated genetic testing firm, which now operates under the name Chrome Holding Co. The reason? The company allegedly failed to do its job in protecting the most intimate information of millions of people: their DNA data.

This isn't just another cybersecurity lawsuit. The subject matter is the unchangeable, fundamental building block of a person—their genetic code. A statement from Bonta's office emphasizes that 23andMe failed to implement "basic security measures" against a type of attack that has been well-known for years. In other words, this wasn't a surprise; it was a foreseeable disaster, and the company essentially left the door wide open. The lawsuit alleges that the company's negligence violated California's Consumer Privacy Act (CCPA) and other laws. This could end with more than just a fine; it could set a precedent that fundamentally changes the data-handling practices of the entire industry. The AG claims the company not only had weak security but also tried to shift blame to its users after the breach, shirking responsibility. This move is a clear signal of how aggressive states are becoming in holding major tech and data companies accountable.

Data Compromised

The list of what was stolen is chilling. This is far more than an email and password leak. The attackers gained access to a treasure trove of users' most personal details. So what's on the list?

  • Full Names: The first step for identity theft.
  • Birth Year: A key piece of information for social engineering and fraud.
  • Genetic Ancestry Results: Users' ethnicity percentages. This information can be weaponized for discrimination and hate crimes, especially against specific groups.
  • Geographical Location Data: Information about where their ancestors came from.
  • Profile Photos: A direct violation of personal privacy.
  • Potential Health Information: Health data that could be inferred from genetic predisposition test results.
  • Family Connections: Through the "DNA Relatives" feature, one person's breach meant the exposure of thousands of their relatives.

Remember, you can change your password. You can cancel your credit card. You can't change your DNA. Once this data is out, it's out forever. The fact that attackers specifically targeted and created lists of users with Ashkenazi Jewish and Chinese ancestry, then sold them on dark web forums, shows just how dangerous this can get. It's nothing short of digital ethnic profiling. We see how immense a responsibility the company took on by collecting such sensitive data, and how it failed to live up to that responsibility. Keeping up with the latest Data Breach News makes it clearer just how devastating the consequences of such genetic data breaches can be.

How the Attack Happened

There's an argument at the core of the company's defense: "Our systems weren't hacked, the users are at fault." So what does that mean? The attack was carried out using a method technically known as "credential stuffing." You can think of it like a thief with thousands of old keys, trying every single one on all the doors in a neighborhood.

Here's how it works: Attackers take billions of username and password combinations obtained from previous data breaches on other platforms (like LinkedIn, MyFitnessPal, etc.). They then use automated software to try these lists on 23andMe's login page. Since many people reuse the same password across different platforms, some of these attempts are successful. So yes, technically, no virus infiltrated 23andMe's servers. But as Attorney General Bonta points out, that's precisely the problem. Why didn't 23andMe have adequate protections against this extremely common and predictable type of attack? Why didn't it make multi-factor authentication (MFA) mandatory for all users? This is the crux of the lawsuit.

Even worse, the attackers didn't stop once they got into an account. 23andMe's "DNA Relatives" feature allows users to see others with whom they are genetically linked. Using the small number of accounts they compromised, the attackers scraped the data of millions of connected users via this feature. So one person's weak password led to the theft of data from thousands of their relatives. This demonstrates how a flaw in the company's platform design can create a massive snowball effect.

Who Was Affected

The numbers are staggering. In total, the data of approximately 6.9 million people was impacted by this breach. It's important to break this figure into two groups:

  1. Directly Affected: About 1.4 million users. These are the individuals whose accounts were directly compromised through the credential stuffing attack, giving attackers access to their most detailed information, like genetic health reports.
  2. Indirectly Affected: About 5.5 million users. Although their accounts weren't directly hacked, their profile information (name, ancestry, profile photo, etc.) was stolen via the "DNA Relatives" feature.

This means that nearly the company's entire user base was affected in some way. One of the most disturbing aspects of the attack was the targeting of specific ethnic groups. On the dark web, data lists specifically for users of "Ashkenazi Jewish" and "Chinese" descent were put up for sale. This grimly illustrates that cybercrime is no longer just about financial gain; it has become a tool for hate and discrimination.

What You Can Do

If you are or were a 23andMe user, there are some steps you should take, without panicking. Here is a specific, non-cliché list for you:

  • Find Out if You Were Actually Affected: Check if the company sent you an email. But be wary of these emails, as phishers might impersonate them. One of the most reliable methods is to check if your email address has appeared in other breaches. You can use a trusted Data Breach Search tool for this. This will also give you an idea of your overall digital hygiene.
  • Change Your Password Now and Make It Unique: Change your 23andMe password immediately. More importantly, make sure this new password is completely unique and not used anywhere else. Using a password manager is a lifesaver here.
  • Enable Multi-Factor Authentication (MFA): As the lawsuit highlights, this one thing could have largely prevented the attack. Go into your 23andMe account's security settings and enable MFA (via an app like Google Authenticator or Authy) right now. This prevents access to your account even if your password is stolen.
  • Review 'DNA Relatives' Settings: We've seen what a huge risk this feature became. Go to your settings and review your participation in this feature. You can limit how much of your data is visible to other users or opt out entirely. Your privacy might be more important than finding a distant cousin you never knew you had.

What the Company Says

23andMe's stance since the beginning of this crisis has been highly controversial. The company has repeatedly argued that its own security systems were not breached and that the problem was entirely due to users using weak and recycled passwords. A spokesperson made statements to the effect of, "We regularly remind users not to reuse passwords and to take strong security precautions." While technically true, this was widely perceived by the public as "blaming the customer" and drew significant backlash.

The California AG's lawsuit targets this exact defense. The legal argument is that a company holding the most sensitive data of millions of people has a duty to anticipate that users will make mistakes and must implement systems (like mandatory MFA) to protect them against those mistakes. Simply saying "we warned them" isn't enough. The company's recent name change to Chrome Holding Co. is also telling. While part of a corporate restructuring, many interpret this move as an attempt to refresh its image and distance itself from the tarnished 23andMe name. But changing a name doesn't erase responsibility. It seems this lawsuit, whether against the old name or the new, isn't going away anytime soon.

Source

https://databreaches.net/2026/05/29/california-ag-bonta-sues-chrome-holding-co-formerly-known-as-23andme-over-2023-data-breach/
