California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach

Data Breaches California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach Attorney General Rob Bonta filed the lawsuit against Chrome Holding Co., which 23andMe rebranded under after filing for bankruptcy last March. By Associated Press | May 29, 2026 (7:12 AM ET) Flipboard Reddit Whatsapp Whatsapp Email California’s attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people across the country. Attorney General Rob Bonta filed the lawsuit against Chrome Holding Co., which 23andMe rebranded under after filing for bankruptcy last March. 23andme is known for its direct-to-consumer DNA test kits that provided customers information on their ancestry and genetic predispositions for certain health conditions. The lawsuit calls for various civil penalties against 23andMe and injunctions blocking the company from further violations of California’s privacy protection laws. The company has acknowledged that it suffered a major security breach in 2023 that resulted in about 14,000 accounts accessed, through which they were able to steal the data of nearly 7 million customers. The cyberattack utilized “credential stuffing,” which takes advantage of customers’ tendency to use weak or common passwords or reuse passwords between multiple accounts. Bonta’s office said this was a well-known attack that businesses should know to guard against. The attackers used stolen user account credentials including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe’s former partners. After that breach, 23andMe did not take common protocols such as asking customers to reset their passwords or use multifactor authentication. 23andMe did not immediately respond to an emailed request for comment. Advertisement. Scroll to continue reading. “23andMe’s security measures were so lax that the threat actor was able t