California Attorney General Rob Bonta filed a lawsuit Thursday against Chrome Holding Co., the company formerly known as 23andMe, over a 2023 data breach that exposed the genetic and personal information of nearly 7 million users across the U.S., including 855,541 Californians.
The complaint, filed in San Francisco Superior Court, alleges that 23andMe failed to implement reasonable security measures, ignored known vulnerabilities in its systems, and misled consumers about the severity of the breach. The lawsuit says 23andMe's conduct violated California's Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act.
Attackers gained entry by recycling login credentials harvested from earlier security incidents elsewhere on the web — among them a prior compromise of MyHeritage, a genealogy platform that had previously partnered with 23andMe — ultimately breaking into approximately 14,000 accounts through this technique, known as credential stuffing. What made this especially notable, according to the complaint, is that 23andMe had not only known about the MyHeritage incident but had actively steered its own customers toward creating accounts on that platform — yet it took no steps to detect or prevent those same credentials from being reused to log into 23andMe.








