23andMe Sued by California Over Massive 2023 Data Breach

California’s attorney general is suing the consumer genetics testing company formerly known as 23andMe, alleging the company failed to protect customers’ sensitive personal information in a massive 2023 data breach that exposed the ancestry and genetic data of nearly 7 million people.

Attorney General Rob Bonta filed the lawsuit on Thursday in San Francisco Superior Court against Chrome Holding Co., formerly known as 23andMe, accusing the company of failing to properly investigate or respond to numerous warnings that its systems had been compromised. The company’s mail-in self-testing kits became synonymous with DNA testing before it filed for bankruptcy in 2025.

In 2023, cybercriminals breached 23andMe’s systems by using a “credential-stuffing attack,” which involves bombarding online accounts with huge sets of user names and passwords stolen in previous unrelated attacks. Over a period of months, the intruders were able to make off with the personal data of more than 6.9 million people.

“23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom,” Bonta’s office said in the complaint. 

The San Francisco-based company, which allowed people to submit genetic materials and get a snapshot of their ancestry, revealed in October 2023 that hackers had accessed customer information in the prolonged data breach that targeted customers with Chinese or Ashkenazi Jewish ancestry. The stolen data of more than 1 million Asian-Pacific Islander and Ashkenazi Jewish users was later posted for sale on the dark web. 

“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said in a press release. “This is disturbing and incredibly dangerous.”

A January 2024 lawsuit accused the company of not doing enough to protect its customers and not notifying certain customers that their data had been targeted specifically. It later settled the lawsuit for $30 million.

23andMe representatives didn’t immediately respond to a request for comment.

At its peak, 23andMe became the best-known name in the emerging area of DNA self-testing, with users paying upwards of $99 for kits that gave them insights into their genetic makeup, potential relatives and ancestry. But the company’s momentum slowed down in recent years after its $3.5 billion public offering in 2021.

Last July, TTAM Research Institute, a nonprofit led by Anne Wojcicki, 23andMe’s cofounder and former CEO, acquired 23andMe’s assets for $305 million.    




