California Attorney General Rob Bonta is suing Chrome Holding Co. (formerly 23andMe) over a 2023 data breach that exposed nearly 7 million users' genetic profiles. Attackers used credential stuffing—testing stolen passwords from other breaches—to access 14,000 accounts, then exploited DNA-sharing features to scrape millions more profiles. The breach exposed immutable genetic data, ancestry reports, and health predispositions that cannot be reset like a password.
The lawsuit alleges the company failed to implement basic security measures, ignored red flags for months, and then misled customers about the breach's severity.
What happened in the 23andMe data breach?
Between April and September 2023, a threat actor used credential stuffing—testing username and password combinations stolen from other breaches—to access approximately 14,000 23andMe accounts. The attacker didn't stop there. By exploiting 23andMe's DNA Relatives feature, which lets users share genetic data with potential relatives, they scraped profile information for an additional 5.5 million users. Another 1.4 million profiles were exposed through the Family Tree feature.
The breach went undetected for five months. 23andMe only learned about it in October 2023 when the stolen data appeared for sale on the dark web. According to the lawsuit, the company failed to investigate earlier warning signs: a suspicious spike of 400 profile transfer attempts in July and a Reddit post in August claiming a breach had occurred.
How did basic security failures enable the attack?
Figure: credential stuffing attack cascade visualization
The lawsuit details a cascade of preventable failures. Attackers used credentials from a 2017 MyHeritage breach—a genealogy company that had partnered with 23andMe. Despite knowing about that breach, 23andMe never checked for credential reuse or forced password resets.
Multi-factor authentication (MFA) was optional. At the time of the breach, less than 22% of users had enabled MFA or single sign-on. For 78% of customers, a reused password was the only barrier protecting ancestry reports, health data, and DNA profiles.
There was no rate limiting to throttle login attempts. The attacker logged into one account over a million times in a single day in July 2023, causing the platform to stop working temporarily. 23andMe investigated the incident but failed to recognize it as part of a broader attack.
What California privacy laws did 23andMe allegedly violate?
The lawsuit alleges violations of five California statutes:
- California's Genetic Information Privacy Act (GIPA), which requires heightened protections for genetic data and mandates reasonable security measures. Willful violations carry penalties of $1,000 to $10,000 per violation.
- Reasonable Data Security Law, requiring companies to maintain procedures appropriate to the sensitivity of data collected.
- California Consumer Privacy Act (CCPA), violated through failures to protect personal information.
- False Advertising Law and Unfair Competition Law, for allegedly misleading customers about security practices and breach severity.
Bonta's complaint notes that 855,541 Californians were affected. Each violation is separately actionable, and the AG is seeking civil penalties that could total "multiple millions."
Why genetic data breaches are different
Unlike passwords or credit card numbers, genetic data is permanent. You can't reset your DNA sequence. The stolen information included raw genetic data, health predisposition reports, ethnicity estimates, family surnames, and shared DNA percentages with relatives.
The breach had a targeted dimension: data from approximately 1.1 million Asian-Pacific Islander and Ashkenazi Jewish users was specifically marketed on the dark web. The lawsuit notes this occurred "amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence."
Genetic information can reveal not just your health risks, but your relatives' risks. The DNA Relatives feature meant one compromised account exposed dozens or hundreds of connected profiles—a cascading effect unique to interconnected biological data.
What happened after the breach was disclosed
According to the lawsuit, 23andMe downplayed the severity and shifted blame to users for reusing passwords. The company initially claimed it had not experienced a "data security incident within its systems."
Behind the scenes, 23andMe was negotiating and paying a ransom to the threat actor. In exchange, the attacker agreed to remove damaging posts about the breach and provided information about multiple security vulnerabilities in 23andMe's systems—including the ones exploited during the attack.
23andMe agreed to a $50 million class-action settlement in early 2025. By March 2025, the company filed for Chapter 11 bankruptcy, citing the data breach and related litigation as contributing factors. The company was subsequently purchased and rebranded as Chrome Holding Co.
What this means for platforms collecting sensitive data
The 23andMe case is a blueprint for how not to handle credential-based attacks. If your platform collects health data, biometrics, or any immutable identifiers:
- MFA should be mandatory, not optional, especially for accounts holding sensitive data. Waiting until after a breach to enforce it is too late.
- Check user passwords against known breach databases at registration and login. NIST SP 800-63B explicitly recommends this.
- Implement rate limiting on authentication endpoints. A million login attempts in one day should trigger automated blocks and alerts.
- Monitor for credential stuffing patterns: failed logins from distributed IPs followed by successful authentication from unfamiliar locations.
- Investigate anomalies immediately. A spike in profile transfer attempts or a Reddit claim about a breach isn't noise—it's a signal.
If you're building user-facing features that amplify access (like DNA Relatives), threat-model how one compromised account cascades through your system. Scan your site to identify security header misconfigurations and tracking risks before they become litigation.
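The controls listed above (a breach-list check on passwords, rate limiting on the login endpoint, and detection of the failed-logins-from-many-IPs-then-success pattern) can be sketched in a few dozen lines. The following is an added example written for this article, not code from 23andMe or from the lawsuit; the log lines, IP addresses, account names and the breached-password corpus are all constructed for illustration, and the thresholds are arbitrary starting points rather than recommended values.

```python
"""Added example: sketches of three of the controls discussed above, run over
constructed authentication events. Nothing here is 23andMe's own code."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: "<timestamp> <account> <source_ip> <country> <outcome>".
# alice shows the stuffing shape: failures from several IPs, then a success
# from a country never seen for that account. bob is an ordinary typo-then-login.
AUTH_LOG = [
    "2023-07-12T02:00:01 alice@example.test 203.0.113.10 DE fail",
    "2023-07-12T02:00:02 alice@example.test 203.0.113.11 DE fail",
    "2023-07-12T02:00:03 alice@example.test 198.51.100.5 NL fail",
    "2023-07-12T02:00:04 alice@example.test 198.51.100.6 NL fail",
    "2023-07-12T02:00:05 alice@example.test 192.0.2.77 RO success",
    "2023-07-12T09:15:00 bob@example.test 192.0.2.1 US fail",
    "2023-07-12T09:15:05 bob@example.test 192.0.2.1 US success",
]

# Constructed per-account location history (e.g. countries of prior good logins).
KNOWN_COUNTRIES = {"alice@example.test": {"US"}, "bob@example.test": {"US"}}

# Constructed stand-in for a breached-password corpus, stored as SHA-1 hex
# digests the way a k-anonymity range lookup (5-char prefix) expects them.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "qwerty", "letmein")
}


def parse_line(line):
    ts, account, ip, country, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ip, "country": country, "outcome": outcome}


def detect_stuffing(lines, window=timedelta(minutes=10), min_fails=3, min_ips=3):
    """Flag accounts where a success follows >= min_fails failures from
    >= min_ips distinct IPs inside `window`, and the success comes from a
    country not in that account's known-location set."""
    by_account = defaultdict(list)
    for ev in map(parse_line, lines):
        by_account[ev["account"]].append(ev)
    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["outcome"] != "success":
                continue
            prior = [e for e in events[:i]
                     if e["outcome"] == "fail" and ev["ts"] - e["ts"] <= window]
            ips = {e["ip"] for e in prior}
            unfamiliar = ev["country"] not in KNOWN_COUNTRIES.get(account, set())
            if len(prior) >= min_fails and len(ips) >= min_ips and unfamiliar:
                alerts[account] = {"fails": len(prior), "distinct_ips": len(ips),
                                   "success_from": ev["country"]}
    return alerts


def rate_limit_exceeded(lines, account, window=timedelta(minutes=1), max_attempts=4):
    """Sliding-window check: True if any attempt would have pushed the
    account past `max_attempts` inside `window` (i.e. should have been throttled)."""
    times = sorted(e["ts"] for e in map(parse_line, lines) if e["account"] == account)
    for i, t in enumerate(times):
        recent = [u for u in times[:i + 1] if t - u <= window]
        if len(recent) > max_attempts:
            return True
    return False


def password_is_breached(password):
    """Prefix-based breach check: only the 5-char SHA-1 prefix would need to
    leave the host in a real range-API lookup; the suffix match happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


if __name__ == "__main__":
    print("stuffing alerts:", detect_stuffing(AUTH_LOG))
    print("alice throttled:", rate_limit_exceeded(AUTH_LOG, "alice@example.test"))
    print("'password123' breached:", password_is_breached("password123"))
```

On the constructed log, only alice is flagged: four failures from four distinct IPs inside the window, then a success from a country the account had never logged in from. The same data also trips the sliding-window limit, which is the point of the article's rate-limiting item: a throttle would have stopped the run before the detection rule ever fired. The breach check mirrors the registration/login control the article attributes to NIST SP 800-63B; in production the local set would be replaced by a range lookup against a real corpus, sending only the hash prefix.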
Frequently Asked Questions
How many people were affected by the 23andMe data breach?
Nearly 7 million users had their data exposed, though only 14,000 accounts were directly accessed. The breach cascaded through 23andMe's DNA Relatives and Family Tree features, exposing connected users' genetic profiles.
What type of data was stolen in the 23andMe breach?
Stolen data included raw genetic profiles, ancestry reports, ethnicity estimates, health predisposition information, family surnames, birth years, locations, and shared DNA percentages with relatives—information that cannot be changed like a password.
What is credential stuffing and how did it affect 23andMe?
Credential stuffing is an attack where hackers use username-password pairs stolen from other breaches to access accounts on different platforms. 23andMe users who reused passwords from compromised sites became entry points for the attacker.
What penalties does California's Genetic Information Privacy Act impose?
GIPA authorizes civil penalties of $1,000 to $10,000 per willful violation, plus court costs. Each violation is separately actionable, meaning fines can multiply rapidly across millions of affected users.
Did 23andMe know about security vulnerabilities before the breach?
Yes. The lawsuit alleges 23andMe's security team knew about the 2017 MyHeritage breach (which exposed credentials later used in the attack) and observed suspicious activity months before discovering the breach in October 2023.
What happened to 23andMe after the breach?
The company agreed to a $50 million class-action settlement, filed for Chapter 11 bankruptcy in March 2025, and was sold and rebranded as Chrome Holding Co. California's lawsuit is separate from the bankruptcy settlement.
