California moves against a genetic data company
California Attorney General Rob Bonta has sued the company formerly known as 23andMe, now Chrome Holding Co., over the 2023 breach that exposed sensitive information from 7 million users. According to the source text, 855,541 of those affected users were California residents.
The suit targets both security practices and customer communication. Bonta accuses the company of failing to protect highly sensitive personal and genetic information, including health-related genetic data, ancestry and ethnicity details, and information connected to biological relatives.
The state’s case
23andMe previously said bad actors gained access through credential stuffing, using stolen login details from earlier breaches. But the California complaint, as summarized in the article, argues that a company handling genetic data should have anticipated that attack method and defended against it.
Bonta’s argument goes further. He says 23andMe knew about a breach at MyHeritage, another genealogy platform it worked with, but did not prevent credential reuse or adequately check for it. The article also says 23andMe had encouraged users to sign up for MyHeritage accounts, making the overlap more significant.
How the breach widened
The lawsuit does not center only on initial account takeovers. According to the source, attackers first accessed roughly 14,000 accounts through credential stuffing, then used a weakness in the DNA Relatives feature to reach data from millions more customers.
Bonta says the company’s security controls were so weak that the attackers operated undetected for five months. He also says the company began investigating only after stolen user data had already appeared for sale on the dark web and after ransom demands emerged.
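As an added example, not code from 23andMe or from the reporting above, the block below shows two detections a defender could run over login and feature-access logs to catch the two stages described in this section: a credential-stuffing run against the login endpoint, and a handful of compromised accounts pulling relatives' profiles at scale. The log layout, field names and thresholds are constructed assumptions.

```python
"""Two detections for the two-stage pattern described above (added example,
not 23andMe code): stage 1, credential stuffing against the login endpoint;
stage 2, a few compromised accounts reading relatives' profiles at scale.
Log format, field names and thresholds are constructed assumptions."""
from collections import defaultdict

# Constructed auth events: (source_ip, username, login_succeeded)
AUTH_LOG = (
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(30)]  # spray
    + [("203.0.113.7", "user31@example.com", True)]                       # one hit
    + [("198.51.100.4", "alice@example.com", False),                      # normal user
       ("198.51.100.4", "alice@example.com", True)]
)

# Constructed feature-access events: (username, relative_profiles_viewed_in_24h)
RELATIVES_LOG = [("alice@example.com", 12), ("bob@example.com", 40),
                 ("user31@example.com", 9800)]


def detect_credential_stuffing(events, min_distinct=20, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames and mostly fail.
    A legitimate user mistyping a password fails repeatedly on ONE username;
    a stuffing run fails across MANY usernames from the same source."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        stats["fails"] += (not ok)
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_distinct
                  and s["fails"] / s["total"] >= min_fail_ratio)


def detect_relative_scraping(events, multiplier=10):
    """Flag accounts whose relative-profile reads exceed multiplier x the
    population median: this is how one takeover becomes thousands of records."""
    counts = sorted(n for _, n in events)
    median = counts[len(counts) // 2]
    return sorted(user for user, n in events if n > multiplier * median)


if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(AUTH_LOG))
    print("scraping accounts:", detect_relative_scraping(RELATIVES_LOG))
```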
Disclosure and harm
Another major point in the lawsuit is that 23andMe allegedly downplayed the breach when informing customers. Bonta argues the company omitted critical information and claimed the DNA Relatives feature was essentially public, even while it was privately negotiating with the attackers.
The source text adds an especially serious dimension: the dataset for sale reportedly highlighted information involving Asian American and Pacific Islander users, as well as Jewish users. In the state’s telling, that context raised the risk of targeted misuse beyond ordinary privacy exposure.
Why this case matters
This is not just another breach suit against a consumer technology company. It involves genetic data, which carries a different level of sensitivity because it can reveal health predispositions, family links and ancestry traits that users cannot simply reset like a password. The California case therefore tests how far data-protection expectations rise when the underlying information is biologically intimate and potentially enduring.
For the wider industry, the lawsuit is also a warning about familiar attack methods. Credential stuffing is not novel, and the state’s position appears to be that common attack patterns do not excuse weak defenses, especially when companies are entrusted with unusually sensitive records.
The case could shape expectations around both security architecture and breach disclosure in consumer genomics. At minimum, it shows regulators are prepared to treat genetic-data failures as more than standard cyber incidents.
This article is based on reporting by Engadget.
Originally published on engadget.com