
California Attorney General Rob Bonta filed a lawsuit Thursday against Chrome Holding Co., the legal entity associated with consumer genetics company 23andMe, alleging the company failed to adequately protect customer data and misrepresented the severity of a 2023 data breach that exposed sensitive personal and genetic information belonging to an estimated 6.9 million U.S. customers.
The complaint, filed in San Francisco Superior Court, alleges that the company ignored multiple warnings that its systems had been compromised and failed to take sufficient measures to safeguard customer information. The breach began in April 2023 and continued for approximately five months, affecting about 856,000 California residents.
State officials said the exposed information included customers’ health-related data, genetic predispositions, biological relationships, ancestry details and ethnicity information. The lawsuit also alleges that threat actors later offered portions of the stolen data for sale online, including information linked to users of Asian American Pacific Islander and Jewish ancestry.
Bonta said the state’s investigation found that the company failed to implement basic security protections and misled consumers about the scope and seriousness of the incident. He described the breach and the company’s response as unacceptable and said California is seeking civil penalties that could amount to multiple millions of dollars under the state’s Genetic Information Privacy Act and consumer protection laws.
The breach was carried out through a credential-stuffing attack, in which attackers used usernames and passwords obtained from unrelated data breaches to gain access to customer accounts whose credentials had been reused elsewhere.
The lawsuit arrives more than a year after 23andMe filed for Chapter 11 bankruptcy protection in St. Louis in March 2025. The company cited the costs associated with the data breach, related litigation, increased competition and declining demand for genetic testing services as factors contributing to its financial difficulties.
Four months before the lawsuit was filed, a federal bankruptcy judge granted final approval for a settlement fund valued between $30 million and $50 million to resolve most customer claims connected to the breach. The settlement addressed allegations that customers of Chinese and Ashkenazi Jewish ancestry were not informed that the attacker appeared to have specifically targeted their information and offered it for sale online.
Founded in 2006 and headquartered in Palo Alto, California, 23andMe is a genetic testing company known for consumer DNA analysis services. The company went public in 2021.
© 2025, Lyonsdown Limited.