
California Takes Legal Action Against 23andMe Over Genetic Data Breach in 2023


California Attorney General Files Suit Against 23andMe for Security Failures and Deceptive Practices

In a significant legal action, California Attorney General Rob Bonta initiated a lawsuit on May 27, 2026, against Chrome Holding Co., the entity overseeing the remaining assets of the DNA testing company 23andMe following its bankruptcy. This legal complaint arises from allegations regarding severe security vulnerabilities and deceptive practices linked to a notable data breach that occurred in 2023. The lawsuit asserts that 23andMe neglected to implement adequate security measures and violated a variety of state privacy and consumer protection regulations. Furthermore, it claims the company made misleading statements regarding its security protocols, which exacerbated the fallout from the breach.

The breach in question began with a series of credential stuffing attacks against the 23andMe login page, in which cybercriminals replayed usernames and passwords previously leaked from other websites to log in to accounts whose owners had reused those credentials. Only approximately 14,000 accounts were directly compromised in this way, but the attackers operated inside the platform undetected for an alarming five-month period. During that time, the intruders abused the platform's "DNA Relatives" feature, designed to let users discover biological relationships through DNA similarity, to harvest data from an estimated 7 million customers who had never been logged into directly.

According to the legal filing, a critical coding flaw within the DNA Relatives feature enabled the attackers to scrape data from millions of users linked by biological ties to the accounts that had been breached. The stolen genetic data disclosed sensitive information about individuals' ethnic origins and was reportedly sold on the dark web, with listings that allowed buyers to target distinct ethnic demographics, notably Asian American Pacific Islander and Jewish customers. In the aftermath of the breach, 23andMe sent communications to the victims' legal representatives in which the company blamed users for reusing passwords and claimed that the exposed data would not result in financial harm. These assertions have since become focal evidence in the state's legal case.
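The two abuse patterns the article describes, credential stuffing against the login page and bulk harvesting of relative profiles through a handful of compromised accounts, both leave a measurable trace in ordinary authentication and access logs. The following Python is an added example written for this page, not code from 23andMe or Malwarebytes; the log events, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Detection heuristics for the two abuse patterns described above:
credential stuffing against a login endpoint, and bulk scraping of a
'relatives' feature by a small number of already-compromised accounts.
All events below are constructed for this example, not real log data."""
from collections import defaultdict

# Constructed events: (timestamp_seconds, source_ip, username, event, ok)
# event is "login" or "relatives_view"; ok is True when the request succeeded.
EVENTS = (
    # 203.0.113.7 cycles through 8 leaked usernames; 2 reused passwords still work
    [(i, "203.0.113.7", f"user{i}", "login", i in (3, 6)) for i in range(8)]
    # a legitimate user mistypes her password twice, then logs in
    + [(10, "198.51.100.4", "carol", "login", False),
       (12, "198.51.100.4", "carol", "login", False),
       (15, "198.51.100.4", "carol", "login", True)]
    # compromised user3 pulls 40 relative profiles in two minutes;
    # carol browses 5 profiles spread over roughly an hour
    + [(100 + 3 * i, "203.0.113.7", "user3", "relatives_view", True) for i in range(40)]
    + [(200 + 700 * i, "198.51.100.4", "carol", "relatives_view", True) for i in range(5)]
)

def detect_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames with a low success rate.
    A user mistyping a password hits one username; a credential stuffing run
    walks a leaked list and hits many, most of which fail."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, ip, user, event, ok in events:
        if event != "login":
            continue
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["ok"] += int(ok)
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users
                  and s["ok"] / s["attempts"] <= max_success_rate)

def detect_relative_scraping(events, window=600, max_views=20):
    """Flag accounts that view more relative profiles inside any `window`-second
    sliding window than a person browsing the feature plausibly would."""
    views = defaultdict(list)
    for ts, _, user, event, ok in events:
        if event == "relatives_view" and ok:
            views[user].append(ts)
    flagged = []
    for user, stamps in views.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_views:
                flagged.append(user)
                break
    return sorted(flagged)
```

Running both detectors over EVENTS flags only the stuffing IP and the scraping account; the legitimate user's failed logins and slow browsing stay below both thresholds.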

The ramifications of the data breach were far-reaching, impacting 855,541 residents of California alone. In light of these circumstances, Bonta’s office is pursuing statutory penalties that range from $1,000 to as much as $7,500 for each violation of the law. However, recovery for affected individuals may be complicated due to the fact that 23andMe filed for Chapter 11 bankruptcy in March 2025 and subsequently sold off the majority of its assets—including genomic data belonging to over 15 million customers—to TTAM Research Institute for a reported $305 million.

Various regulatory bodies have already imposed penalties on 23andMe for the breach. Notably, the UK’s Information Commissioner’s Office recently imposed a fine of £2.31 million, while a class-action settlement in the United States, approved in January 2026, resulted in a $50 million payout covering most of the claims made by customers affected by the breach.

In light of these developments, experts are advising affected customers to take immediate steps to bolster their cybersecurity. Users are encouraged to reset any passwords that were reused across multiple platforms and to enable multi-factor authentication wherever possible. They should also remain vigilant for phishing attempts that reference 23andMe or this specific breach. Unlike traditional data breaches, where a compromised password or card number can simply be changed, the stolen genetic data now circulating on the dark web represents a permanent loss of privacy, which underscores the unique risks associated with DNA testing services.

As the legal proceedings continue to unfold, the implications of this case extend beyond individual privacy concerns. They raise critical questions about the accountability of companies in handling sensitive genetic data and the responsibilities they bear toward their customers in safeguarding such information. The outcome of the lawsuit will not only affect the involved parties but may also set important precedents for the industry as a whole. As consumers become increasingly wary of data privacy, cases like this will likely influence public perception and regulatory approaches to genetic testing services in the future.

Source: Malwarebytes Blog
