California’s attorney general is suing the consumer genetic testing company formerly known as 23andMe, alleging the company failed to protect its customers’ sensitive personal information during a massive data breach in 2023 that exposed the ancestry and genetic data of nearly 7 million people.
Attorney General Rob Bonta filed a lawsuit Thursday in San Francisco Superior Court against Chrome Holding Co., formerly known as 23andMe, accusing the company of failing to properly investigate or respond to numerous warnings that its systems had been compromised. The company’s mailed self-test kits became synonymous with DNA testing before it declared bankruptcy in 2025.
In 2023, cybercriminals breached 23andMe’s systems using a “credential-stuffing attack,” which involves bombarding online accounts with huge sets of usernames and passwords stolen in previous, unrelated attacks. In just a few months, intruders managed to steal the personal data of more than 6.9 million people.
“23andMe’s security measures were so lax that the malicious actor was able to operate undetected in 23andMe’s systems for more than five months and, remarkably, 23andMe only began investigating after the malicious actor offered the stolen user data for sale on the dark web and contacted 23andMe to demand a ransom,” Bonta’s office said in the complaint.
The San Francisco-based company, which allowed people to submit genetic material and get a snapshot of their ancestry, revealed in October 2023 that hackers had accessed its customers’ information during a prolonged data breach targeting customers of Chinese or Ashkenazi Jewish descent. The stolen data of more than a million Ashkenazi Jewish and Asian Pacific Islander users was later put up for sale on the dark web.
“The sale of this data on the dark web took place during a period of rising anti-Asian and Pacific Islander, anti-Semitic hatred and violence,” Bonta said in a press release. “It’s worrying and incredibly dangerous.”
A lawsuit filed in January 2024 accused the company of not doing enough to protect its customers and failing to notify some customers that their data had been specifically targeted. The company later settled the lawsuit for $30 million.
Representatives for 23andMe did not immediately respond to a request for comment.
At its peak, 23andMe became the best-known name in the emerging field of DNA self-tests, with users paying more than $99 for kits that gave them insight into their genetic makeup, potential parents and ancestry. But the company’s momentum has slowed in recent years after its $3.5 billion IPO in 2021.
Last July, TTAM Research Institute, a nonprofit led by Anne Wojcicki, co-founder and former CEO of 23andMe, acquired 23andMe’s assets for $305 million.