California Sues 23andMe Over Data Breach Affecting 7 Million Users

The California Attorney General’s Office has filed a lawsuit against Chrome Holding Co., formerly known as 23andMe. The complaint alleges that the company failed to implement adequate safeguards for customer data, leading to a massive 2023 data breach.

Cybercriminals employed a "credential stuffing" technique, exploiting previously stolen login credentials to compromise user accounts. For months, attackers operated undetected, stealing data from nearly 7 million individuals. Clients with Chinese and Ashkenazi Jewish ancestry were disproportionately targeted, with their information later surfacing for sale on the dark web.

The lawsuit highlights that 23andMe delayed investigating the incident until hackers publicly listed the data for sale and demanded ransom. The company has faced prior legal action over the breach and previously settled a class-action lawsuit for $30 million.

23andMe, a pioneer in at-home DNA testing, has encountered financial challenges in recent years. In 2025, the company filed for bankruptcy, with its assets acquired by the nonprofit TTAM Research Institute for $305 million.