California AG sues 23andMe over 2023 genetic data breach

Sources: The Register

California AG sued 23andMe's successor in May 2026 over a 2023 breach exposing 7 million users' data.

Why it matters: The lawsuit spotlights legal and compliance risks for companies handling sensitive genetic information, emphasizing obligations to secure data and transparently report breaches under California law.

  • The October 2023 breach exposed data from nearly 7 million users, including 855,541 Californians.
  • Attackers used credential stuffing with 2017 MyHeritage credentials to access about 14,000 accounts.
  • Lawsuit alleges 23andMe paid ransom to attackers and misled consumers about the breach's extent.
  • 23andMe filed for bankruptcy in March 2025 and rebranded as Chrome Holding Co.; settled a related class-action for $50 million in 2024.

In October 2023, nearly 7 million 23andMe customers had sensitive information exposed in a data breach, including raw genetic data, health reports, and familial details. Among those affected were 855,541 California residents. The breach occurred through credential stuffing, an attack in which credentials stolen from one service are replayed against another: passwords from a 2017 MyHeritage breach were reused to access approximately 14,000 accounts.

The compromised data, including DNA and locations of relatives, raised significant privacy concerns, prompting California Attorney General (AG) Rob Bonta to take legal action. AG Bonta’s office highlighted the breach’s severity amid growing concerns about misuse of genetic data and compliance with state privacy laws.

In May 2026, California AG Bonta filed suit against Chrome Holding Co., the name 23andMe adopted after its March 2025 bankruptcy filing. The lawsuit alleges the company failed to implement adequate security measures, paid a ransom to the attackers, and provided misleading information to customers regarding the breach’s impact. Bonta stated, "23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach." [California AG statement]

Earlier, in 2024, 23andMe agreed to a $50 million class-action settlement addressing the breach’s fallout. The ongoing litigation reflects increasing legal scrutiny of companies handling genetic and health data, and underlines the need for robust cybersecurity and transparent breach responses in compliance with evolving regulatory standards.

By the numbers:

  • 7 million users affected — total breached in October 2023 incident
  • 855,541 California residents — users whose data was exposed
  • $50 million — 2024 class-action settlement paid by 23andMe

What's next: The lawsuit's progress is expected to clarify legal precedent for genetic data privacy and breach disclosures under California law.