
California sues 23andMe over genetic data breach
Story flow and key facts
California Attorney General Rob Bonta filed a lawsuit against 23andMe, now operating as Chrome Holding Company, over a 2023 data breach that compromised the personal and genetic data of nearly 7 million users nationwide, including more than 855,000 Californians. The breach occurred when hackers used 'credential stuffing'—leveraging stolen login data from a prior MyHeritage breach—to infiltrate accounts and exploit a vulnerability in 23andMe’s 'DNA Relatives' feature.
Investigators found that attackers remained undetected in the system for about five months. The stolen data included sensitive details such as ancestry, genetic predispositions, health risk factors, and biological relatives. Shockingly, data from one million users was later advertised for sale on the dark web, with specific targeting of Asian American, Pacific Islander, and Jewish individuals.
California alleges that 23andMe failed to implement basic cybersecurity safeguards and misled consumers about the breach’s severity. The company reportedly paid a $400,000 cryptocurrency ransom to hackers in exchange for the destruction of stolen data and information about security flaws. The lawsuit cites violations of multiple state laws, including the Genetic Information Privacy Act and the California Consumer Privacy Act.
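The breach described above began with credential stuffing: replaying username and password pairs leaked from another service against 23andMe's login, then using the accounts that opened to pull relatives' data through DNA Relatives. From a defender's side, that pattern has a recognisable shape in authentication logs (one source trying many different accounts in a short window, most attempts failing, a few succeeding), and the five months the attackers went unnoticed is the kind of gap this sort of check is meant to close. The following is added example code, not 23andMe's own tooling or anything from the lawsuit; the log format, the sample lines, and the thresholds are all assumptions chosen for the illustration.

```python
"""
Credential-stuffing detector over web-login logs (added example).

Signature looked for: within a sliding time window, a single source IP
attempts logins for many *distinct* accounts and most attempts fail.
Successful logins inside such a window are reported as accounts that
should be treated as compromised (session revocation, forced reset).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not a real 23andMe format):
#   <ISO-8601 UTC timestamp> ip=<addr> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds; tune to the service's real traffic before use.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 8
MIN_FAIL_RATIO = 0.5

# Constructed sample data: one stuffing source cycling through twelve
# accounts with two hits, one legitimate user who mistypes a password
# twice, and one ordinary successful login.
SAMPLE_LOG = """\
2023-04-12T10:00:01Z ip=203.0.113.5 user=u1@example.com result=FAIL
2023-04-12T10:00:04Z ip=203.0.113.5 user=u2@example.com result=FAIL
2023-04-12T10:00:09Z ip=203.0.113.5 user=u3@example.com result=FAIL
2023-04-12T10:00:13Z ip=203.0.113.5 user=u4@example.com result=OK
2023-04-12T10:00:20Z ip=203.0.113.5 user=u5@example.com result=FAIL
2023-04-12T10:00:27Z ip=203.0.113.5 user=u6@example.com result=FAIL
2023-04-12T10:00:33Z ip=203.0.113.5 user=u7@example.com result=FAIL
2023-04-12T10:00:41Z ip=203.0.113.5 user=u8@example.com result=FAIL
2023-04-12T10:00:48Z ip=203.0.113.5 user=u9@example.com result=OK
2023-04-12T10:00:55Z ip=203.0.113.5 user=u10@example.com result=FAIL
2023-04-12T10:01:10Z ip=203.0.113.5 user=u11@example.com result=FAIL
2023-04-12T10:01:30Z ip=203.0.113.5 user=u12@example.com result=FAIL
2023-04-12T10:05:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2023-04-12T10:05:20Z ip=198.51.100.7 user=alice@example.com result=FAIL
2023-04-12T10:05:40Z ip=198.51.100.7 user=alice@example.com result=OK
2023-04-12T10:07:00Z ip=198.51.100.9 user=bob@example.com result=OK
"""


def parse_log(text):
    """Parse log text into (timestamp, ip, user, success) tuples, sorted by time.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    events.sort()
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: finding} for every source whose busiest window meets the
    distinct-user and failure-ratio thresholds.  The finding records the
    window's stats and the accounts that logged in successfully inside it."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        end = 0
        # Two-pointer sliding window over the time-sorted events of this IP.
        for start in range(len(evs)):
            while end < len(evs) and evs[end][0] - evs[start][0] <= window:
                end += 1
            span = evs[start:end]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    "compromised_accounts": {e[2] for e in span if e[3]},
                }
        if (best["distinct_users"] >= min_users
                and best["failures"] / best["attempts"] >= min_fail_ratio):
            findings[ip] = best
    return findings


def accounts_to_reset(findings):
    """Flatten findings into a sorted list of accounts needing session
    revocation and a forced credential reset."""
    return sorted(acct for f in findings.values() for acct in f["compromised_accounts"])


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in hits.items():
        print(f"{ip}: {f['distinct_users']} accounts tried, "
              f"{f['failures']}/{f['attempts']} failed, "
              f"compromised={sorted(f['compromised_accounts'])}")
    print("reset:", accounts_to_reset(hits))
```

Grouping by source IP is the simplest version of this check; real stuffing campaigns often spread attempts across many addresses, so production detectors key the same window on additional attributes (ASN, user agent, TLS fingerprint) and pair the detection with rate limiting and a breached-password check at login. The point the example makes is that the signal was there to be found in ordinary login records, which is exactly where a months-long undetected intrusion of this kind should have been caught.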
Facts
- California Attorney General Rob Bonta filed a lawsuit against 23andMe (now Chrome Holding Company) on May 28, 2026, over a 2023 data breach.
- The breach exposed personal and genetic data of nearly 7 million users nationwide, including over 855,000 Californians.
- Hackers used credential stuffing with data from a prior MyHeritage breach and exploited a flaw in 23andMe’s 'DNA Relatives' feature.
- Attackers accessed ancestry reports, genetic matches, and health-related data, remaining undetected for five months.
- Stolen data from one million users was advertised for sale on the dark web, specifically targeting AAPI and Jewish communities.
- California alleges 23andMe paid $400,000 in cryptocurrency ransom and misled customers about the breach, violating state privacy and consumer protection laws.
Canto visual news explainer. AI tools may assist production.