Chrome Holding Co., previously known as 23andMe, is under legal scrutiny following a lawsuit initiated by California Attorney General Rob Bonta. This lawsuit stems from a significant security breach in 2023, which compromised the sensitive data of millions of individuals. Bonta alleges that the company misled its customers and failed to adequately safeguard their “sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry, and ethnicity.” According to the lawsuit, the breach affected 7 million users nationwide, including 855,541 residents of California.
23andMe, a provider of DNA testing kits that allow consumers to discover their ancestral background and genetic health risks, acknowledged in 2023 that malicious actors accessed user accounts through a method known as credential stuffing. Bonta contends that companies, especially those handling genetic information, should be vigilant against such prevalent cyberattack techniques.
In this specific incident, the hacker utilized credentials obtained from earlier data breaches, including a notable attack on MyHeritage, another genealogy platform that collaborated with 23andMe. Bonta points out that 23andMe was aware of the MyHeritage breach but failed to take precautions to prevent users from reusing compromised credentials. This oversight is particularly significant as 23andMe had encouraged its users to establish accounts with MyHeritage.
Credential stuffing was not the sole method that enabled these cybercriminals to access sensitive information. After breaching 14,000 accounts using this technique, the attackers exploited a vulnerability within the website’s DNA Relatives feature to access additional user data. Bonta emphasized that the company’s security measures were alarmingly insufficient, allowing hackers to remain undetected within the system for five months. He noted that the investigation only began after the criminals had already started selling the stolen data on the dark web and were demanding ransom payments.
Bonta criticized 23andMe for withholding essential details when notifying customers about the breach. He stated that the company minimized the severity of the stolen data and claimed that the DNA Relatives feature was “essentially public,” all while secretly negotiating with the perpetrators, who highlighted the sensitive nature of the dataset, including information about Asian American and Pacific Islander individuals, as well as Jewish users.
“The sale of this data on the dark web occurred during a time of increasing anti-Asian American and Pacific Islander sentiments and antisemitic violence — and explicitly drew attention to the deeply personal and identifying nature of that information,” Bonta remarked. “This situation is both troubling and exceptionally dangerous.”
In March 2025, 23andMe filed for bankruptcy. As reported by AP, the company was also facing a class-action lawsuit alleging it failed to protect its customers. A judge managing the bankruptcy proceedings had approved a $50 million settlement earlier this year.
