
Jun 01, 2026 · 6 min read

California AG Sues 23andMe Over 2023 Genetic Data Breach

On May 28, 2026, California Attorney General Rob Bonta filed suit in San Francisco Superior Court against Chrome Holding Co., the corporate shell 23andMe has operated under since its March 2025 bankruptcy. The lawsuit alleges the company failed to detect credential stuffing for over five months, allowing 14,000 accounts to be compromised and the genetic data of 7 million people to be exfiltrated, including a targeted dump of 1.1 million Asian-Pacific Islander and Ashkenazi Jewish users.

Genetic data does not change. The credit card you lost in the 2024 holiday season is replaced; the DNA strand the same hackers downloaded is still you, your siblings, your parents, your children, and everyone you will ever be related to. California's lawsuit, filed almost three years after the breach itself, is the first regulatory action under the state's Genetic Information Privacy Act that targets the company instead of accepting a class action settlement as closure.

Key Takeaways

  • California Attorney General Rob Bonta filed a civil suit against Chrome Holding Co.—23andMe's post-bankruptcy corporate name—in San Francisco Superior Court on May 28, 2026.
  • The complaint cites violations of the California Genetic Information Privacy Act, the Reasonable Data Security Law, the False Advertising Law, the Unfair Competition Law, and the California Consumer Privacy Act.
  • The 2023 breach used credentials leaked in the 2017 MyHeritage breach to compromise about 14,000 23andMe accounts via credential stuffing, then exploited the DNA Relatives sharing feature to expose data on 7 million users.
  • The attackers specifically dumped lists targeting roughly 1.1 million Asian-Pacific Islander consumers and Ashkenazi Jewish consumers, which Bonta said "took place amidst a mounting period of hate and violence" against those communities.
  • The intrusion went undetected for over five months despite a July 2023 spike in suspicious logins and an August 2023 Reddit post warning of the breach—23andMe did not acknowledge the incident until October 2023.

What Did 23andMe Allegedly Do Wrong?

Bonta's complaint argues that 23andMe failed three separate duties at the same time. First, the company neither required multi-factor authentication nor rate-limited logins, which made credential stuffing trivial. Second, the DNA Relatives feature, which lets users opt in to view distant family connections, was structured so that compromising one account exposed the data of every relative who had ever matched, multiplying 14,000 compromised accounts into 7 million affected people. Third, the company kept assuring customers that their genetic information was secure even while the breach indicators were sitting in its own logs.

According to KPBS's reporting on the filing, the suspicious login spike began in July 2023. A Reddit post warning that 23andMe credentials were circulating on cybercrime forums appeared in August 2023. The company did not publicly disclose the incident until October 2023, by which point the data had already been offered for sale by handles like "Golem" who specifically advertised "Ashkenazi" and "Chinese" subsets.
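The complaint's core detection claim is that the signals were already in the logs: a months-long spike in failed logins and a small set of source addresses cycling through many different accounts. The following is an added example, not code from the original post, from 23andMe, or from the California AG's filing. It runs two simple detectors over a constructed authentication log (the log format, the field names, the IP addresses, and the thresholds are all assumptions made for this example): a per-day failed-login spike check against a rolling median baseline, and a per-source check for "many distinct usernames, almost all failures" that also lists which accounts that source eventually got into.

```python
"""Credential-stuffing detection over a constructed authentication log.

Added example (not code from the original article or from 23andMe). The log
format "<ISO timestamp> <source IP> <username> <ok|fail>", the sample
addresses, and every threshold below are assumptions for illustration.
"""
import re
import statistics
from collections import defaultdict

# One record per line: timestamp, source address, username, outcome.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ok|fail)$")


def build_sample_log():
    """Constructed sample: three quiet days, then one stuffing burst."""
    lines = []
    # Quiet days: one success, one typo-then-success, one lone failure.
    for day in ("2023-06-28", "2023-06-29", "2023-06-30"):
        lines.append(f"{day}T09:00:00 203.0.113.7 alice ok")
        lines.append(f"{day}T09:10:00 203.0.113.8 bob fail")
        lines.append(f"{day}T09:10:30 203.0.113.8 bob ok")
        lines.append(f"{day}T17:00:00 203.0.113.9 carol fail")
    # Stuffing day: one address tries 40 different accounts; 3 reused passwords work.
    for i in range(40):
        result = "ok" if i in (5, 17, 33) else "fail"
        lines.append(f"2023-07-01T02:{i:02d}:00 192.0.2.10 user{i:03d} {result}")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({"day": ts[:10], "ip": ip, "user": user, "ok": result == "ok"})
    return events


def failed_login_spikes(events, factor=5.0):
    """Days whose failed-login count exceeds factor x the median of earlier days.

    Returns a list of (day, failures, baseline). The baseline is built only from
    days that had at least one failure, which is fine for this illustration.
    """
    per_day = defaultdict(int)
    for e in events:
        if not e["ok"]:
            per_day[e["day"]] += 1
    spikes, history = [], []
    for day in sorted(per_day):
        if history:
            baseline = statistics.median(history)
            if per_day[day] > factor * max(baseline, 1):
                spikes.append((day, per_day[day], baseline))
        history.append(per_day[day])
    return spikes


def stuffing_sources(events, min_users=10, max_success_ratio=0.2):
    """Flag source addresses that attempted many distinct accounts with a low
    success ratio, the shape of a credential-stuffing run. For each flagged
    address also report the accounts it did log into, so they can be reset."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok_users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["ok_users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = len(s["ok_users"]) / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("failed-login spikes:", failed_login_spikes(evs))
    print("stuffing sources:", stuffing_sources(evs))
```

Both checks are deliberately cheap enough to run hourly against an authentication table; the point is that a single address touching dozens of unrelated accounts, or a day with several times the usual failure volume, is a signal that does not require any threat-intelligence feed to notice.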

Why Is the AG Suing the Bankruptcy Shell?

23andMe filed for Chapter 11 bankruptcy in March 2025 and reorganized as Chrome Holding Co., with the settlement and its emergence from bankruptcy approved in January 2026. Bankruptcy reorganization is precisely the maneuver companies use to wall off pre-existing liabilities, but it does not automatically extinguish state regulator claims for civil penalties. By suing Chrome Holding Co. directly, the California Attorney General is testing whether a post-bankruptcy successor can be held responsible for the security failures of the predecessor entity, particularly when the data assets that gave rise to the violation transferred to the successor as part of the reorganization.

This matters as a precedent. There is a growing pattern in privacy enforcement of companies using Chapter 11 to discharge mass claims at cents on the dollar: the original 23andMe class action settled for $30 million in 2024, raised to $50 million in the January 2026 reorganization, but the genetic data of seven million people is worth a great deal more than roughly $7 per person. If California succeeds in extracting "multiple millions" in civil penalties from Chrome Holding Co., other state attorneys general will follow with their own actions against the same shell.

Which Laws Does the Complaint Actually Invoke?

Bonta's complaint cites five separate statutory frameworks, which is unusual and signals the AG's intent to maximize penalty exposure:

  • California Genetic Information Privacy Act (GIPA): California's specific statute on direct-to-consumer genetic testing companies, which requires baseline security and explicit consent for data sharing.
  • Reasonable Data Security Law: California Civil Code §1798.81.5, which requires reasonable security procedures and practices appropriate to the nature of the information.
  • False Advertising Law (FAL): For marketing that allegedly continued to claim genetic data security while the breach was ongoing.
  • Unfair Competition Law (UCL): California Business and Professions Code §17200, the AG's broad enforcement vehicle for "any unlawful, unfair or fraudulent business act or practice."
  • California Consumer Privacy Act (CCPA): For the underlying notice and security failures and any unauthorized data disclosure.

Stacking five claims allows the AG to seek per-violation penalties under multiple regimes for the same underlying conduct. UCL penalties run up to $2,500 per violation; CCPA penalties are up to $7,500 per intentional violation. With 7 million affected residents, even a fractional finding produces what Bonta described in a press conference as potentially "multiple millions" in civil penalties.

What Makes the Targeted Lists So Disturbing?

The 2023 23andMe breach was not generic data theft. The attackers compiled and offered for sale specific ethnic subsets: a list of approximately 1.1 million Asian-Pacific Islander 23andMe customers, and a separate list of Ashkenazi Jewish customers. Those lists are not extracted by accident. They are produced by querying the DNA Relatives connections of a small number of compromised accounts to surface the wider community network, then exporting the resulting demographic segment.

Bonta's office tied the breach directly to a "mounting period of hate and violence" against the targeted communities. Genetic information that explicitly identifies someone as Jewish or as a member of a specific Asian-Pacific Islander heritage has a long history of being weaponized; the data has obvious utility for anyone running harassment, doxxing, or hate-motivated targeting at scale. The same risk model shows up in Lithuania's 600K state-register breach and in other state-actor data theft, where the demographic specificity of the leaked records is the point, not a byproduct.

What Should 23andMe Customers Do Now?

If you ever tested with 23andMe, three actions are worth taking regardless of how the California lawsuit resolves:

  1. Request deletion of your data and destruction of your sample. Both rights are available under California GIPA and other state genetic privacy laws. Submitting the request creates a paper trail and removes future replication of your data into successor entities.
  2. Turn off DNA Relatives sharing. If you still have an active account, opting out of the family matching feature limits the secondary exposure that lets a single account compromise cascade across your entire family network.
  3. Watch your inbox. Scammers who hold genetic and demographic data craft highly personalized phishing: messages that reference your heritage, your relatives by name, or "match alerts" about a relative. Tracking pixels embedded in those messages confirm the address is live before the targeted follow-up. Gblock blocks the invisible pixels in marketing and phishing emails so the next message in the sequence never gets aimed at you with confidence.
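The third step turns on recognising the pixel before it fires. The following is an added example, not code from the original post or from Gblock, showing what a tracking-pixel check on an email's HTML body looks like: it flags remote images that are 1x1 or zero-sized, hidden with inline CSS, or carry a long opaque per-recipient token in their URL, and ignores inline (`cid:`/`data:`) images that cannot phone home. The sample message, the hostnames, and the heuristics' thresholds are constructed for this example.

```python
"""Tracking-pixel detection in an email HTML body.

Added example (not code from the original article or from Gblock). The sample
message, hostnames and heuristic thresholds are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on a fake "DNA match" lure.
SAMPLE_EMAIL_HTML = """\
<html><body>
<img src="https://cdn.example.com/img/logo.png" width="200" height="60" alt="logo">
<p>We found a new DNA match for you. Log in to see who it is.</p>
<img src="https://track.example.net/o/7f3a9c2b1e4d5f6a7b8c9d0e1f2a3b4c.gif?u=123" width="1" height="1" alt="">
<img src="https://track.example.net/open?id=abc" style="display: none">
<img src="cid:inline-photo" width="1" height="1">
</body></html>
"""

# A run of 24+ URL-safe characters in the path or query is treated as an
# opaque per-recipient token (assumed heuristic, tuned for this example).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{24,}")


def _tiny(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    v = (value or "").strip().lower().removesuffix("px").strip()
    return v in ("0", "1")


class PixelFinder(HTMLParser):
    """Collect <img> tags that look like open-tracking beacons."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Only remote images can report back to a server.
        if not src.lower().startswith(("http://", "https://")):
            return
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 dimensions")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        parsed = urlparse(src)
        if TOKEN_RE.search(parsed.path + "?" + parsed.query):
            reasons.append("per-recipient token in URL")
        if reasons:
            self.hits.append({"src": src, "host": parsed.hostname, "reasons": reasons})


def find_tracking_pixels(html):
    """Return a list of suspected tracking pixels found in the HTML body."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(hit["host"], hit["reasons"])
```

Each reason is reported separately because a real filter would weight them differently: a bare 1x1 image is common in legitimate newsletters, while a hidden remote image whose URL embeds a unique token is almost always an open beacon. Blocking the fetch (rather than merely flagging it) is what denies the sender the "address is live" confirmation described above.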

The Pattern Beyond California

Texas, Connecticut, and Washington all have their own genetic privacy statutes and active enforcement postures. Texas in particular has filed parallel surveillance and data abuse claims against major platforms, and Connecticut's Data Privacy Act now contains explicit enforcement reporting. Once California establishes that a post-bankruptcy shell is reachable for predecessor security failures, expect each of those AGs to follow with similar actions inside ninety days. The era of using Chapter 11 to discharge data protection liability is closing.
