Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
California’s attorney general has filed a lawsuit against the consumer genetics testing company formerly known as 23andMe, alleging that the company failed to protect customers’ sensitive personal information in a massive 2023 data breach that exposed the ancestry and genetic data of nearly 7 million people.
Attorney General Rob Bonta filed a lawsuit Thursday in San Francisco Superior Court against Chrome Holding, formerly known as 23andMe, accusing the company of failing to properly investigate or respond to numerous warnings that its systems had been compromised. The self-test kits that the company mails out have become synonymous with DNA test Before declaring bankruptcy in 2025.
In 2023, cybercriminals breached 23andMe’s systems using “Credential stuffing attack“, which involves bombarding online accounts with huge sets of usernames and passwords stolen in previous, unrelated attacks. Over the course of months, hackers were able to steal the personal data of more than 6.9 million people.
“23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for more than five months, and, remarkably, 23andMe only initiated an investigation after the threat actor offered stolen user data for sale on the dark web and contacted 23andMe to demand a ransom,” Bonta’s office said in the complaint.
The San Francisco-based company, which allowed people to submit genetic material and get a snapshot of their ancestors, open In October 2023, hackers gained access to customer information in a long data breach that targeted customers of Chinese or Ashkenazi Jewish descent. The stolen data of more than a million Asian Pacific Islander and Ashkenazi Jewish users was later posted for sale on the dark web.
“This data was sold on the dark web amid a period of rising anti-Semitic hatred and violence toward Americans and Pacific Islanders,” Bonta said in a press release. “This is very worrying and dangerous.”
A January 2024 lawsuit accused the company of not doing enough to protect its customers and not notifying certain customers that their data had been specifically targeted. It later settled the lawsuit for $30 million.
23andMe representatives did not immediately respond to a request for comment.
At its peak, 23andMe became the hottest name in the emerging field of DNA self-testing, with users paying upwards of $99 for kits that gave them insight into their genetic makeup and potential relatives and ancestors. But the company’s momentum has slowed in recent years after its $3.5 billion IPO in 2021.
Last July, the TTAM Research Institute, a nonprofit led by Anne Wojcicki, 23andMe co-founder and former CEO, acquired 23andMe’s assets for $305 million.
