Why the 23andMe Data Breach Lawsuit Changes Everything for Your DNA Privacy

Trust a company with your Social Security number and it's bad if they lose it. Trust them with your literal genetic blueprint and it's a completely different level of terrifying. That is why California Attorney General Rob Bonta just threw down a massive lawsuit against Chrome Holding Co., the company formerly known as 23andMe.

The state is coming down hard on the DNA-testing giant for its handling of an infamous 2023 cyberattack that compromised the data of nearly 7 million people. If you thought this saga wrapped up when the company hit bankruptcy or settled its class-action suits, think again. This new legal battle exposes gross negligence, ignored warning signs, and a shocking attempt to deflect blame onto the victims.


The Illusion of Security at 23andMe

The lawsuit filed in San Francisco Superior Court paints a damning picture of what was actually happening behind the scenes. According to the state of California, the genetic testing company failed to meet basic security standards for information as highly sensitive as health profiles and raw DNA sequences.

Hackers managed to infiltrate about 14,000 accounts using a technique known as credential stuffing. This happens when cybercriminals take usernames and passwords leaked from other websites and try them on different platforms. It relies entirely on the common human habit of reusing passwords. To understand the bigger picture, we recommend the recent analysis by Gizmodo.

The real disaster happened because of how 23andMe structured its system. Once hackers got into those initial 14,000 accounts, they exploited a critical coding error in the popular DNA Relatives feature. This feature allows users to opt in and find family matches. Because of that security flaw, a few compromised accounts became a wide-open backdoor. The threat actors extracted the personal info, ancestry records, and genetic risk profiles of 6.9 million people across the country. That included 855,541 California residents.
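The paragraph above says a handful of compromised accounts were enough to pull 6.9 million records, but the complaint as summarized here does not describe the coding error itself. The example below is added here and is not 23andMe's code: it is a constructed relatives-matching service with an invented user population and a hypothetical everyone-matches-everyone graph, showing the three server-side controls whose absence turns a few stolen logins into a bulk export: mutual opt-in, field minimisation (a match sees only what the other person chose to share, never the raw genotype), and a per-account daily read budget. The `daily_budget=None` setting reproduces the weak behaviour; the capped service bounds what any one account can reach.

```python
"""Bounding what one account can pull from a relatives-matching feature (added example).

The service, the user records and the match graph below are constructed for
illustration; they are not 23andMe's code or data, and the page does not
describe the actual coding error in DNA Relatives.
"""
from dataclasses import dataclass, field


class BudgetExceeded(Exception):
    """Raised when an account has used up its daily relative-profile reads."""


@dataclass
class User:
    user_id: str
    opted_in: bool                                    # chose to take part in relative matching
    shared: dict = field(default_factory=dict)        # fields the user agreed to show to matches
    private: dict = field(default_factory=dict)       # raw data; never returned to another account


class RelativesService:
    def __init__(self, users, match_fn, daily_budget=None):
        self.users = {u.user_id: u for u in users}
        self.match_fn = match_fn            # user_id -> iterable of matched user_ids
        self.daily_budget = daily_budget    # None reproduces the weak setting: no cap at all
        self.reads_today = {}

    def view_relatives(self, requester_id):
        """Return the profiles a requester may see, applying three controls:
        mutual opt-in, field minimisation, and a per-account daily read budget."""
        requester = self.users[requester_id]
        if not requester.opted_in:
            return []                                   # non-participants cannot browse matches
        remaining = (float("inf") if self.daily_budget is None
                     else self.daily_budget - self.reads_today.get(requester_id, 0))
        if remaining <= 0:
            raise BudgetExceeded(requester_id)          # a real API would answer HTTP 429 here
        out = []
        for other_id in sorted(self.match_fn(requester_id)):
            if len(out) >= remaining:
                break                                   # hand back only what the budget allows
            other = self.users[other_id]
            if other_id == requester_id or not other.opted_in:
                continue
            out.append({"user_id": other_id, **other.shared})   # never other.private
        self.reads_today[requester_id] = self.reads_today.get(requester_id, 0) + len(out)
        return out


def reachable_profiles(service, account_ids):
    """Blast radius: distinct relatives' profiles a set of accounts can pull in one day."""
    seen = set()
    for acct in account_ids:
        try:
            seen.update(p["user_id"] for p in service.view_relatives(acct))
        except BudgetExceeded:
            pass
    return len(seen)


def build_population(n=1000):
    """Constructed population: every tenth user opted out; everyone else is matched
    with everyone else (one big extended family), the worst case for bulk scraping."""
    users = [User(f"u{i:04d}", opted_in=(i % 10 != 0),
                  shared={"display_name": f"User {i}", "predicted_relationship": "4th cousin"},
                  private={"raw_genotype": f"<genotype {i}>", "health_report": f"<report {i}>"})
             for i in range(n)]
    ids = [u.user_id for u in users]
    return users, lambda uid: ids


def weak_vs_hardened(accounts=("u0001",), budget=50):
    """Compare how many profiles the same accounts reach with no cap and with a cap."""
    users, match_fn = build_population()
    weak = RelativesService(users, match_fn, daily_budget=None)
    hardened = RelativesService(users, match_fn, daily_budget=budget)
    return reachable_profiles(weak, accounts), reachable_profiles(hardened, accounts)


if __name__ == "__main__":
    print("one account, no cap vs cap of 50:", weak_vs_hardened())
    print("three accounts, no cap vs cap of 50:", weak_vs_hardened(("u0001", "u0002", "u0003")))
```

A per-account budget only caps each stolen login individually; because the attackers here held about 14,000 accounts, a deployment also needs an aggregate alert when the total volume of relative-profile reads across all accounts leaves its normal range, which is the same kind of signal as the login spike discussed later in the article.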


Five Months of Absolute Silence

The details uncovered by the California Department of Justice investigation show a spectacular failure to look at what was happening inside their own house. Hackers were moving completely undetected inside 23andMe's systems for more than five months.

Think about that. Five months of bad actors rummaging through raw genetic details, health predispositions, and family trees.

The company did not catch the intrusion through network monitoring. They only started investigating after the hacker literally reached out to demand a ransom and posted the stolen database for sale on the dark web. The state's complaint points out multiple glaring red flags the company managed to ignore completely:

  • July 2023: A massive, highly suspicious spike in user login attempts occurred, a classic signature of a credential stuffing attack.
  • August 2023: A public Reddit post detailed a potential 23andMe data breach and the illicit sale of user records.
  • Historical Vulnerabilities: Years earlier, in 2017, a former 23andMe partner named MyHeritage suffered a massive breach. The attackers used credentials from that exact 2017 leak to crack open 23andMe accounts. Yet, the company never forced a global password reset or required multi-factor authentication (MFA) to close the loop.
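The credential-stuffing technique explained earlier and the July 2023 login spike in the list above are two views of the same event, and both are detectable from ordinary authentication logs. The example below is added here; it is not 23andMe's tooling, and its log format, the IP addresses and the account names are all constructed. It flags the per-source fingerprint of stuffing (one IP, many different accounts, mostly failures, a short window) and, separately, the site-wide volume spike that shows up before anyone has worked out which IPs are responsible.

```python
"""Detecting a credential-stuffing burst in authentication logs (added example).

Constructed log format (not 23andMe's): one line per login attempt,
  <ISO-8601 UTC timestamp> ip=<source IP> user=<account> result=<OK|FAIL>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_lines():
    """Constructed sample: six hours of quiet traffic plus one stuffing burst."""
    base = datetime(2023, 7, 12, 0, 0, 0)
    lines = []
    for hour in range(6):                       # baseline: four genuine logins per hour
        for i in range(1, 5):
            ts = base + timedelta(hours=hour, minutes=7 * i)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=198.51.100.{i} user=u00{i} result=OK")
    burst = base + timedelta(hours=3, minutes=20)   # 25 tries on 25 accounts from one IP
    for n in range(25):
        ts = burst + timedelta(seconds=2 * n)
        result = "OK" if n in (3, 17) else "FAIL"   # reused passwords work for a few accounts
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.7 user=u{100 + n} result={result}")
    return lines


SAMPLE_LINES = build_sample_lines()


def parse_line(line):
    """Return (timestamp, ip, user, success) for one log line."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_attempts=20,
                    min_distinct_users=10, max_success_rate=0.2):
    """Per-source fingerprint of credential stuffing: many attempts against many
    different accounts from one IP in a short window, with a low success rate.
    (A brute force against one account shows one user; a busy office NAT shows
    a normal success rate.) Reports the widest qualifying window per IP."""
    by_ip = defaultdict(list)
    for ev in sorted(parse_line(l) for l in lines if l.strip()):
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):                  # sliding window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            successes = sum(1 for e in span if e[3])
            if (len(span) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(span) <= max_success_rate
                    and (best is None or len(span) > best["attempts"])):
                best = {"ip": ip, "window_start": span[0][0], "attempts": len(span),
                        "distinct_users": len(users), "successes": successes}
        if best:
            alerts.append(best)
    return alerts


def login_volume_spikes(lines, bucket=timedelta(hours=1), factor=3.0, min_attempts=10):
    """Site-wide view: flag any time bucket whose login volume exceeds `factor`
    times the median of the other buckets. This is the "spike in login attempts"
    signal, visible even before you know which IPs are responsible."""
    counts = Counter()
    for ts, *_ in (parse_line(l) for l in lines if l.strip()):
        counts[ts - (ts - datetime.min) % bucket] += 1     # floor timestamp to bucket start
    spikes = []
    for start, n in sorted(counts.items()):
        others = [c for s, c in counts.items() if s != start]
        baseline = median(others) if others else 0
        if n >= min_attempts and n > factor * baseline:
            spikes.append({"bucket": start, "attempts": n, "baseline": baseline})
    return spikes


if __name__ == "__main__":
    for a in detect_stuffing(SAMPLE_LINES):
        print(f"stuffing from {a['ip']}: {a['attempts']} attempts on "
              f"{a['distinct_users']} accounts, {a['successes']} succeeded")
    for s in login_volume_spikes(SAMPLE_LINES):
        print(f"volume spike at {s['bucket']:%H:%M}: {s['attempts']} vs baseline {s['baseline']}")
```

The two successful logins inside the burst are the important part: they are the accounts whose owners reused a password leaked elsewhere, so the response to such an alert is a forced reset and an MFA requirement for exactly those accounts, not just a block on the source IP, which the attacker will rotate anyway.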

Even more disturbing is the dark web marketing of the stolen data. The threat actor explicitly highlighted to buyers that the dataset contained detailed records belonging to over a million people of Asian-Pacific Islander and Ashkenazi Jewish descent. Selling this highly specific genetic identifying information during a time of rising antisemitic and anti-AAPI hate crimes wasn't just a digital security failure. It created real, physical anxiety for millions of families.


Gaslighting Consumers and Evading Accountability

When news of the hack broke in late 2023, 23andMe didn't exactly handle it with transparency. In fact, California alleges they flat-out lied.

The company repeatedly made public statements claiming there was no breach of its actual systems. They tried to shift the blame entirely to the customers, essentially saying, "It's your fault for reusing passwords." They claimed the DNA Relatives data was basically public information anyway because users opted into the feature.

Behind closed doors, it was a different story. The lawsuit reveals the company was engaged in covert negotiations with the hacker over a ransom payment while publicly acting like everything was under control.

This corporate finger-pointing didn't hold up in court. The company agreed to a $50 million class-action settlement to resolve U.S. consumer claims, which received final approval during their Chapter 11 bankruptcy proceedings. But this new state lawsuit hits them where it hurts even more: statutory penalties. California wants $1,000 for every single violation of the Genetic Information Privacy Act, plus up to $7,500 for intentional violations or those involving minors. We are talking about potential fines running deep into the millions.


What Happens to Your DNA Data Now

The company filed for bankruptcy protection and rebranded under Chrome Holding Co. If you have ever spat into one of those plastic tubes, you're probably wondering what you should do right now to lock down your personal information. Don't panic, but you need to act.

Force a Security Update on Your Account

If you haven't logged into your account recently, do it today. Switch on two-factor authentication immediately. The company didn't mandate this until November 2023, well after the damage was done. Pick a completely unique, strong password. Better yet, use a dedicated password manager so you stop reusing credentials across different sites.

Download and Delete Your Data

You have the right to request the deletion of your account and your genetic data under the California Consumer Privacy Act (CCPA) and similar state privacy laws. Go into your account settings, request a download of your raw DNA data for your own records if you want it, and then submit a formal deletion request.

Monitor for Targeted Phishing

Because hackers know your ancestry and family connections, they can craft highly sophisticated phishing emails. Be incredibly skeptical of any random emails claiming to be a newly discovered cousin or a medical research group asking for follow-up health information. Check the sender's actual email address before clicking any links.
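"Check the sender's actual email address" is easy to say and easy to get wrong, because the address a mail client shows is the display name, not the mailbox. The example below is added here and is not part of the original article: two constructed messages and a small checker that extracts the real sender from the raw headers, flags a display name that pretends to be an address at another domain, a Reply-To that diverts replies elsewhere, and a near-miss lookalike of the domain you expect. The domain `example-dna.test` is an assumed stand-in for the real service's domain.

```python
"""Checking who an email really comes from (added example).

The two messages are constructed; "example-dna.test" stands in for the testing
service's real domain (an assumption) and is the only domain its mail is
expected to use.
"""
from email import message_from_string
from email.utils import parseaddr

EXPECTED_DOMAINS = {"example-dna.test"}

LEGIT = """\
From: Example DNA <noreply@example-dna.test>
Subject: Your monthly relatives update
Content-Type: text/plain

You have 2 new relatives. Sign in to view them.
"""

SUSPICIOUS = """\
From: "relatives@example-dna.test" <newcousin4472@mail.example.net>
Reply-To: collect@examp1e-dna.test
Subject: A newly discovered cousin wants to connect
Content-Type: text/plain

We share 3.2% of our DNA! Please confirm your health history at the link below.
"""


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""


def levenshtein(a, b):
    """Edit distance, used to catch near-miss domains such as examp1e for example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(raw_message, expected_domains=EXPECTED_DOMAINS):
    """Return a sorted list of findings about the sender of one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))      # display name vs real mailbox
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    expected = {d.lower() for d in expected_domains}
    findings = []
    # 1. The display name contains an address whose domain differs from the real sender.
    if "@" in display and domain_of(display) != from_domain:
        findings.append(f"display-name-address-mismatch:{domain_of(display)}")
    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-domain-mismatch:{reply_domain}")
    # 3. Each real domain involved is either expected, a lookalike of one, or unknown.
    for d in sorted({from_domain, reply_domain} - {""}):
        if d in expected:
            continue
        near = sorted(e for e in expected if levenshtein(d, e) <= 2)
        findings.append(f"lookalike-domain:{d}~{near[0]}" if near else f"unexpected-domain:{d}")
    return sorted(findings)


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(name, sender_findings(raw) or ["no findings"])
```

None of these checks proves a message is malicious, and a clean result does not prove it is safe; the point is that the raw `From:` and `Reply-To:` headers, not the friendly name, are what you compare against the domain you actually signed up with.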

Alexander Kim

Alexander combines academic expertise with journalistic flair, crafting stories that resonate with both experts and general readers alike.