California Sues 23andMe Over 2023 Genetic-Data Breach, Accuses Firm of Misleading Consumers
California Attorney General Rob Bonta sued the companies formerly known as 23andMe on Wednesday, alleging they failed to protect highly sensitive genetic and ancestry data in the 2023 breach that affected nearly 7 million users, including about 855,541 Californians, and then misled consumers about what happened.
The lawsuit, filed in San Francisco Superior Court by the People of the State of California, names Chrome Holding Co., formerly 23andMe Holding Co., and ChromeCo, Inc., formerly 23andMe, Inc. Bonta announced the case May 28.
The suit targets one of the biggest direct-to-consumer genetics companies, which collected saliva samples to generate ancestry and health-related reports. That makes the breach especially sensitive: the data at issue can reveal ancestry, ethnicity, family relationships and health predispositions. California alleges not only that the company failed to use reasonable security for that information, but also that it downplayed the breach in public statements.
“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach,” Bonta said in a statement.
According to the complaint and the company’s own 2023 public update, attackers first gained access to roughly 14,000 accounts using login credentials reused from earlier breaches elsewhere — a tactic known as credential stuffing, in which attackers try stolen username-and-password pairs across multiple services. The state says 23andMe failed to detect or stop that well-known kind of attack.
From there, the complaint alleges, attackers used 23andMe features including DNA Relatives and Family Tree to reach data linked to millions more profiles. In an October 2023 public post, 23andMe said about 5.5 million DNA Relatives profiles and 1.4 million Family Tree profiles were accessed.
The complaint alleges the company ignored known risks tied to credential reuse after the earlier MyHeritage breach, even though 23andMe had encouraged users to create MyHeritage accounts. It also alleges a coding flaw in the DNA Relatives feature helped attackers pull additional identifying, ancestry and relationship data.
Among the suit’s most serious claims is that the stolen data was later offered for sale on the dark web. The complaint alleges those listings included targeted data involving about 1.1 million people with Ashkenazi Jewish heritage and hundreds of thousands of people with Chinese ancestry.
Bonta said, “Our investigation found that the company failed to take basic steps to protect users’ data — data including the sensitive personal information, family histories, and health conditions of consumers.”
A central piece of the case is California’s claim that the company misled users before and after the breach: before it happened by touting strong security practices, and afterward by minimizing the incident. In its Oct. 6, 2023, blog post, 23andMe said, “We do not have any indication at this time that there has been a data security incident within our systems.”
California now argues that framing was misleading. The complaint further alleges that while making those public statements, the company was also negotiating with the threat actor and made payments tied to removing damaging information and obtaining information about vulnerabilities. Those claims are allegations in the complaint and have not been proven in court.
The state alleges violations of California’s Genetic Information Privacy Act, the state’s reasonable data security law, the False Advertising Law, the Unfair Competition Law and the California Consumer Privacy Act.
The attorney general’s office said this case is separate from California’s pending challenge in the company’s bankruptcy case over the proposed sale of Californians’ genetic data and biological material. 23andMe filed for Chapter 11 protection in March 2025.
The lawsuit opens a new front in the fallout from the 2023 breach, shifting the focus from the company’s earlier public description of a credential-stuffing attack to California’s broader claim that it failed to safeguard genetic data and misled users about the extent of the damage.