
Chrome Holding Co., the company formerly known as 23andMe, is facing a lawsuit filed by California Attorney General Rob Bonta over a massive security breach in 2023 that compromised millions of people’s sensitive data. Bonta is accusing the company of misleading customers and failing to protect their “sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry and ethnicity.” The incident affected 7 million users across the US, the lawsuit said, 855,541 of whom were California residents.
23andMe, which offered customers DNA testing kits so they could find out their ancestral origins and genetic health risks, admitted back in 2023 that bad actors were able to access users’ accounts through credential stuffing. Bonta argued that companies, especially one that collects genetic data, should know to guard against such a common method of cyberattack.
In 23andMe’s case, the hacker apparently used credentials stolen in earlier data breaches, including from an attack on MyHeritage, another genealogy website that 23andMe worked with. Bonta says that even though 23andMe was aware of the breach on MyHeritage, it never checked for or prevented users from reusing their credentials. That is particularly noteworthy, because 23andMe allegedly encouraged its users to sign up for a MyHeritage account as well.
It wasn’t just credential stuffing that allowed the bad actors to steal millions of people’s private information. After using that attack method to break into 14,000 accounts, they then exploited a vulnerability in the website’s DNA Relatives feature to access data from additional customers. Bonta said the company’s security measures were so lax that the hackers were able to operate undetected inside its systems for five months. He added that the company only began investigating after the bad actors had already started selling stolen user data on the dark web and demanding a ransom.
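The two failures described above, never checking whether users reused credentials exposed in an earlier breach and not noticing a stuffing campaign for months, are both routine to defend against. The following is an added example, not code from the article or from 23andMe, showing what those two checks look like in practice: a scan over authentication log lines that flags source addresses trying many distinct accounts with mostly failed logins, and a lookup that refuses a password whose hash appears in a corpus of previously breached credentials. The log format, usernames, IP addresses and breach corpus are all constructed for the example; the password check generalises the article's point by comparing password hashes rather than username/password pairs from one specific breach.

```python
"""
Added example (not from the article or from 23andMe): two defensive checks
against credential stuffing, run over constructed sample data.

1. detect_stuffing_sources(): scan authentication log lines and flag source
   IPs that attempt many distinct accounts with mostly failed logins.
2. is_breached_credential(): refuse a password that appears in a corpus of
   credentials exposed in an earlier, unrelated breach (compared as SHA-1
   hashes, the form in which breach corpora are commonly distributed).
The log format, users, IPs and breach hashes below are all constructed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line format:
#   <ISO timestamp> auth user=<name> ip=<addr> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_auth_line(line):
    """Parse one auth log line into a dict, or return None for lines that
    do not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "ip": m["ip"],
        "ok": m["result"] == "ok",
    }


def detect_stuffing_sources(lines, window=timedelta(minutes=10),
                            min_accounts=5, max_success_ratio=0.5):
    """Return {ip: stats} for every source IP that, within some `window`,
    tried at least `min_accounts` distinct usernames with a success ratio
    at or below `max_success_ratio`. A legitimate user rarely touches many
    different accounts; a stuffing tool cycles through leaked pairs and
    succeeds only where a password was reused."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            seg = events[start:end + 1]
            users = {e["user"] for e in seg}
            ratio = sum(e["ok"] for e in seg) / len(seg)
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                # Report over all of this IP's activity once any window qualifies.
                flagged[ip] = {
                    "distinct_accounts": len({e["user"] for e in events}),
                    "attempts": len(events),
                    # Accounts that actually opened: these need a forced
                    # reset and session revocation, not just a block on the IP.
                    "compromised": sorted(e["user"] for e in events if e["ok"]),
                }
                break
    return flagged


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, matching common breach-corpus encodings."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the hashes of passwords exposed in an earlier,
# unrelated breach (in production this would be a large external corpus).
BREACHED_PASSWORD_HASHES = {sha1_hex(p) for p in ["Summer2019!", "letmein123", "qwerty!@#"]}


def is_breached_credential(password, breached_hashes=BREACHED_PASSWORD_HASHES):
    """True if the password's hash is in the breach corpus, so signup and
    password-change flows can refuse it and a login can force a reset."""
    return sha1_hex(password) in breached_hashes


# Constructed sample log: one normal user (203.0.113.5) and one source
# (198.51.100.7) cycling through six accounts and getting into one.
SAMPLE_AUTH_LOG = [
    "2023-08-01T10:00:01 auth user=alice ip=203.0.113.5 result=fail",
    "2023-08-01T10:00:09 auth user=alice ip=203.0.113.5 result=ok",
    "2023-08-01T10:01:00 auth user=bob ip=198.51.100.7 result=fail",
    "2023-08-01T10:01:02 auth user=carol ip=198.51.100.7 result=fail",
    "2023-08-01T10:01:04 auth user=dave ip=198.51.100.7 result=ok",
    "2023-08-01T10:01:06 auth user=erin ip=198.51.100.7 result=fail",
    "2023-08-01T10:01:08 auth user=frank ip=198.51.100.7 result=fail",
    "2023-08-01T10:01:10 auth user=grace ip=198.51.100.7 result=fail",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    print(detect_stuffing_sources(SAMPLE_AUTH_LOG))
    print(is_breached_credential("letmein123"), is_breached_credential("correct horse battery staple"))
```

Running the block flags only 198.51.100.7, reporting six distinct accounts attempted and `dave` as the one that opened; the normal user at 203.0.113.5 is left alone because a single account with one typo is not a stuffing pattern. The thresholds are deliberately conservative starting points: real deployments tune `window`, `min_accounts` and the success ratio against their own traffic, and pair the detector with rate limiting and multi-factor authentication so that a reused password alone is not enough to open an account.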
Bonta accused 23andMe of omitting crucial information when it informed customers about the breach. He said the company downplayed the sensitivity of the stolen data and claimed that the DNA Relatives feature was “essentially public,” all while it was secretly negotiating with the bad actors, who were highlighting the inclusion of information about Asian American and Pacific Islanders, as well as Jewish users, in the dataset they were selling.
“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information,” Bonta wrote. “This is disturbing and highly dangerous.”
23andMe filed for bankruptcy in March 2025. As AP notes, it also faced a class-action lawsuit that accused the company of failing to protect its customers, and a judge overseeing its bankruptcy had approved a $50 million settlement earlier this year.