HeadlinesBriefing.com

California Sues 23andMe Over Massive Genetic Data Breach

Engadget

California Attorney General Rob Bonta is suing Chrome Holding Co., the parent company of 23andMe, following a massive 2023 security breach. The lawsuit alleges the firm failed to protect sensitive genetic data and misled customers about the incident. Hackers compromised accounts using credential stuffing, a method that reuses passwords stolen from other sites, such as MyHeritage, to gain unauthorized access.

Bad actors exploited a vulnerability in the DNA Relatives feature to expand their reach beyond the initial 14,000 breached accounts. This allowed them to access data for roughly 7 million users nationwide. Bonta claims the company's security was so weak that hackers operated undetected for five months, only triggering an investigation once stolen data appeared on the dark web.

Legal troubles for the genealogy firm have intensified since the breach. The company filed for bankruptcy in March 2025 after facing significant legal pressure. A judge previously approved a $50 million settlement in a separate class-action lawsuit. This new state action specifically targets the company's failure to secure highly personal information about ancestry, ethnicity, and health risks.