23andMe successor sued by California AG over 2023 data breach

Chrome Holding is facing a lawsuit stemming from a data breach faced by its predecessor.


What happened

California Attorney General Rob Bonta recently filed a lawsuit against Chrome Holding, the rebranded successor of 23andMe. The suit followed a lengthy investigation into the 2023 breach, which exposed data belonging to nearly 7 million users. The complaint was filed in San Francisco Superior Court on May 28th.

In his press release, Bonta said the breach was particularly dangerous because the attackers posted the stolen data on the dark web and advertised that it included records of Asian American and Pacific Islander users and Jewish users, at a time of what Bonta described as “mounting anti-Asian American and Pacific Islander and antisemitic hate and violence.”


Going deeper

The breach was caused by credential stuffing: attackers took username and password pairs leaked in earlier, unrelated breaches and replayed them against 23andMe's login, succeeding on accounts whose owners had reused a password. The incident drew long-lasting international regulatory scrutiny and a series of investigations. According to the BBC, the United Kingdom's data protection regulator, the Information Commissioner's Office (ICO), fined the company £2.31 million in 2025, stating that the data of 155,592 UK residents had been accessed. The company also declared bankruptcy in 2025, following a collapse in its valuation, and rebranded as Chrome Holding, which conducts DNA testing.


What was said

According to Bonta’s press release, although 23andMe “publicly touted its commitment to data privacy and transparency, in truth, it failed to take reasonable measures to protect its customers’ most sensitive data, ignored known vulnerabilities in its systems, and failed to properly investigate or respond to numerous warnings that its systems had been compromised.”

The release added that 23andMe “misled its customers and the public regarding crucial aspects of the 2023 data breach.”


In the know

Bonta outlined California's investigation into the breach, which found that 23andMe only began investigating the incident after its customers' data was found on the dark web. Among other allegations, investigators said the company:

  • Missed multiple opportunities to detect the attack.
  • Failed to guard against the exploitation of a coding error that allowed doctored queries into the company's database.
  • Failed to account for the sensitivity of genetic data in its security protocols.
  • Repeatedly denied that the incident had taken place and omitted key details.

Overall, Bonta's lawsuit alleges that 23andMe violated California's Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act, among other statutes.


The big picture

Lawsuits like this one are meant to hold organizations accountable for large data breaches, and this case shows that even years later, after a bankruptcy filing and a rebranding, an organization can still be held responsible for poor leadership and decision-making.

Few data breaches have been as large or as global, although the case is comparable to the 2025 breach at Episource, which affected 5.4 million individuals and still has lawsuits pending. Larger breaches exist, such as the Change Healthcare incident in 2024 (190 million individuals) and the Kaiser Permanente breach in 2024 (13.4 million). Genetic data, however, is especially sensitive: it cannot be changed after exposure, it reveals information about relatives as well as the account holder, and, as this case shows, it can be weaponized at a time of rising hate crime and division. Accountability can be slow and difficult to achieve, and the lawsuit is a reminder that an issue no longer in the news may still be working its way through the courts.


FAQs

How can credential stuffing be prevented?

Credential stuffing is among the more preventable attack techniques because it depends on people reusing passwords across sites: the attacker replays username and password pairs leaked from earlier breaches and gets in wherever a pair still works. On the user side, a unique password for every site (in practice, a password manager) defeats it. Organizations should not rely on users alone: they should require multi-factor authentication, check new passwords against lists of known-breached passwords, rate-limit login attempts, and alert when a single source tries many different accounts with a low success rate, which is the signature of a stuffing campaign. The few logins that do succeed during such a burst are the compromised accounts and should be locked and reset.
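As an added example (not code from the article, from 23andMe, or from any regulator it cites), the following Python block shows two of the server-side controls described above: a detector that flags a source IP trying many distinct accounts with a low success rate inside a short window and returns the accounts that did succeed, and a password check that rejects passwords found in a breached-password set using the prefix-range lookup shape that services like Have I Been Pwned expose, kept entirely local here. The log lines, thresholds and breached-password list are constructed for illustration.

```python
"""Added example: two server-side controls against credential stuffing.
Not from the article or from 23andMe; log data, thresholds and the
breached-password set below are constructed assumptions."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 walks through many accounts in seconds (stuffing pattern);
# 198.51.100.2 is one user mistyping a password and then succeeding.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:02 203.0.113.7 carol FAIL
2023-05-01T10:00:03 203.0.113.7 dave OK
2023-05-01T10:00:03 203.0.113.7 erin FAIL
2023-05-01T10:00:04 203.0.113.7 frank FAIL
2023-05-01T10:00:05 203.0.113.7 grace FAIL
2023-05-01T10:00:05 203.0.113.7 heidi FAIL
2023-05-01T10:00:06 203.0.113.7 ivan FAIL
2023-05-01T10:00:06 203.0.113.7 judy OK
2023-05-01T10:00:07 203.0.113.7 mallory FAIL
2023-05-01T10:00:08 203.0.113.7 niaj FAIL
2023-05-01T10:01:00 198.51.100.2 alice FAIL
2023-05-01T10:01:30 198.51.100.2 alice FAIL
2023-05-01T10:02:00 198.51.100.2 alice OK
"""


def parse_log(text):
    """Parse the constructed log format into (time, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(text, window=timedelta(minutes=5), min_users=10,
                    max_success_rate=0.3):
    """Flag source IPs that, within any sliding `window`, attempted at least
    `min_users` distinct accounts with a success rate <= `max_success_rate`.
    Returns {ip: {"distinct_users", "success_rate", "compromised"}} where
    "compromised" lists the accounts that logged in successfully during the
    burst (the ones to lock and reset). Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            if len(users) < min_users:
                continue
            rate = sum(e[3] for e in chunk) / len(chunk)
            if rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "success_rate": round(rate, 3),
                        "compromised": sorted({e[2] for e in chunk if e[3]}),
                    }
    return flagged


# Constructed stand-in for a breached-password corpus, stored as upper-case
# SHA-1 hex as the Have I Been Pwned range API does. A real deployment would
# query that service; here the lookup stays offline.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "qwerty", "letmein", "welcome1")
}


def range_lookup(prefix):
    """Local stand-in for a k-anonymity range query: given the first five hex
    characters of a SHA-1, return the suffixes of all breached hashes sharing
    that prefix. The full hash never leaves the caller."""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if `password` appears in the breached set; reject it at signup or
    password change and ask the user for a different one."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts, "
              f"success rate {info['success_rate']}, "
              f"compromised {info['compromised']}")
    for pw in ("password123", "correct horse battery staple"):
        print(f"{pw!r} breached: {is_breached(pw)}")
```

The detector keys on the ratio, not the raw failure count: a stuffing run against a site with moderate password reuse still succeeds a few percent of the time, so a per-account lockout never fires, while the distinct-account count from one source does. The password check uses the range shape so that a real implementation can swap `range_lookup` for an HTTPS call that sends only the 5-character prefix.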


Can an organization be sued if they go bankrupt?

Bankruptcy can dramatically slow litigation, because claims against the company are handled through the bankruptcy process rather than ordinary lawsuits. However, an organization that goes bankrupt and then rebrands can still be found financially responsible, as this case shows; the process is simply slower and more drawn out.
