What Is A Data Breach: California Sues Chrome Holding Co. Over 2023 23andMe Hack

California AG Rob Bonta sued Chrome Holding Co. over a 2023 breach that exposed nearly 7 million users' genetic and profile data.

By Nathan Reed, Editor
Tech writer covering AI, cloud infrastructure, and enterprise software. Former software engineer at Google with 7 years in technology journalism.

California Attorney General Rob Bonta sued Chrome Holding Co. on Thursday, accusing the company formerly known as 23andMe of failing to protect user data in a 2023 cyberattack that exposed data linked to nearly 7 million customers.

The complaint alleges attackers used credential stuffing to access roughly 14,000 accounts and stole data tied to almost 7 million people. Prosecutors say the intruders used credentials lifted from a massive October 2017 breach of , operated undetected inside the company's systems for more than five months and began offering the stolen records for sale on the dark web in October 2023.

The material for sale, the suit says, included raw genetic files, health reports, DNA shared with relatives and identifying details such as locations and birth years of relatives. A dark-web poster claimed about 1.1 million of the exposed consumers were Asian-Pacific Islander and Ashkenazi Jewish users. The complaint contends these are not abstract privacy losses but sensitive, long-lived personal details tied to ancestry and health.

For readers asking what is a data breach, the lawsuit answers with method and consequence: attackers gained unauthorized access by reusing compromised credentials and then monetized the data on the dark web. The company has acknowledged that customer profile information shared through its DNA Relatives feature was accessed and said it required two-step verification and new passwords after the incident.

Bonta framed the filing in stark terms, saying the conduct was dangerous and avoidable. He called the breach "disturbing and incredibly dangerous" and said the investigation found the company failed to take basic steps to protect users' data and later misled consumers about how serious the incident was. The suit alleges the company continued to downplay the severity of the breach after notifying the public.

The complaint places a central point of friction at the timeline. Chrome Holding Co. and its representatives have said they first discovered the compromise in October 2023 when the stolen files appeared for sale. Prosecutors counter that warning signs appeared months earlier: a suspicious spike in login attempts in July 2023 and a Reddit post in August suggesting a possible breach and sale of user records. The suit charges the company failed to investigate those red flags and only opened a full inquiry after the attacker demanded a ransom and listed the data online.

The legal filing comes after related fallout: the company agreed to a $30 million cash settlement in a class action tied to the incident, and the UK fined the firm £2.31m for unauthorized access to the personal data of 155,592 UK residents. The business now operates as Chrome Holding Co. following a bankruptcy filing and a sale last July to , approved by a court in a transaction valued at $305 million.

Bonta's lawsuit asks the court to impose civil penalties and to order injunctive relief designed to prevent future lapses. The state has not yet secured a hearing date and the next procedural steps are pending. The unresolved question that animates the case — and the one consumers and regulators will press hardest — is how many of the nearly 7 million affected users had especially sensitive genetic or identity-linked records exposed in ways that could cause lasting harm.
