California sues 23andMe shell after genetic data scrape

California sued Chrome Holding Co., alleging a coding flaw in 23andMe’s DNA Relatives feature allowed attackers to scrape genetic data from nearly seven million customers after a 2023 breach.

California Attorney General Rob Bonta filed suit on May 27, 2026, in San Francisco Superior Court against Chrome Holding Co., the corporate shell left after 23andMe’s bankruptcy, alleging security failures and misleading statements around a 2023 data breach.

The complaint says attackers used credential‑stuffing techniques on 23andMe’s login page in 2023 and remained inside the systems for about five months before detection. Roughly 14,000 accounts were directly accessed using reused credentials, the filing says. The intruders then exploited a coding error in the company’s DNA Relatives feature to collect genetic and profile data from just under seven million customers who had opted into that service.

The lawsuit describes the coding flaw as allowing the attackers to pivot from the initially compromised accounts and scrape information on users connected through kinship matching. The complaint lists exposed items including genetic ancestry details and profile data. It says some records posted for sale on the dark web identified groups such as Asian American Pacific Islander and Jewish customers, and notes concerns about targeted harm given a contemporaneous rise in antisemitic violence.
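The two signals the complaint describes, a credential-stuffing run against the login page and a single compromised account then pulling data on many connected users, are both visible in ordinary access logs if someone is looking for them. The following is an added detection example, not code from the article or from 23andMe: it runs two heuristics over constructed sample log lines (the log format, field names, addresses and thresholds are all assumptions made for this example) and then correlates them to surface accounts that were logged into from a stuffing source and went on to harvest connected profiles.

```python
"""Detection heuristics for (1) credential stuffing against a login endpoint and
(2) bulk harvesting of connected-profile data by one account, correlated to find
accounts that show both. Log format and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not real service logs).
# "<iso-time> auth src=<ip> user=<account> result=ok|fail"
# "<iso-time> relatives user=<account> viewed=<connected-profile-id>"
SAMPLE_LOG = """\
2023-05-01T10:00:01Z auth src=203.0.113.5 user=alice result=fail
2023-05-01T10:00:02Z auth src=203.0.113.5 user=bob result=fail
2023-05-01T10:00:03Z auth src=203.0.113.5 user=carol result=ok
2023-05-01T10:00:04Z auth src=203.0.113.5 user=dana result=ok
2023-05-01T10:00:05Z auth src=203.0.113.5 user=erin result=fail
2023-05-01T10:00:06Z auth src=203.0.113.5 user=frank result=fail
2023-05-01T10:00:07Z auth src=203.0.113.5 user=grace result=fail
2023-05-01T10:00:08Z auth src=203.0.113.5 user=heidi result=fail
2023-05-01T10:01:00Z auth src=198.51.100.7 user=alice result=fail
2023-05-01T10:01:05Z auth src=198.51.100.7 user=alice result=ok
2023-05-01T10:02:00Z auth src=198.51.100.9 user=bob result=ok
2023-05-01T10:05:00Z relatives user=alice viewed=r900
2023-05-01T10:06:00Z relatives user=alice viewed=r901
""" + "\n".join(
    # one legitimately logged-in user then paging through 60 connected profiles in a minute
    f"2023-05-01T10:10:{i:02d}Z relatives user=dana viewed=r{i:03d}" for i in range(60)
) + "\n"


def parse_line(line):
    """Parse one log line into a dict; returns None for lines it does not understand."""
    parts = line.split()
    if len(parts) < 3:
        return None
    rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_credential_stuffing(log_text, min_distinct_users=5, min_failures=3):
    """Flag source addresses that try many distinct accounts with several failures:
    the fingerprint of replaying a leaked username/password list."""
    users, failures, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["event"] != "auth":
            continue
        users[rec["src"]].add(rec["user"])
        if rec["result"] == "fail":
            failures[rec["src"]] += 1
        else:
            successes[rec["src"]] += 1
    return {
        src: {"distinct_users": len(u), "failures": failures[src], "successes": successes[src]}
        for src, u in users.items()
        if len(u) >= min_distinct_users and failures[src] >= min_failures
    }


def detect_profile_harvesting(log_text, window_minutes=60, max_profiles=25):
    """Flag accounts that view more distinct connected profiles inside a sliding
    window than an ordinary user plausibly would; returns the peak count per account."""
    views = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "relatives":
            views[rec["user"]].append((rec["ts"], rec["viewed"]))
    window, flagged = timedelta(minutes=window_minutes), {}
    for user, events in views.items():
        events.sort()
        start = 0
        for i, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:
                start += 1
            distinct = len({v for _, v in events[start:i + 1]})
            if distinct > max_profiles:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def accounts_logged_in_from(log_text, sources):
    """Accounts that authenticated successfully from any of the given source addresses."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "auth" and rec["result"] == "ok" and rec["src"] in sources:
            hits.add(rec["user"])
    return hits


def correlate(log_text):
    """Accounts that were logged into from a stuffing source and then harvested
    connected profiles: the pivot pattern, worth an immediate session revoke and review."""
    stuffing = detect_credential_stuffing(log_text)
    harvesting = detect_profile_harvesting(log_text)
    return sorted(accounts_logged_in_from(log_text, set(stuffing)) & set(harvesting))


if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(SAMPLE_LOG))
    print("harvesting accounts:", detect_profile_harvesting(SAMPLE_LOG))
    print("pivot candidates:", correlate(SAMPLE_LOG))
```

On the sample data the stuffing detector flags only `203.0.113.5` (eight distinct accounts, six failures, two successes), the harvesting detector flags only `dana`, and the correlation reduces the two lists to the single account that matters. The per-account harvesting threshold is the control the complaint's description implies was missing: a connected-profile feature that returns unbounded data per session lets one reused password turn into exposure for everyone linked to that account.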

After the breach became public, 23andMe sent a letter to victims’ lawyers blaming some exposure on users who reused passwords and saying shared data had been provided voluntarily and would not cause “pecuniary harm,” the complaint recounts. Bonta’s office argues the company’s product design and security failures produced the broader exposure.

California is seeking statutory penalties of $1,000 to $7,500 per violation under state law. The complaint identifies 855,541 affected Californians among the nearly seven million users whose data was taken, a number that sets the scale of the potential penalty if the court treats each affected resident as a separate violation and applies the full statutory range. The filing also alleges the company made misleading statements about its security practices.

23andMe filed for Chapter 11 in March 2025 and sold most assets, including genomic data on more than 15 million customers, to TTAM Research Institute, a nonprofit founded by former CEO Anne Wojcicki. Chrome Holding Co. retained remaining assets and received $305 million from that sale. Several states opposed the transfer under the Genetic Information Privacy Act; a federal bankruptcy judge approved the sale and the states are appealing.

Regulators and courts have acted in other jurisdictions. The U.K. Information Commissioner’s Office fined the company £2.31 million following an investigation, and a U.S. class‑action settlement covering most customer claims was approved for $50 million in January 2026 after an initial $30 million deal.

Customers who used 23andMe have been advised to reset any passwords reused on other sites, enable multi‑factor authentication where offered and watch for phishing attempts that reference the company or the breach. The complaint notes that while passwords can be changed, genetic information cannot be recovered once exposed.

The lawsuit seeks to hold Chrome Holding Co. accountable for the alleged security failures and misleading statements and will test whether statutory damages can be recovered from the corporate shell that retains proceeds from the asset sale.
