California AG Sues 23andMe Over Alleged Ransom Negotiations and Deception in 6.9M Record Breach

Attorney General Rob Bonta alleges the company engaged in undisclosed ransom negotiations while publicly downplaying a 2023 credential-stuffing attack that exp…

California Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, on May 28, 2026. The complaint alleges severe security failures that enabled a 2023 credential-stuffing attack, exposing the genetic and health data of approximately 6.9 million individuals. Furthermore, the AG alleges the company issued misleading public statements while simultaneously negotiating with the attacker. The lawsuit sets a critical precedent for the health-tech sector: it marks the first time a state AG has sued a genetic testing company for specific violations of California’s Genetic Information Privacy Act (GIPA).

Key Takeaways
  • Approximately 14,000 accounts compromised via credential stuffing were used to scrape data from nearly 7 million users due to a coding error in the "DNA Relatives" feature.
  • The threat actor remained undetected within 23andMe’s systems for over five months; the company only launched an investigation after the data was offered for sale on the dark web.
  • 23andMe allegedly negotiated with the attacker while issuing public statements that denied the severity of the incident and shifted blame onto users.
  • The lawsuit alleges violations of the Genetic Information Privacy Act, Reasonable Data Security Law, CCPA, False Advertising Law, and Unfair Competition Law, with penalties ranging from $1,000 to $7,500 per violation.

Anatomy of a Breach: From 14,000 Accounts to 6.9 Million Records

The attack began with credential stuffing, a technique leveraging credentials stolen in previous third-party breaches. According to the California AG’s office, attackers utilized passwords leaked in the 2017 MyHeritage breach—a service 23andMe had actively encouraged its own users to use. Despite this known risk, 23andMe failed to mandate password resets or multi-factor authentication (MFA) following that incident.

The 14,000 directly compromised accounts were merely the entry point. Attackers exploited a vulnerability linked to a "critical coding error" in the application's "DNA Relatives" feature, which allowed for manipulated database queries. This mechanism amplified the impact from thousands of compromised accounts to approximately 6.9 million records, including 855,541 California residents. The available source material does not specify the precise technical nature of the vulnerability; no CVE or structured advisory appears in the documentation examined.

"23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach." — California Attorney General Rob Bonta

Five Months of Invisibility and Ignored Red Flags

The timeline reveals systemic security latency. The threat actor operated undetected within 23andMe’s systems for more than five months. During this window, several warning signs went uninvestigated: a spike in suspicious logins in July 2023 and a Reddit post in August 2023 discussing a potential breach and the sale of user data.

23andMe initiated an investigation only after the attacker explicitly offered the stolen data for sale on the dark web and contacted the company to demand a ransom. The data for sale was advertised as belonging to users of Asian American Pacific Islander (AAPI) and Ashkenazi Jewish descent—ethnic targeting that led Bonta to describe the episode as "disturbing and incredibly dangerous" amid rising anti-AAPI and antisemitic violence.

The Double Game: Ransom Negotiations and Misleading Communication

The core of the AG’s legal strategy focuses on corporate behavior rather than technical failure. The official statement documents that 23andMe was "simultaneously negotiating with the threat actor... while 23andMe assured the public that it had not experienced a data security incident." This simultaneity is the most significant legal aggravating factor: the combination of clandestine negotiations and public denial is interpreted as a violation of the False Advertising Law and Unfair Competition Law, as well as an escalation of the Reasonable Data Security Law violation.

According to the prosecution, the company’s public statements not only minimized the incident but explicitly shifted blame to users, citing weak or reused passwords. The AG counters this defense by arguing that the absence of mandatory MFA, effective rate limiting, and anomaly detection constituted an "unreasonable" failure under California law, regardless of user behavior.

Why It Matters

The brief does not document any specific corrective measures imposed or recommended in the primary source. The AG’s statement confines itself to describing the identified deficiencies: the lack of mandatory MFA, the absence of effective rate limiting, the failure of anomaly detection, and the "coding error" in DNA Relatives. No detailed operational guidance on how the company should have implemented these controls is provided.
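Two of the controls the AG names, rate limiting and anomaly detection on login traffic, are the ones that would have surfaced a credential-stuffing campaign early (the July 2023 login spike is exactly the signal the second one exists to catch). The block below is an added example written for this article; it is not code from 23andMe, from the complaint or from the AG's office. The log line format, the RFC 5737 documentation IP addresses, the usernames and every threshold are constructed assumptions, chosen only so that the three detectors have something to fire on. MFA is a policy control rather than a log-analysis one and is not modelled here.

```python
"""Credential-stuffing detectors over a constructed login log (illustration only).

Not code from 23andMe or the AG's complaint. The log format (timestamp, ip=, user=,
result=), the addresses, the usernames and the thresholds are all assumptions.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: three ordinary users through the morning, then one
# address that sprays eight different usernames within seconds (the stuffing
# pattern: many accounts, mostly failures, a handful of successes).
SAMPLE_LOG = """\
2023-07-01T07:10:00Z ip=198.51.100.7 user=alice result=ok
2023-07-01T07:12:00Z ip=198.51.100.8 user=bob result=fail
2023-07-01T07:12:20Z ip=198.51.100.8 user=bob result=ok
2023-07-01T08:30:00Z ip=198.51.100.9 user=carol result=fail
2023-07-01T08:30:40Z ip=198.51.100.9 user=carol result=ok
2023-07-01T09:15:00Z ip=198.51.100.7 user=alice result=ok
2023-07-01T10:00:01Z ip=203.0.113.5 user=dave result=fail
2023-07-01T10:00:02Z ip=203.0.113.5 user=erin result=fail
2023-07-01T10:00:03Z ip=203.0.113.5 user=frank result=fail
2023-07-01T10:00:04Z ip=203.0.113.5 user=grace result=ok
2023-07-01T10:00:05Z ip=203.0.113.5 user=heidi result=fail
2023-07-01T10:00:06Z ip=203.0.113.5 user=ivan result=fail
2023-07-01T10:00:07Z ip=203.0.113.5 user=judy result=fail
2023-07-01T10:00:08Z ip=203.0.113.5 user=mallory result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts, m.group(2), m.group(3), m.group(4) == "ok"))
    return attempts


def rate_limit_violations(attempts, window=timedelta(seconds=60), max_attempts=5):
    """Per-source rate limit: {ip: peak attempts in any sliding window} for IPs over the cap."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a.ts)
    violations = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            violations[ip] = peak
    return violations


def stuffing_suspects(attempts, min_distinct_users=5, max_success_ratio=0.5):
    """Sources that try many distinct usernames with a low success rate.

    A shared NAT address also logs in many users, but mostly succeeds; a stuffing
    source replays leaked pairs and mostly fails, so both dimensions are needed.
    """
    users, total, ok = defaultdict(set), defaultdict(int), defaultdict(int)
    for a in attempts:
        users[a.ip].add(a.user)
        total[a.ip] += 1
        ok[a.ip] += a.ok
    suspects = {}
    for ip in total:
        ratio = ok[ip] / total[ip]
        if len(users[ip]) >= min_distinct_users and ratio <= max_success_ratio:
            suspects[ip] = {"distinct_users": len(users[ip]),
                            "attempts": total[ip], "success_ratio": ratio}
    return suspects


def failure_spikes(attempts, factor=3.0):
    """Anomaly detection: hours whose failed-login count is >= factor x the median of the others.

    Returns {iso_hour: failures}. Every hour with any traffic is a bucket, so quiet
    hours contribute zeros to the baseline instead of being silently dropped.
    """
    fails = defaultdict(int)
    for a in attempts:
        hour = a.ts.replace(minute=0, second=0, microsecond=0)
        fails[hour] += (not a.ok)
    spikes = {}
    for hour, n in fails.items():
        others = [v for h, v in fails.items() if h != hour]
        baseline = max(statistics.median(others), 1) if others else 1
        if n >= factor * baseline:
            spikes[hour.isoformat()] = n
    return spikes


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("rate-limit violations:", rate_limit_violations(events))
    print("stuffing suspects:", stuffing_suspects(events))
    print("failure spikes:", failure_spikes(events))
```

The three detectors are deliberately independent: the rate limiter blocks a single noisy source, the distinct-user ratio catches a source that stays under the rate cap, and the hourly spike check catches a campaign spread across many addresses, which is the form a real stuffing run usually takes. In production the spike baseline would be a trailing window of prior days rather than the other hours of the same log, and the per-source keys would include device or session fingerprints as well as the IP.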

The source does not specify whether the AG’s lawsuit will influence the $50 million class-action settlement approved in January 2026, nor does it detail the outcome of the bankruptcy asset sale initiated in 2024. The two proceedings—the AG’s regulatory-criminal lawsuit and the Chapter 11 filing—remain separate. The identity of the threat actor and the exact details of the negotiations are not reported in the available sources.

The value of the case lies in the regulatory precedent. For the first time, a state prosecutor has applied the Genetic Information Privacy Act to a credential-stuffing breach, establishing that this type of attack is not an "acceptable incident" but a punishable security failure. This same logic—that special category data requires more stringent protection standards even against "common" threats like password reuse—previously resulted in a £2.31 million fine from the UK ICO regarding the 155,592 British residents affected by the same breach.

Context: Bankruptcy, Class Actions, and Fragmented Liability

23andMe filed for bankruptcy in 2024. Between 2024 and 2026, the company negotiated a class-action settlement that grew from $30 million to $50 million, receiving approval in January 2026. Attorney General Bonta’s lawsuit overlaps with this timeline but remains formally distinct, raising practical questions regarding the collection of penalties from an entity in liquidation.

The most relevant takeaway for the industry is the jurisdictional fragmentation of liability: one breach, three parallel enforcement actions (US class action, California AG, UK ICO) with differing punitive logics. For health-tech and biotech firms, this pattern indicates that the right to data portability and the reuse of genetic data—central to the DTC business model—is colliding with an increasingly layered accountability regime.

The narrative pivot suggested by the brief—the tension between crisis management and mandatory transparency for genetic data—finds its center in the ransom negotiations. It is not the technical compromise alone that determines legal severity, but the communicative choices that followed. In a sector where trust is the most volatile asset, the California AG has determined that undisclosed negotiations constitute an independent violation, not merely a moral failing.

Information is based on the cited source and is current as of the time of publication.
