California Sues 23andMe Successor Over Genetic Data Breach That Targeted Ethnic Groups

California targets 23andMe successor over breach affecting 7 million users, including targeted attacks on ethnic communities

By Al Landes

Key Takeaways

  • California sues Chrome Holding Company over 23andMe breach exposing 7 million genetic profiles
  • Hackers targeted Asian American, Pacific Islander, Jewish genetic data during hate crime surge
  • The complaint alleges 23andMe paid a $400,000 cryptocurrency ransom while publicly downplaying the breach's severity to users

Nearly 7 million people discovered their most intimate biological secrets were stolen and sold on the dark web—including 855,000 Californians whose genetic predispositions and family connections became commodities for criminals.

California Attorney General Rob Bonta announced a lawsuit against Chrome Holding Company, the entity that emerged from 23andMe’s bankruptcy, alleging the company failed to protect users’ genetic information and then lied about it.

From Password Reuse to Genetic Profiling

A small credential stuffing attack snowballed into massive genetic data exposure through social features.

The breach started with something embarrassingly simple: attackers used passwords stolen from other sites to access roughly 14,000 23andMe accounts where users had recycled credentials. But here’s where it gets worse than your typical data breach.

Those compromised accounts became keys to the DNA Relatives feature, which lets a logged-in user view profile data of their genetic matches. Through it, the attackers reached profile data of 6.9 million additional users whose own accounts were never broken into: reusing a password or skipping two-factor authentication was not a precondition for having your data exposed. The blast radius was set not by the victims' account hygiene but by how much one authenticated account was allowed to read.
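As an added illustration (not code from the article, from 23andMe, or from the complaint), the Python model below shows why a social feature turns a small account takeover into a large data exposure. The visibility graph, user counts and match counts are constructed; the "read cap" is an assumed server-side throttle used to show how a service can bound the exposure, not a description of how DNA Relatives actually works.

```python
"""Blast-radius model for a social "relatives" feature (constructed example).

Each account can read a list of other users' profiles, standing in for a
feature like DNA Relatives.  Compromising a small set of accounts exposes the
union of everything those accounts can read.  All numbers are made up; they
are not 23andMe's real user or match counts.
"""
import random


def build_visibility_graph(n_users, matches_per_user, seed=0):
    """Return {account: set(profiles that account is allowed to read)}.

    Constructed graph: every user gets a fixed number of random 'matches'.
    Real match lists are not uniform, but a fixed fan-out is enough to show
    the amplification effect.
    """
    rng = random.Random(seed)
    visible = {}
    for user in range(n_users):
        matches = set()
        while len(matches) < matches_per_user:
            other = rng.randrange(n_users)
            if other != user:
                matches.add(other)
        visible[user] = matches
    return visible


def exposed_profiles(visible, compromised):
    """Profiles an attacker can read from a set of compromised accounts.

    The compromised accounts' own profiles are exposed, plus every profile
    those accounts may view.  Nothing the viewed users did on their own
    accounts (unique password, 2FA) changes this set.
    """
    exposed = set(compromised)
    for account in compromised:
        exposed |= visible.get(account, set())
    return exposed


def exposed_with_read_cap(visible, compromised, cap):
    """Same computation when the service throttles profile reads per account.

    Assumption: once an account hits the cap, the attacker gets no further
    profiles from it, so exposure is at most len(compromised) * (cap + 1).
    """
    exposed = set(compromised)
    for account in compromised:
        readable = sorted(visible.get(account, set()))[:cap]
        exposed.update(readable)
    return exposed


def amplification(visible, compromised):
    """Average number of profiles exposed per compromised account."""
    return len(exposed_profiles(visible, compromised)) / len(compromised)


if __name__ == "__main__":
    # Constructed scenario: 20,000 users, each able to read 100 matches,
    # 100 accounts taken over by credential stuffing.
    graph = build_visibility_graph(n_users=20_000, matches_per_user=100)
    stuffed = set(random.Random(1).sample(range(20_000), 100))
    print("compromised accounts:", len(stuffed))
    print("profiles exposed, no read cap:", len(exposed_profiles(graph, stuffed)))
    print("amplification factor: %.1f" % amplification(graph, stuffed))
    print("profiles exposed, 20 reads per account:",
          len(exposed_with_read_cap(graph, stuffed, cap=20)))
```

The thing to notice is that `exposed_profiles` scales with the feature's fan-out, not with the number of accounts the attacker actually cracked, and that a per-account read limit is one of the few controls that puts a hard bound on it from the service side.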

Your genetic code doesn’t get a password reset. Once exposed, data revealing health risks, ancestry, and biological relationships becomes permanent. The stolen information included:

  • Genetic predispositions
  • Family trees
  • Ethnicity data

Details that could affect everything from insurance coverage to personal safety.

Corporate Deception While Paying Ransom

23andMe publicly downplayed the breach while secretly negotiating with hackers.

According to Bonta’s complaint, 23andMe paid a $400,000 cryptocurrency ransom to the attackers while telling users the incident was limited. “Instead of protecting their customers, 23andMe left them vulnerable to an attack and then lied to consumers about it,” Bonta stated.

The company allegedly violated:

  • California’s Genetic Information Privacy Act
  • Consumer protection laws
  • Fair business practices regulations

The targeting gets darker: criminals marketed the stolen data specifically as belonging to Asian American, Pacific Islander, and Jewish users during a period of rising hate crimes against these communities. Bonta called this “disturbing and incredibly dangerous”: genetic information weaponized for potential discrimination.

International Regulatory Pile-On

UK and Canadian authorities imposed millions in penalties for inadequate security.

This isn’t just California’s fight. The UK’s Information Commissioner’s Office fined 23andMe £2.31 million for failing to protect the data of 155,592 British users, and Canadian regulators reached similar conclusions. These enforcement actions signal that regulators expect genetic data to be protected with measures beyond standard tech industry practice.

The company’s bankruptcy and rebrand as Chrome Holding won’t shield it from these legal consequences. Users still struggling to delete their accounts face the reality that their genetic information may become part of a corporate asset sale, adding another layer of uncertainty to an already compromised situation.
