When DNA Is No Longer Private: California Sues 23andMe Successor Over Massive Data Breach
This article breaks down the legal and ethical fallout of California Attorney General Rob Bonta's lawsuit against Chrome Holding Co., the successor to the genetic testing company 23andMe, following a massive 2023 data breach. The article explains how hackers used a technique called "credential stuffing" to break into user accounts and scrape the sensitive genetic and ancestral information of roughly 6.9 million people via the "DNA Relatives" tool.
When you spit into a tube to uncover your ancestry or health risks, you expect that the blueprint of who you are will remain strictly confidential. But a massive data breach proved that even our most intimate information isn't entirely safe. In a major legal escalation, California Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co.—the company formerly known as 23andMe—for failing to protect the sensitive biological data of millions of customers.
The lawsuit revives the fallout from a devastating 2023 cyberattack that compromised the personal and genetic information of roughly 6.9 million users in the United States. While the corporate name has changed following bankruptcy proceedings, the legal and ethical responsibility has not.
What Happened in the Breach?
The hacking method used was a common trick known as "credential stuffing." Cybercriminals took usernames and passwords that had been stolen from completely unrelated websites and tried them on 23andMe. Because many users reuse passwords, the hackers successfully broke into a subset of accounts.
However, the damage didn't stop there. By infiltrating those few accounts, hackers were able to scrape the data of millions of other users through the platform’s opt-in "DNA Relatives" tool—a feature designed to connect people with biological relatives. The stolen cache included names, birth years, family trees, and detailed genetic percentages showing geographic ancestry and health predispositions.
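The credential-stuffing pattern described above leaves a recognizable trace in a service's login logs, and the accounts it does open are the footholds through which a relative-matching view can be scraped. As an added, defender-side example (not from the article or from 23andMe), the Python below flags that pattern over constructed sample events; the log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample login events (not real data): "timestamp src_ip username result"
SAMPLE_LOGS = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:03 203.0.113.7 carol OK
2023-10-01T10:00:04 203.0.113.7 dave FAIL
2023-10-01T10:00:05 203.0.113.7 erin FAIL
2023-10-01T10:00:06 203.0.113.7 frank OK
2023-10-01T10:05:00 198.51.100.5 alice FAIL
2023-10-01T10:05:20 198.51.100.5 alice OK
2023-10-01T10:07:00 192.0.2.9 bob FAIL
2023-10-01T10:07:01 192.0.2.9 bob FAIL
2023-10-01T10:07:02 192.0.2.9 bob FAIL
2023-10-01T10:07:03 192.0.2.9 bob FAIL
2023-10-01T10:07:04 192.0.2.9 bob FAIL
"""

def parse(text):
    """Split raw log text into (timestamp, ip, user, result) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def stuffing_sources(events, min_attempts=5, min_distinct_users=4, max_success_rate=0.5):
    """Flag source IPs showing the credential-stuffing signature: many attempts spread
    over many *different* usernames with only a small fraction succeeding. A one-user
    burst of failures (brute force) or a user mistyping once does not match."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for _, ip, user, result in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if result == "OK":
            stats["ok"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and s["ok"] / s["attempts"] <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]), "successes": s["ok"]}
    return flagged

def compromised_accounts(events, **thresholds):
    """Accounts that logged in successfully from a flagged source: the ones to force
    a password reset on and to review for bulk relative-list access."""
    bad_ips = stuffing_sources(events, **thresholds)
    return sorted({u for _, ip, u, r in events if ip in bad_ips and r == "OK"})
```

On the sample data only 203.0.113.7 is flagged; the home IP with one mistyped password and the single-account brute-force source are not, which is the distinction a detection rule for this technique needs to make.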
Blaming the Victims: The Legal Fuse
What turned this data breach into a landmark legal battle wasn’t just the security failure, but how the company handled it. Following the hack, 23andMe initially deflected blame, arguing that the breach was the fault of negligent customers who recycled their passwords.
California’s Attorney General strongly disagreed. The state's lawsuit alleges that the company failed to maintain reasonable security measures to safeguard exceptionally sensitive biological profiles. Furthermore, the state argues that the company downplayed the severity of the incident, dismissively suggesting that the stolen genetic data was essentially public information anyway.
The Ethical Minefield of Stolen DNA
Unlike a stolen credit card number, you cannot cancel your DNA. You cannot change your genetic code if it falls into the wrong hands. This permanence is what makes the 23andMe breach an ethical nightmare.
The ethical concerns deepen when looking at how the stolen data was handled on the dark web. Hackers compiled and sold targeted lists of users based specifically on their ethnicity, explicitly isolating groups like individuals of Ashkenazi Jewish heritage and Chinese ancestry. In an era of rising online hate speech and targeted violence, weaponizing someone's genetic heritage poses a profound physical and psychological safety risk.
Furthermore, genetic data is inherently communal. When you opt into a feature like "DNA Relatives," your choices affect your parents, siblings, children, and cousins. Millions of people who practiced perfect cybersecurity hygiene still had their data stolen simply because a distant relative reused a password. This raises a pressing ethical dilemma: Do corporations have a heightened moral obligation to protect data that belongs not just to an individual, but effectively to an entire family line?
What Happens Next?
As Chrome Holding Co. navigates the legal fallout, the lawsuit serves as a fierce warning to the entire digital health industry. It signals that regulators will no longer accept corporate finger-pointing when it comes to data protection.
For everyday consumers, the case is a sobering reminder of the trade-offs involved in modern convenience and curiosity. Discovering your roots is fascinating, but once your genetic blueprint leaves your hands, ensuring its privacy is a battle fought in the courts.
For more context on how consumers reacted to the initial fallout of this security crisis and the corporate restructuring, you can watch this report on Customers concerned about personal data amid bankruptcy, which highlights the growing public anxiety surrounding the long-term safety of genetic information.
Learn more about Genetic privacy — who owns your DNA once you submit a sample, what GINA does and does not protect, what the 23andMe bankruptcy of 2025 meant for customer data, and how forensic genetic genealogy works. What to do about all of it is in the Kinnara Fund's book Your DNA, Your BluePrint: Understanding Your Genome, Your Health Risks, and the Power You Hold to Shape Your Own Biology, available on Amazon.