California Attorney General Rob Bonta has hauled genetic-testing firm 23andMe into San Francisco Superior Court, accusing the company, now operating as Chrome Holding Co., of concealing the true scope of a 2023 cyberattack that exposed the ancestry and genetic information of nearly seven million customers. The complaint says the company failed to safeguard highly sensitive genetic and health data, misled users about what happened, and even negotiated with a threat actor while publicly downplaying how much was stolen. The filing marks a high-profile state enforcement move in an already long-running fight over who really controls Californians’ DNA.
What the state says
Bonta’s lawsuit alleges that 23andMe misrepresented the severity of the October 2023 incident and violated the California Consumer Privacy Act, the Genetic Information Privacy Act and the state’s unfair competition law, according to Reuters. The attorney general’s office also contends the company ignored repeated warnings that customer accounts were being targeted and that it negotiated with, and in some reporting paid, a threat actor while continuing to minimize the breach in its communications to customers, as reported by Bloomberg Law.
How the breach unfolded
According to security reporting and the company’s own notices, attackers relied on credential-stuffing, testing usernames and passwords that had already been exposed in other breaches, to break into accounts between spring and fall 2023. That quiet access allegedly let bad actors scrape ancestry reports, profile details and, in some cases, raw genotype files. 23andMe later acknowledged that roughly 6.9 million customers’ ancestry data had been exposed and that the intrusions went undetected for months, according to coverage by TechCrunch.
Bankruptcy and the wider data-sale fight
The new lawsuit lands in the middle of a larger scramble over the company’s future. 23andMe filed for Chapter 11 bankruptcy in March 2025, and more than two dozen states later sued to block any sale of its genetic database without explicit customer consent, arguing that DNA is uniquely sensitive, per the Associated Press. The company has defended how it handled both the breach and its data policies and previously told reporters that the states’ claims are without merit, insisting that any buyer of its assets would have to honor existing privacy protections, according to the Los Angeles Times.
What is likely to be contested in court
At the time of the initial reporting, a full copy of the complaint was not yet publicly available, and the attorney general’s press release did not spell out the specific remedies Bonta is seeking, Bloomberg Law noted. If the state ultimately proves violations of the CCPA or California’s Genetic Information Privacy Act, courts could impose civil penalties, order injunctive relief to prevent further disclosures, and require measures related to the deletion or destruction of improperly held genetic samples, legal analysts say, per reporting by Reuters.
What Californians can do now
While the legal fight ramps up, Bonta’s office has already laid out what affected customers can do immediately. The attorney general has advised 23andMe users of their rights under California law and published step-by-step instructions for permanently deleting accounts and requesting the destruction of stored biological samples. Those directions, along with links to the company’s account-deletion tools, are available in a consumer alert from the California Department of Justice.
