Overview
- Attorney General Rob Bonta filed the complaint in San Francisco Superior Court on Thursday accusing Chrome Holding Co., the legal successor to 23andMe, of violating California privacy and consumer laws.
- The suit says hackers used credential-stuffing and a critical coding error in the company’s DNA Relatives feature to steal data tied to about 6.9 million users after operating inside systems for roughly five months in 2023.
- Bonta alleges the company ignored warnings, missed obvious signs of intrusion, negotiated with and paid the attacker, and gave misleading public statements that downplayed the breach.
- About one million records were offered for sale on the dark web and the seller highlighted data belonging to Asian American/Pacific Islander and Jewish users, which the complaint says raised risks of targeted harm.
- The enforcement action sits alongside bankruptcy-era settlements and an approved $30–50 million customer fund, and the complaint notes any monetary recovery could be affected by those prior bankruptcy proceedings.