
Chrome Holding Co., the company formerly known as 23andMe, is facing a lawsuit filed by California Attorney General Rob Bonta over the massive 2023 security breach that compromised millions of people's sensitive data. Bonta accuses the company of misleading customers and failing to protect their "sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry and ethnicity." The incident affected 7 million users across the US, the lawsuit said, 855,541 of whom were California residents.
23andMe, which sold customers DNA testing kits so they could learn their ancestral origins and genetic health risks, admitted back in 2023 that bad actors had gained access to users' accounts through credential stuffing: replaying username and password pairs leaked in other sites' breaches against its login page, which succeeds wherever a user has reused the same password. Bonta argued that companies, especially one that collects genetic data, should know to guard against such a common method of cyberattack.
In 23andMe's case, the hackers apparently used credentials stolen in earlier data breaches, including from an attack on MyHeritage, another genealogy website that 23andMe worked with. Bonta says that even though 23andMe was aware of the MyHeritage breach, it never checked for, or prevented, users reusing those leaked credentials on its own service. That is particularly notable because 23andMe allegedly encouraged its users to sign up for a MyHeritage account as well.
It wasn't just credential stuffing that let the bad actors steal millions of private records. After using that technique to break into 14,000 accounts, they exploited a vulnerability in the website's DNA Relatives feature, which shows a user profile information about other customers who share DNA with them, to access data belonging to far more customers than the accounts they had actually hijacked. Bonta said the company's security measures were so lax that the hackers were able to operate undetected inside its systems for five months. He added that the company only began investigating after the bad actors had already started selling stolen user data on the dark web and demanding a ransom.
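The two stages described above, a credential-stuffing spray against the login endpoint followed by bulk scraping through a relatives-matching feature, each leave a distinct signature in ordinary access logs, and the complaint's point about never checking for credentials leaked from a partner's breach is a check a login flow can perform directly. The script below is an added example for this article, not 23andMe's code: the log format, field names, thresholds and every sample event are constructed for illustration.

```python
"""Detection heuristics for the two attack stages described in the article:
credential stuffing against a login endpoint, then bulk scraping of other
users' data through a relatives-matching feature, plus a breached-password
check of the kind the complaint says was never performed.

Added example for this article, not 23andMe's code. The log format, field
names, thresholds and all sample events are constructed for illustration.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format, one event per line:
#   <ISO-8601 time> <event> <source IP> <account> <login result | profile id>
# 203.0.113.9 sprays eight different accounts inside a minute (two succeed),
# then uses one hijacked account to pull 120 relatives' profiles.
# 198.51.100.7 is a legitimate user who mistypes a password once.
_STUFFING = [
    f"2023-04-20T01:00:0{i}Z login 203.0.113.9 user{i}@example.com {r}"
    for i, r in enumerate("FAIL FAIL OK FAIL FAIL FAIL OK FAIL".split())
]
_SCRAPE = [
    f"2023-04-20T01:{5 + i // 60:02d}:{i % 60:02d}Z relative_view 203.0.113.9 "
    f"user2@example.com p{1000 + i}"
    for i in range(120)
]
_NORMAL = [
    "2023-04-20T09:12:00Z login 198.51.100.7 carol@example.com FAIL",
    "2023-04-20T09:12:30Z login 198.51.100.7 carol@example.com OK",
    "2023-04-20T09:15:00Z relative_view 198.51.100.7 carol@example.com p2001",
    "2023-04-20T09:16:00Z relative_view 198.51.100.7 carol@example.com p2002",
]
SAMPLE_LOG = "\n".join(_STUFFING + _SCRAPE + _NORMAL)


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, ip, account, extra = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "kind": kind, "ip": ip, "account": account, "extra": extra,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that, within one time bucket, try many distinct
    accounts with a low success rate: a leaked credential list being
    replayed, as opposed to one user fumbling their own password."""
    buckets = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": 0})
    for e in events:
        if e["kind"] != "login":
            continue
        bucket = int(e["time"].timestamp() // window.total_seconds())
        b = buckets[(e["ip"], bucket)]
        b["accounts"].add(e["account"])
        b["attempts"] += 1
        b["ok"] += e["extra"] == "OK"
    flagged = {}
    for (ip, _), b in buckets.items():
        rate = b["ok"] / b["attempts"]
        if len(b["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"accounts_tried": len(b["accounts"]),
                           "compromised": b["ok"], "success_rate": rate}
    return flagged


def detect_relative_scraping(events, max_profiles=100):
    """Flag accounts that fetch an abnormal number of distinct other users'
    profiles. A genuine user browses a handful of matches; a scraper walks
    the whole list, which is how a few thousand hijacked accounts can expose
    data on millions of people who were never directly compromised."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "relative_view":
            seen[e["account"]].add(e["extra"])
    return {acct: len(p) for acct, p in seen.items() if len(p) > max_profiles}


def password_in_breach_corpus(password, breached_sha1_hashes):
    """Check a candidate password against a set of SHA-1 hashes of passwords
    exposed in earlier breaches (upper-case hex, the form public corpora such
    as Pwned Passwords use). A registration or login flow that does this can
    refuse an already-leaked password instead of waiting for it to be replayed."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in breached_sha1_hashes


# Constructed stand-in for a breach corpus: hashes of two weak passwords.
BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper()
            for p in ("password123", "letmein")}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("relatives scraping:", detect_relative_scraping(evs))
    print("reused breached password:",
          password_in_breach_corpus("password123", BREACHED))
```

The stuffing detector keys on distinct accounts per source rather than failures per account, because a spray touches each account once and never trips a per-account lockout; the scraping detector counts distinct profiles per account, because the abuse is in the breadth of access by an already-authenticated session, not in anything a login check would see. Thresholds are illustrative and would be tuned against real traffic.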
Bonta accused 23andMe of omitting crucial information when it notified customers about the breach. He said the company downplayed the sensitivity of the stolen data and claimed that the DNA Relatives feature was "essentially public," all while it was secretly negotiating with the bad actors, who were highlighting the inclusion of information about Asian American and Pacific Islander users, as well as Jewish users, in the dataset they were selling.
"The sale of this data on the dark web occurred amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information," Bonta wrote. "This is disturbing and extremely dangerous."
23andMe filed for bankruptcy in March 2025. As AP notes, it also faced a class-action lawsuit accusing the company of failing to protect its customers, and the judge overseeing its bankruptcy approved a $50 million settlement earlier this year.
