California Attorney General Rob Bonta sues Chrome Holding Co. (formerly 23andMe)
Bonta's office filed suit against Chrome Holding Co., the corporate entity formerly known as 23andMe, accusing the company of failing to implement adequate security controls for sensitive records and of misleading customers about the breach. The complaint alleges the company "collected genetic data about millions of people," then "failed to meet its obligation under California law to keep that information safe," and went on to assert that the company "lied to consumers about the severity of its 2023 data breach." Bonta's office used the word "disturbing" repeatedly, saying the sale of the stolen data on the dark web was "disturbing and incredibly dangerous" given the personal nature of the information.
How the 2023 breach unfolded: Golem, credential-stuffing, and DNA Relatives
The complaint recounts a 2023 intrusion in which a forum actor calling themselves "Golem" offered data allegedly from millions of 23andMe customers. Investigations later established the intruder directly breached about 14,000 accounts, but — because of 23andMe's DNA Relatives feature, which connects users who share DNA — the attacker was able to access the details of nearly 7 million customers. Regulators found that the initial account compromises stemmed from credential-stuffing attacks and that 23andMe failed to detect the intrusion for five months.
Legal and regulatory fallout: fines, settlements, and allegations of deception
The breach produced multiple enforcement and civil actions. The UK Information Commissioner fined the company £2.3 million ($3.09 million) in June 2025, a ruling that echoed U.S. findings by criticizing 23andMe for relying on inadequate password requirements, failing to detect the intrusion promptly, and not implementing measures to prevent bulk downloading of genetic data. Separately, 23andMe settled a class action lawsuit for $30 million in 2024.
Bonta's complaint goes further, alleging misleading public statements: that 23andMe told the public it "had not experienced a data security incident within its systems," downplayed the sensitivity of data from the DNA Relatives feature as "essentially public," and shifted blame to customers for credential reuse rather than acknowledging security shortfalls. The complaint also alleges the company negotiated with and paid a ransom to the threat actor to remove damaging online postings and to obtain information about multiple 23andMe security vulnerabilities — including vulnerabilities the threat actor exploited during the breach.
TTAM Research Institute, Anne Wojcicki, and the corporate handoff
TTAM Research Institute bought 23andMe's assets last year; the purchase of assets was completed on July 14, 2025. The nonprofit was founded and is led by Anne Wojcicki, who the complaint notes was 23andMe's CEO at the time of the breach and a co‑founder of the original company. TTAM promised to run 23andMe charitably, using its data to further medical research and education.
The publicly accessible operations of the consumer service have continued: 23andMe "continues to operate as it always did, taking customers' saliva samples and turning it into fun insights, such as what percentage of their makeup is Neanderthal, and whether their DNA makes them more or less likely to enjoy a scattering of cilantro on their food," the reporting notes. The Register contacted 23andMe's publicists and instead received a statement from the 23andMe Research Institute distancing itself from Chrome Holding Co. The institute said it is a "newly established independent nonprofit organization" not involved in the events described in the California complaint and that it is focused on nonprofit scientific and health research "with a strong commitment to privacy, ethics, transparency, and responsible data stewardship."
What this means for consumers, regulators, and security teams
- Consumers and the public: The complaint emphasizes that stolen records included "sensitive personal information, family histories, and health conditions," and that the data's sale on the dark web occurred "amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence," a context Bonta called "disturbing and incredibly dangerous."
- Regulators and plaintiffs: The case adds a California enforcement action to earlier civil settlements and the UK Information Commissioner's fine, framing both data‑security practices and post‑breach communications as grounds for legal accountability.
- Security teams and technologists: The sequence — credential stuffing on ∼14,000 accounts, five months undetected, and a feature that allowed expansion to nearly 7 million profiles — highlights the interplay of authentication controls, detection timelines, and feature design in amplifying harm from a targeted intrusion.
Bonta's lawsuit places the contested events squarely in state court and frames both technical deficits and public statements as actionable under California law. The filing raises immediate legal stakes for Chrome Holding Co. and keeps scrutiny focused on how genetic‑data services manage both sensitive datasets and the messages they send users after a compromise. The complaint leaves open how a court will weigh those allegations; for now, the state attorney general has made clear he will seek to hold the company accountable.




