California Attorney General Rob Bonta has initiated legal action against Chrome Holding Co., previously known as 23andMe, regarding a significant data breach that impacted 7 million individuals in 2023. The lawsuit alleges that the company failed to adequately protect sensitive information, including genetic data and health-related details, and accuses it of misleading its customers.
Bonta highlights that over 855,541 of the affected users reside in California. The breach reportedly allowed unauthorized access to user accounts through a method known as credential stuffing, with hackers utilizing stolen credentials from past incidents, including a breach at MyHeritage. Despite being aware of this vulnerability, the company allegedly did not take appropriate steps to safeguard its users.
Moreover, the lawsuit claims that the attackers exploited a flaw in the DNA Relatives feature, allowing them to breach an additional 14,000 accounts. Bonta criticized the company's security practices, stating that the hackers went undetected for five months, during which they began selling stolen data on the dark web and demanding ransom. The suit also asserts that 23andMe downplayed the seriousness of the breach when communicating with its customers.