California Sues 23andMe Over 2023 Breach That Exposed Genetic Data of 7 Million People

California Attorney General Rob Bonta filed suit Thursday against Chrome Holding Co. — the company formerly known as 23andMe — for a 2023 breach that exposed the DNA, health history, and ancestry data of nearly 7 million Americans. Hackers operated inside the company's systems for FIVE MONTHS undetected. The company then lied to customers about how bad it was.

The Company Collected Your DNA and Left the Door Wide Open

This isn't a story about sophisticated hackers outsmarting a cutting-edge tech company. It's a story about a company that collected some of the most sensitive personal data on earth — your DNA, your health risks, your biological relatives — and couldn't be bothered to do basic security hygiene.

California Attorney General Rob Bonta filed a lawsuit Thursday in San Francisco Superior Court against Chrome Holding Co., formerly known as 23andMe, over a 2023 data breach that compromised the genetic and personal data of nearly 7 million users, including 855,541 Californians, according to the official complaint from the California Department of Justice.

How It Happened: The Laziest Attack in Cybersecurity

The method hackers used is called credential stuffing. It's not some exotic technique — it's automated replay of username and password pairs leaked in other breaches, which works whenever people reuse the same password across sites. Script-kiddie territory.

According to Engadget, the attackers used credentials from a previous breach at MyHeritage — another genealogy site. 23andMe had a partnership with MyHeritage and actively encouraged its own users to sign up for MyHeritage accounts. The company knew about the MyHeritage breach. It never checked whether its users had reused those compromised credentials. It never blocked the obvious attack vector it helped create.

Initial credential stuffing broke into roughly 14,000 accounts. Then the attackers exploited a vulnerability in 23andMe's DNA Relatives feature — a tool designed to connect users with genetic relatives — to pivot and scrape data from millions more. One entry point, millions of victims.

Five Months. Nobody Noticed.

According to CNET, the attackers operated inside 23andMe's systems for over five months without detection. The company only started investigating after the hackers had already begun selling the stolen data on the dark web — and had reached out directly to 23andMe demanding a ransom.

The company didn't catch the breach. The dark web did.

Bonta's office confirmed this timeline in the official press release, stating that 23andMe "failed to properly investigate or respond to numerous warnings that its systems had been compromised."
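The credential-stuffing pattern described above, and the kind of login-log detection that would have flagged it long before a ransom note arrived, as an added example that is not from the original article and not 23andMe's own tooling. The log format, the thresholds (time window, minimum distinct usernames, failure ratio) and all names and addresses are assumptions; the records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login audit records (not real data from any company), one per line:
# "timestamp source_ip username result". A credential-stuffing run looks like one
# source cycling through many different usernames and mostly failing; the few
# successes are accounts whose owners reused a password leaked elsewhere.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-01T10:00:02Z 203.0.113.7 carol@example.com OK
2023-04-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2023-04-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2023-04-01T10:00:05Z 203.0.113.7 frank@example.com OK
2023-04-01T10:00:06Z 203.0.113.7 grace@example.com FAIL
2023-04-01T10:00:07Z 203.0.113.7 heidi@example.com FAIL
2023-04-01T10:00:08Z 203.0.113.7 ivan@example.com FAIL
2023-04-01T10:05:00Z 198.51.100.20 alice@example.com FAIL
2023-04-01T10:05:20Z 198.51.100.20 alice@example.com OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, succeeded) for each log line."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK"

def detect_stuffing(log_text, window_s=300, min_users=8, min_fail_ratio=0.7):
    """Flag source IPs that try at least min_users distinct usernames within
    window_s seconds while failing at least min_fail_ratio of those attempts.
    Returns {ip: sorted usernames that source logged into}, i.e. the accounts
    a responder should lock and force through a password reset."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0  # sliding window over this IP's attempts, oldest first
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if not e[3])
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                findings[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return findings
```

A single user fumbling their own password (the second source above) never trips the rule, because the distinct-username count stays at one.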

The Cover-Up Is As Bad As the Crime

After the breach went public in October 2023, 23andMe didn't come clean. According to Engadget, the company downplayed the sensitivity of the stolen data and described its DNA Relatives feature as "essentially public" — apparently to minimize liability.

Meanwhile, the company was engaged in secret negotiations with the hackers who were ransoming the data back.

The attackers weren't shy about what made this data valuable. They specifically called out that the stolen dataset included information on Asian American and Pacific Islander users and Jewish users with Ashkenazi ancestry. More than 1 million such users had their data posted for sale on the dark web, according to CNET.

Bonta said the breach "took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence." Genetic data tied to ethnicity, sold to anonymous buyers on the dark web, during a spike in hate crimes. The danger is specific and serious.

What This Actually Is

23andMe isn't just some retailer that lost credit card numbers. This company stored raw DNA sequences — biological data that cannot be changed, cannot be reissued, and can be used to identify not just you but your blood relatives who never consented to share their data. Your cousin's DNA is partially your DNA. The people harmed here extend far beyond the 7 million account holders.

The company filed for bankruptcy in 2025, according to CNET; whatever assets remain now sit under the name Chrome Holding Co. Bonta is suing that successor entity — but whether there's money to collect remains unclear.

The fundamental problem: 23andMe built a consumer product around permanently sensitive, deeply personal biological data — and apparently treated cybersecurity as an afterthought. The credential stuffing attack that started this whole disaster is one of the first threats covered in any Security 101 course. This isn't a case of state-sponsored hackers breaking through sophisticated defenses. This is a company that left its front door unlocked.

What This Means for Regular People

If you used 23andMe, your genetic data may already be in someone else's hands. There is no patch for that. You can change your password. You cannot change your DNA.

This lawsuit is about accountability after the fact — but the lesson going forward is clear: any company that collects genetic data should be held to the highest security standards, not the lowest. If you can't protect it, you shouldn't be allowed to collect it.

Bonta is right to sue. The question now is whether there's enough left of this company to make it matter.

Sources

Engadget (center-left): California sues 23andMe over 2023 data breach that affected 7 million users
AP News (left): California sues 23andMe, alleging it failed to protect user data in 2023 breach
CNET (unknown): 23andMe Sued by California Over Massive 2023 Data Breach
California Department of Justice, Office of the Attorney General, oag.ca.gov (unknown): Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach