California Attorney General Rob Bonta sued Chrome Holding Co., the company formerly known as 23andMe, on May 28, 2026, for failing to protect the genetic and personal data of nearly 7 million people in a 2023 breach.[1] The complaint, filed in San Francisco Superior Court, alleges that 23andMe paid a secret ransom to the hackers, misled the public about the severity of the incident, and ignored known security vulnerabilities for months.[2]
If you ever had a 23andMe account, the exposed data likely included your DNA, health predispositions, family histories, and ethnicity. The company declared bankruptcy in March 2025 and now operates under a new name. A class action settlement worth up to $50 million received final court approval in January 2026.
Most deadlines to file claims have already passed, but if you submitted a claim and received a deficiency notice, you have until June 12 to resolve it.
Here's why DNA data exposure is a fundamentally different kind of breach, and what to do if your data was part of this one.
How 23andMe lost nearly 7 million people's genetic data
The 23andMe data breach began in 2023 when a threat actor used a technique called credential stuffing to break into around 14,000 accounts. Credential stuffing works by taking usernames and passwords stolen from one platform and trying them on others, relying on the fact that many people reuse the same login across platforms. In fact, All About Cookies found that 59% of people reuse compromised passwords.
23andMe made that strategy easy to execute. The company had actively encouraged its users to create accounts on MyHeritage, a genealogy partner site that had suffered its own well-publicized breach. Despite knowing about that breach, 23andMe never checked for credential overlap or blocked reused passwords, according to California AG Rob Bonta's complaint.
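A check of the kind the complaint describes as missing, screening a password against known breach corpora at login, can be sketched as follows. This is an added example, not code from 23andMe or the original article; the sample corpus, the function names, and the `force_reset` policy are assumptions for illustration, and `range_query` is a local stand-in for a breached-password lookup service.

```python
import hashlib
import hmac
from collections import defaultdict

PREFIX_LEN = 5  # hex chars of the digest that would leave the application


def sha1_hex(password: str) -> str:
    # SHA-1 is only a lookup key here; stored passwords still need a slow salted hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords):
    """Index a breach corpus as digest prefix -> {digest suffix: times seen}."""
    index = defaultdict(dict)
    for pw, count in breached_passwords.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix):
    """Stand-in for the remote call: the service sees the prefix, never the password."""
    return index.get(prefix, {})


def breach_count(index, candidate: str) -> int:
    """Return how often the candidate appears in the corpus (0 if never)."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for known_suffix, count in range_query(index, prefix).items():
        if hmac.compare_digest(known_suffix, suffix):
            return count
    return 0


def screen_login(index, password: str) -> str:
    """Policy hook meant to run after the password has verified correctly."""
    if breach_count(index, password) > 0:
        return "force_reset"  # correct but known-compromised: require a new password
    return "allow"


# Constructed sample corpus (password -> times seen in breach dumps).
SAMPLE_CORPUS = {"Summer2018!": 412, "genealogy123": 57, "password1": 98000}
INDEX = build_range_index(SAMPLE_CORPUS)
```
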
Breaking into 14,000 accounts was only the start. A coding error in 23andMe's DNA Relatives feature, which let customers connect with genetic matches, allowed the attacker to send doctored queries to the company's database and pull data from millions more accounts. That's how a breach of 14,000 turned into nearly 7 million.
The attacker operated inside 23andMe's systems for five months without detection. 23andMe only began investigating after the stolen data surfaced on a dark web forum in October 2023, when the threat actor simultaneously demanded a ransom. According to Bonta's complaint, the company paid the ransom and never disclosed it. While negotiating in private, it continued telling customers there had been no breach of its internal systems.
The stolen data the attacker listed for sale specifically called out profiles belonging to Asian American and Pacific Islander and Jewish users. This happened during a documented period of rising anti-AAPI and antisemitic hate and violence. "23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach," Bonta said.
The lawsuit alleges violations of California's Genetic Information Privacy Act, the California Consumer Privacy Act, and three additional state consumer protection laws. 23andMe filed for Chapter 11 bankruptcy in March 2025. Its assets now sit with a newly formed nonprofit called the 23andMe Research Institute, which says it has no involvement in the current lawsuit. A separate AG challenge is also pending in the U.S. Bankruptcy Court over the sale of Californians' genetic data in the bankruptcy proceedings.
Why a DNA breach hits differently
Most people treat data breach news as background noise. An All About Cookies survey found that 50% of Americans feel desensitized to the idea of their data being included in a breach, and fewer than half — just 46% — actually check whether their information was affected when they hear about one. The reason this breach warrants closer attention is what was stolen: your DNA.
When a hacker steals your credit card number, you cancel the card. When someone gets your Social Security number, recovery is painful but possible. When someone steals your DNA, there is no way to reverse that process. Your genome doesn't expire or reset.
The 23andMe breach exposed far more than login credentials. The data included genetic health predispositions, ancestry composition, ethnic breakdowns, and family relationship data — including connections to biological relatives who never signed up for 23andMe or consented to having their family ties cataloged.
More than most people realize. The 23andMe breach exposed data that poses long-term risks well beyond those of a typical credential leak.
- Targeted fraud and phishing using your health predispositions, ancestry, or ethnic background can make scam attempts unusually convincing because they reference information that victims assume only their doctor knows.
- Medical identity theft occurs when someone uses your information to submit false claims, apply for benefits, access prescriptions, and more.
- Discrimination is another risk. Genetic health predispositions could be misused for insurance or employment targeting.
Unlike a password, a credit card, or even a Social Security number, your genome can't be canceled, flagged, or reissued. The exposure is permanent.
California recognized this specific risk when it passed the Genetic Information Privacy Act, one of the laws at the center of the AG's lawsuit. The law exists because genetic data warrants a higher standard of protection than other personal information. The AG's complaint argues that 23andMe's actual security practices fell far below that standard.
The bankruptcy context makes this harder to dismiss. Whatever privacy promises 23andMe made when you signed up, those promises belonged to a company that no longer exists in its original form. What the 23andMe Research Institute does with the data it inherited remains legally uncertain — a point the FTC Chairman raised directly in a letter to the U.S. Trustee during the bankruptcy proceedings in March 2025.
What to do if you’ve had a 23andMe account
- Delete your 23andMe account and data. The platform still allows permanent deletion of your data and destruction of your stored DNA sample. Our guide on how to delete your 23andMe data walks through the full process in order, including how to revoke research consent and destroy your sample before closing the account.
No one knows what will happen to your data under the new 23andMe ownership. Download and delete your data before it's too late.
- Sign up for identity theft protection. The data exposed in this breach can support targeted phishing, financial fraud, and, in some cases, insurance or employment discrimination. Identity theft protection services monitor for unauthorized use of your personal information and alert you when something flags.
- Consider a data removal service. Data stolen in large breaches often circulates among data brokers, who buy and resell personal information in bulk. A data removal service sends systematic removal requests to those databases on your behalf, limiting how widely your information spreads after a breach.
- Watch for 23andMe-specific phishing. Scammers take advantage of high-profile breach stories by sending fake settlement notices or urgent "account security" emails using the 23andMe name. Do not click links in unsolicited emails about the breach or settlement. Go directly to 23andmedatasettlement.com to check your status.
- Reset any reused passwords. If you used the same email and password on 23andMe as on other accounts, update those credentials now and use a unique password for each account going forward.
Bottom line
California's attorney general sued Chrome Holding Co., formerly 23andMe, over a 2023 breach that exposed the genetic data of nearly 7 million people. The company allegedly paid a secret ransom and misled consumers, then went bankrupt. If you have a 23andMe account, delete your data now, set up identity theft monitoring, and check whether you have a settlement deficiency notice that needs to be resolved by June 12.
[1] Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach
[2] California AG Files Lawsuit Over 23andMe Data Breach