California AG sues former 23andMe (Chrome Holding Co.) over the 2023 genetic-data breach — bulk-enumeration coding error plus absent credential-stuffing defences
From CTI Daily Brief — 2026-05-31 · published 2026-05-31
California Attorney General Rob Bonta announced a lawsuit against Chrome Holding Co. (formerly 23andMe) on 2026-05-28, filed in San Francisco Superior Court over the October 2023 breach affecting ~6.9 million users worldwide, including 855,541 Californians (California OAG, 2026-05-28; BleepingComputer, 2026-05-29). The complaint describes a two-stage failure: an actor compromised ~14,000 accounts via credential stuffing (reusing credentials exposed in earlier, unrelated breaches), then abused the DNA Relatives kinship-matching feature — which carried a coding error permitting bulk enumeration of matched records without per-record access checks — to reach data belonging to the remaining ~6.9 million. Alleged data classes include raw DNA, ancestry and genetic health-predisposition data, and family connections. The AG additionally alleges that the company ignored a July 2023 spike in suspicious logins, made misleading public statements, and negotiated and paid a ransom for deletion of the leaked data — an unusual allegation to surface in a state-enforcement complaint (The Register, 2026-05-29).
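The two defects the complaint describes, an authenticated endpoint that served match records without checking that the caller was party to each record, and an unnoticed jump in failed logins across many accounts, are both easy to show in a toy model. The following is an added illustration written for this brief; it is not code from 23andMe, Chrome Holding Co. or the complaint, and the `Match` structure, the opt-in rule, the `MAX_BATCH` cap, the sample accounts and login events, and the distinct-account spike heuristic are all constructed assumptions.

```python
# Added example (not code from the brief, 23andMe or Chrome Holding Co.): a toy
# kinship-matching lookup showing the class of defect the complaint describes
# (bulk retrieval of match records with no per-record access check) beside a
# hardened version, plus a failed-login spike detector of the kind that would
# surface a credential-stuffing run. All names and data are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Match:
    record_id: int
    user_a: str        # account owning one side of the match
    user_b: str        # account on the other side
    shared_cm: float   # constructed kinship score


# Constructed sample data: three accounts, one of them not opted in to matching.
OPTED_IN = {"alice", "bob"}
MATCHES = {
    101: Match(101, "alice", "bob", 1400.0),
    102: Match(102, "bob", "carol", 210.5),
    103: Match(103, "carol", "alice", 98.0),
}
MAX_BATCH = 50  # hypothetical per-request cap on record ids


class AuthorizationError(Exception):
    pass


def fetch_matches_unchecked(requester, record_ids):
    """Vulnerable pattern: the caller is authenticated, but nothing ties the
    requested ids back to the caller, so one compromised account can walk
    every id in the table. The requester argument is never consulted."""
    return [MATCHES[r] for r in record_ids if r in MATCHES]


def fetch_matches_checked(requester, record_ids):
    """Hardened pattern: bound the batch, then authorise every record against
    the requester. Missing and foreign ids get the same denial, so the
    response does not confirm which ids exist, and any denial fails the
    whole batch instead of partially serving it."""
    if len(record_ids) > MAX_BATCH:
        raise ValueError("batch too large")
    out = []
    for rid in record_ids:
        m = MATCHES.get(rid)
        if m is None or requester not in (m.user_a, m.user_b):
            raise AuthorizationError(f"record {rid} not accessible")
        # Both parties must still be opted in; otherwise omit silently.
        if m.user_a in OPTED_IN and m.user_b in OPTED_IN:
            out.append(m)
    return out


def is_denied(requester, record_ids):
    """True when the hardened lookup refuses the whole batch."""
    try:
        fetch_matches_checked(requester, record_ids)
    except AuthorizationError:
        return True
    return False


EPOCH = datetime(1970, 1, 1)


def failed_login_spike(events, baseline, factor=5.0, window=timedelta(hours=1)):
    """Return window start times whose number of distinct accounts with a
    failed login exceeds factor * baseline. events: (timestamp, account, ok).
    Credential stuffing touches many accounts with few attempts each, so
    distinct failing accounts is a better signal than raw failure volume."""
    per_window = {}
    for ts, account, ok in events:
        if ok:
            continue
        start = EPOCH + ((ts - EPOCH) // window) * window
        per_window.setdefault(start, set()).add(account)
    return sorted(s for s, accts in per_window.items() if len(accts) > factor * baseline)


# Constructed login log: an hour of ordinary traffic from three accounts, then
# a burst two hours later of single failures against forty distinct accounts.
T0 = datetime(2023, 7, 10, 9, 0)
LOGIN_EVENTS = (
    [(T0 + timedelta(minutes=i), f"user{i % 3}", i % 4 == 0) for i in range(12)]
    + [(T0 + timedelta(hours=2, seconds=i), f"victim{i}", False) for i in range(40)]
)

if __name__ == "__main__":
    print("unchecked, alice asks for every id:", len(fetch_matches_unchecked("alice", [101, 102, 103])))
    print("checked, alice asks for her own ids:", [m.record_id for m in fetch_matches_checked("alice", [101, 103])])
    print("checked, alice asks for bob/carol's record denied:", is_denied("alice", [102]))
    print("spike windows:", failed_login_spike(LOGIN_EVENTS, baseline=2))
```

In the hardened lookup the check is per record, not per request: knowing a valid id is not enough, the caller must be one party to that record. The spike detector assumes a baseline of distinct failing accounts per window that the operator measures from normal traffic; the constructed burst exceeds five times a baseline of two and is flagged, while the ordinary hour is not.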