California AG sues former 23andMe (Chrome Holding Co.) over the 2023 genetic-data breach — bulk-enumeration coding error plus absent credential-stuffing defences
From CTI Daily Brief — 2026-05-31 · published 2026-05-31
California Attorney General Rob Bonta announced a lawsuit against Chrome Holding Co. (formerly 23andMe) on 2026-05-28, filed in San Francisco Superior Court over the October 2023 breach affecting ~6.9 million users worldwide, including 855,541 Californians (California OAG, 2026-05-28; BleepingComputer, 2026-05-29). The complaint describes a two-stage failure: an actor compromised ~14,000 accounts via credential stuffing (reusing credentials from earlier breaches), then abused the DNA Relatives kinship-matching feature — which carried a coding error permitting bulk enumeration of matched records without per-record access checks — to reach data belonging to the remaining ~6.9 million. Alleged data classes include raw DNA, ancestry and genetic health-predisposition data, and family connections. The AG additionally alleges that the company ignored a July 2023 spike in suspicious logins, made misleading public statements, and negotiated and paid a ransom for deletion of the leaked data — an unusual allegation to surface in a state-enforcement complaint (The Register, 2026-05-29).
Defender takeaway: This is the second jurisdiction to act after the UK ICO's 2025 fine over the same breach, and the failure pattern transfers directly to any operator of special-category-data registries (health, genetic, civil-registry): the breach scaled not through a software RCE but through (a) no breach-credential blocking / velocity checks on login, and (b) a social-graph / kinship feature that enumerated records without per-request authorization. Concrete controls: enforce MFA on all accounts holding special-category data; block known-breached credentials (e.g. HIBP range API) and rate-limit repeated login failures; impose bulk-export and per-request authorization checks on relationship/kinship/lookup endpoints so a single account cannot enumerate the population.
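The three controls in the takeaway, worked through as an added example (this is not code from the brief, from 23andMe or from Chrome Holding Co.): a breached-credential check using the k-anonymity range scheme of the HIBP Pwned Passwords API (only the first five hex characters of the SHA-1 leave the server; the suffix is matched locally), a sliding-window limiter on failed logins, and a relatives endpoint that authorizes every returned record against the requester and caps page size. The range-API response body is a constructed sample standing in for the live `/range/{prefix}` call; the user ids, match graph and hit counts are likewise constructed.

```python
"""Added example: three server-side controls for an account-plus-kinship service.
Not the company's code; the HIBP range body, user ids and match graph are constructed."""
import hashlib
from collections import deque
from typing import Callable, Dict, List, Optional, Set

# --- 1. breached-credential blocking (HIBP Pwned Passwords k-anonymity scheme) -------

# Constructed stand-in for https://api.pwnedpasswords.com/range/5BAA6 (format "SUFFIX:COUNT").
# The first suffix is the real SHA-1 tail of the string "password"; the count is made up.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:1\n",
}

def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the HTTP GET; a real client fetches /range/<prefix>."""
    return SAMPLE_RANGES.get(prefix.upper(), "")

def sha1_prefix_suffix(password: str):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]          # only the 5-char prefix is ever sent

def parse_range_response(body: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def password_is_breached(password: str, fetch_range: Callable[[str], str]) -> bool:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0) > 0

# --- 2. login-failure velocity limiting ---------------------------------------------

class FailureLimiter:
    """Sliding-window count of failed logins per key (account id, or source IP)."""
    def __init__(self, max_failures: int, window_seconds: float):
        self.max_failures = max_failures
        self.window = window_seconds
        self._events: Dict[str, deque] = {}

    def _prune(self, q: deque, now: float) -> None:
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, key: str, now: float) -> None:
        q = self._events.setdefault(key, deque())
        q.append(now)
        self._prune(q, now)

    def is_blocked(self, key: str, now: float) -> bool:
        q = self._events.get(key)
        if not q:
            return False
        self._prune(q, now)
        return len(q) >= self.max_failures

# --- 3. per-request authorization + bulk cap on the kinship endpoint ------------------

class RelativesService:
    """Relatives lookup: every record returned is checked against the requester."""
    PAGE_CAP = 25   # hard server-side cap regardless of the page_size the client asks for

    def __init__(self, opted_in: Set[str], matches: Dict[str, Set[str]]):
        self.opted_in = opted_in   # users who enabled relative matching
        self.matches = matches     # user id -> ids the matching pipeline paired them with

    def authorize_view(self, requester: str, target: str) -> bool:
        """The per-record check: both parties opted in AND a match exists between them."""
        if requester not in self.opted_in or target not in self.opted_in:
            return False
        return target in self.matches.get(requester, set())

    def list_relatives(self, requester: str, page_size: int) -> List[str]:
        if requester not in self.opted_in:
            return []
        visible = [r for r in sorted(self.matches.get(requester, set()))
                   if self.authorize_view(requester, r)]
        return visible[: min(page_size, self.PAGE_CAP)]

    def get_relative(self, requester: str, target: str) -> Optional[dict]:
        # Denies by target id alone; no record is fetched before the relationship check.
        if not self.authorize_view(requester, target):
            return None
        return {"id": target}

if __name__ == "__main__":
    print("'password' breached:", password_is_breached("password", fake_fetch_range))
    lim = FailureLimiter(max_failures=5, window_seconds=60)
    for i in range(5):
        lim.record_failure("acct:1", 100.0 + i)
    print("acct:1 blocked:", lim.is_blocked("acct:1", 104.0))
    svc = RelativesService({"u1", "u2", "u3"}, {"u1": {"u2", "u3", "u4"}, "u2": {"u1"}})
    print("u1 sees:", svc.list_relatives("u1", 100), "| u1->u4:", svc.get_relative("u1", "u4"))
```

The limiter should be keyed on both the account and the source (two instances, or a composite key) so that a distributed credential-stuffing run against many accounts still trips a per-source threshold; the kinship service denies on the relationship check rather than on whether the target id exists, which is the gap the complaint describes.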