California AG Sues Chrome Holding Co. (Formerly 23andMe) For Five Months Of Undetected Credential Stuffing. MyHeritage Passwords They Already Knew Were Compromised. Seven Million Records Stolen.
- Patrick Duggan
- 4 minutes ago
- 7 min read
California Attorney General Rob Bonta filed suit on May 28, 2026 against Chrome Holding Co., the corporate entity formerly known as 23andMe, alleging that the company's 2023 data breach was the result of basic, well-known security failures that the company explicitly knew about and chose not to address. The complaint alleges violations of the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California False Advertising Law, the Unfair Competition Law, and the California Consumer Privacy Act. The lawsuit is separate from the AG's ongoing bankruptcy-court challenge over the sale of Californians' genetic information out of the Chrome Holding Co. bankruptcy estate.
The complaint is a comprehensive read. Some details land harder than others. Read the AG's full press release. Read the AP coverage at the Washington Post. Read DataBreaches.net's writeup. What we are doing in this post is putting the 23andMe breach receipt next to the defender-asymmetry frame we have been writing for two months. The 23andMe breach is what happens when the defender side of the cost curve refuses to spend the pennies it would take to detect a credential-stuffing attack that uses passwords already known to be in adversary hands.
The receipt in seven facts
The California AG's complaint and the company's own post-breach admissions establish the following sequence:
The threat actor had access for five months undetected. From April 2023 through October 2023, an adversary operated inside 23andMe's systems. The company did not begin investigating until the threat actor offered the stolen data for sale on the dark web and contacted 23andMe directly to demand a ransom. The detection happened because the attacker chose to make it happen, not because 23andMe's defender stack noticed.
The attack vector was credential stuffing using known-compromised passwords from the prior MyHeritage breach. 23andMe knew about the MyHeritage breach. 23andMe had partnered with MyHeritage. 23andMe had encouraged its users to create MyHeritage accounts. 23andMe never checked for credential reuse. The attacker logged in with 14,000 user account credentials that were demonstrably circulating in adversary-accessible breach databases.
A coding error in the "DNA Relatives" feature let the attacker reach 7 million customer records from the 14,000 compromised accounts. Once authenticated as a single user, the attacker could query the DNA-Relatives graph and retrieve sensitive identifying information, ancestry reports, and genetic-relationship percentages for that user's matched relatives. The 14,000-to-7-million amplification ratio is the cost of the coding error.
855,541 of the affected customers were Californians. That number is the basis for California's standing to pursue the case under state privacy and consumer-protection law. It is also a small fraction of the 7 million total — the lawsuit's economic reach is much larger than the California-resident slice.
The dark-web sale of one million records specifically targeted Asian American and Pacific Islander and Jewish customers. The seller marketed the data by ethnicity. The sale occurred during a period of documented rising anti-AAPI and antisemitic violence. The genetic-data-tied-to-named-ethnic-group sale pattern is a category of harm that did not exist before consumer genetic-testing companies built the data corpus.
23andMe paid a ransom and did not disclose it publicly at the time. Per the AG's complaint, the ransom negotiation included the attacker providing 23andMe with details of multiple additional security vulnerabilities that the attacker had exploited or could exploit. The ransom-for-vulnerability-disclosure exchange was itself a defender-asymmetry inversion in the wrong direction — the company paid the adversary for the security knowledge that the company's defender stack had failed to produce.
23andMe's public statements after the breach were materially misleading. The AG alleges the company "publicly touted its commitment to data privacy and transparency" while internally negotiating ransom payment and failing to disclose the full scope of the breach. The False Advertising and Unfair Competition Law claims attach to those statements specifically.
What this breach looks like through the defender-asymmetry frame
The 23andMe breach is the cleanest possible illustration of the cost-curve inversion working in the wrong direction. The attacker's cost was negligible — credential-stuffing tooling is free, the MyHeritage credentials were already in dark-web inventory, and the DNA-Relatives query exploitation required no zero-day research. The defender's cost — implementing credential-reuse detection, monitoring for anomalous login geography from a single account, rate-limiting suspicious authentication patterns, auditing the DNA-Relatives endpoint for query-amplification potential — is similarly trivial at the technical level. The cost gap that produced the breach was not technical. It was organizational.
23andMe had the MyHeritage breach information. 23andMe had a defender team. 23andMe had a publicly stated commitment to "industry-leading" data security. The five-month detection gap was a function of nobody at 23andMe choosing to operationalize the credential-reuse-detection capability that the MyHeritage breach made obvious was necessary. Credential stuffing has been a top-three web-attack class on the OWASP list for over a decade. Anti-credential-stuffing controls — rate limits, suspicious-pattern detection, CAPTCHA on retry, password-breach-database integration — are available in every commodity WAF and authentication-platform product on the market. 23andMe's failure was not the absence of available defenses. It was the absence of the operational discipline to deploy them.
The defender-side cost of catching this attack on day one rather than month five was a five-figure annual line item against an auth platform. The cost of not catching it is now, per the AG's complaint, "civil penalties" plus injunctive relief plus the reputational damage of the lawsuit itself plus the bankruptcy-precipitating revenue collapse that triggered the Chrome Holding Co. rebrand. The asymmetry is real, the asymmetry is documented, and the asymmetry could have been inverted at every step.
The CTI-industry preview
For the broader threat-intelligence community, the 23andMe receipt is the same shape as the receipts we have been writing all month under the predictive-kill-chain frame. The MyHeritage credentials were known to the CTI industry. Have I Been Pwned indexed them. Breach-monitoring services flagged them. Credential-reuse detection tooling was available at commodity-SaaS pricing. Any defender posture that consumed a public credential-breach feed and integrated it with the authentication layer would have caught the 23andMe attack pattern at the first login attempt rather than at month five.
The 23andMe defender stack did not consume that feed in any operationally meaningful way. The receipt is the absence. Whatever budget 23andMe allocated to "data security" between 2018 and 2023 did not include the line item for the most common web-tier attack class against an account-based service. That is the cost-curve story under the breach. The technology was available. The integration was a Tuesday afternoon of engineering work. The organizational priority was absent.
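As an added example (not code from the original post or from DugganUSA), here is a Python sketch of the two controls the preceding sections say were missing: a login-time check against a breach-password corpus using the Pwned Passwords k-anonymity range API, simulated offline with a constructed response body, and a per-source detector that flags credential stuffing by the number of distinct accounts tried per window, which matters because stuffed credentials often succeed and so never trip a failed-login lockout. The range contents, IPs, usernames and counts are constructed; `fake_fetch_range` stands in for the real HTTPS call.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the Pwned Passwords k-anonymity range API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# Real responses list "<35-hex suffix>:<count>" lines. Only the suffix for
# "password" is its real SHA-1; the other suffix and both counts are fabricated.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "003D68EB55068C33ACE09247EE4C639306B:3\n",
}

def fake_fetch_range(prefix):
    """Offline replacement for the HTTP call; returns the range body text."""
    return FAKE_RANGES.get(prefix, "")

def breach_count(password, fetch_range=fake_fetch_range):
    """How many times the password appears in the breach corpus (0 = unseen).
    Only the first 5 hex chars of the SHA-1 leave the process (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0

def login_policy(password, fetch_range=fake_fetch_range):
    """Auth-layer decision: a password already in adversary hands is not
    accepted as-is; the account is pushed through a reset instead."""
    return "force_reset" if breach_count(password, fetch_range) > 0 else "allow"

# Constructed auth events: (unix_ts, source_ip, username, succeeded).
# One IP is a normal user retrying; the other sprays leaked creds across accounts.
AUTH_EVENTS = [
    (1000, "203.0.113.7", "alice", False), (1005, "203.0.113.7", "alice", True),
    (1001, "198.51.100.9", "u1", False), (1002, "198.51.100.9", "u2", False),
    (1003, "198.51.100.9", "u3", True),  (1004, "198.51.100.9", "u4", False),
    (1006, "198.51.100.9", "u5", False), (1008, "198.51.100.9", "u6", True),
]

def stuffing_sources(events, window=60, min_accounts=5):
    """Flag source IPs that try >= min_accounts distinct usernames inside one
    fixed window: the shape of credential stuffing, success or not."""
    seen = defaultdict(set)  # (ip, window bucket) -> usernames attempted
    for ts, ip, user, _ok in events:
        seen[(ip, ts // window)].add(user)
    return sorted({ip for (ip, _b), users in seen.items() if len(users) >= min_accounts})
```

In production the fetch would go over HTTPS with a User-Agent header and the stuffing window would be a sliding one over streamed logs; the decision logic is unchanged.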
The genetic-data privacy frame
The 23andMe breach class is qualitatively different from a typical 7-million-record consumer breach because the data class includes genetic information, family-relationship maps, ancestry composition, and health-predisposition reports. The California AG's complaint cites the California Genetic Information Privacy Act specifically — a 2021 statute that establishes heightened legal duties for companies handling consumer genetic data. The AG's framing is correct on the statute. The framing is also correct on the broader principle. Genetic data is non-revocable in a way that a leaked credit-card number is not. The 7 million customers whose ancestry and health-predisposition data was sold on the dark web cannot rotate their genome. The harm is durable in a way that defines the category.
The dark-web sale's explicit targeting of AAPI and Jewish customers makes the harm category sharper. The seller did not just leak data. The seller categorized the leaked data by ethnicity and offered it for sale to buyers who would, in the AG's framing, "weaponize" the targeting during a period of documented increasing anti-AAPI and antisemitic violence. This is what happens at the intersection of genetic-database aggregation and threat-actor monetization. The category of harm is new. The defender practices needed to prevent it are not — they are the same credential-stuffing-and-coding-error defenses that exist in every other web-tier vertical, applied to a data corpus that requires heightened diligence by statute and by ethical principle.
What this means for defenders watching the bankruptcy unfold
Chrome Holding Co., as the post-bankruptcy entity holding the 23andMe data assets, is now in active litigation with the California AG. The lawsuit will play out over the next eighteen-to-thirty-six months. The bankruptcy-court challenge over the sale of Californians' genetic information is separate and ongoing. The likely outcomes range from a settlement that includes data-handling injunctions and civil penalties through to a forced divestiture of the genetic data corpus to a successor entity with mandated security postures.
For defenders running consumer-data infrastructure of any kind — not just genetic — the 23andMe litigation is a precedent worth watching. The legal theory the AG is advancing is that publicly stated security commitments combined with operationally absent security practices constitute false advertising actionable under California law. Other state AGs will read this complaint. The precedent shape is broad. Any company with a security page that promises more than the operational practice delivers is now reading the same complaint and recalculating exposure.
The defender posture that follows is the posture we have been writing for two months. Operationalize what you publish. Integrate the credential-breach feeds that already exist. Audit the authentication layer for the most-common attack class against your account base. Treat genetic data, health data, and biometric data as crown-jewel paths with crown-jewel diligence. The cost of doing the work is below the cost of not doing it. The 23andMe receipt is the proof.
The receipts compound
The threat intelligence in this post — and the underlying IOCs, breach-monitoring receipts, and credential-feed integrations that would have caught the 23andMe credential-stuffing attack on day one — all ship out through DugganUSA's public STIX 2.1 threat-intelligence feed. Free. No credit card. Machine-consumable. Registration takes thirty seconds at [analytics.dugganusa.com/stix/register](https://analytics.dugganusa.com/stix/register).
Yesterday we documented that customers consuming our feed had visibility on the BlueHammer Microsoft Defender CVE for forty days before Microsoft's MSRC blog officially acknowledged the cluster. The asymmetry inversion is real, it is dated, and it compounds for whoever subscribes. Single-digit-to-low-double-digit production CTI integrations are operationalized against the feed every month; the eleven-figure-cash-reserve vendor stack is two orders of magnitude slower at half the breadth.
The cheapest defender posture beats the most expensive defender brand. Subscribe. The receipts compound.
— Patrick Duggan · DugganUSA LLC