Rob Bonta accused the company, now called Chrome Holding Co., of failing to protect users' sensitive information.
bluestork/Shutterstock
Chrome Holding Co., the company formerly known as 23andMe, is facing a lawsuit filed by California Attorney General Rob Bonta over a massive data breach in 2023 that compromised millions of people's sensitive data. Bonta accuses the company of misleading customers and failing to protect their "sensitive personal information and genetic information related to their health, genetic predispositions and risk factors, biological relatives, ancestry and ethnicity." The incident affected 7 million users across the US, the lawsuit said, 855,541 of whom were California residents.
23andMe, which offered customers DNA testing kits so they could find out their ancestral origins and genetic health risks, admitted back in 2023 that bad actors had been able to access users' accounts through credential stuffing, in which attackers replay username and password pairs leaked from other sites against the login form. Bonta argued that companies, particularly one that collects genetic data, should know to guard against such a common method of cyberattack.
In 23andMe's case, the hacker apparently used credentials stolen in earlier data breaches, including from an attack on MyHeritage, another genealogy website that 23andMe worked with. Bonta says that even though 23andMe was aware of the MyHeritage breach, it never checked whether its users were reusing those credentials, nor prevented them from doing so. That is particularly noteworthy because 23andMe allegedly encouraged its users to sign up for a MyHeritage account as well.
It wasn't just credential stuffing that allowed the bad actors to steal the private data of millions of people. After using that technique to break into about 14,000 accounts, they then exploited a vulnerability in the website's DNA Relatives feature to access data on many more customers. DNA Relatives shows opted-in users profile information about other users they share DNA with, so each compromised account exposed data about many people who had never been directly breached. Bonta said the company's security measures were so lax that the hackers were able to operate undetected within its systems for five months. He added that the company only started investigating after the bad actors had already begun selling stolen user data on the dark web and demanding a ransom.
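The two controls Bonta says were missing, rejecting credentials already known to be leaked and noticing a single source working its way through many accounts, are simple to build. The following is an added illustration, not code from 23andMe or MyHeritage: the breach corpus, IP addresses, usernames and timestamps are constructed for the example, and the SHA-1 prefix index imitates the k-anonymity "range" layout used by public breached-password lookup services so that only a five-character hash prefix is ever sent to the lookup side.

```python
import hashlib
from collections import defaultdict, deque

# Constructed stand-in for a breach corpus (for example, credentials leaked in a
# partner's breach). Hypothetical data, not taken from any real dump.
CONSTRUCTED_BREACH_CORPUS = ["password123", "Summer2023!", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest used by range-style breached-password lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Map a 5-hex-char SHA-1 prefix to the set of 35-char suffixes under it.

    A client only reveals the prefix; it receives every suffix in that bucket and
    finishes the comparison locally, so the full hash never leaves the client.
    """
    index = defaultdict(set)
    for pw in corpus:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def is_breached(password: str, index) -> bool:
    """True if the password appears in the indexed breach corpus."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


class StuffingMonitor:
    """Flag a source that tries many *distinct* usernames inside a sliding window.

    Credential stuffing sprays one leaked list across many accounts, so the
    tell is breadth of usernames per source, not repeated failures on one account.
    """

    def __init__(self, window_seconds=300, distinct_users=10):
        self.window = window_seconds
        self.threshold = distinct_users
        self.events = defaultdict(deque)  # src_ip -> deque of (timestamp, username)

    def record(self, ts: float, src_ip: str, username: str) -> bool:
        """Record one login attempt; return True once the source crosses the threshold."""
        q = self.events[src_ip]
        q.append((ts, username))
        while q and ts - q[0][0] > self.window:  # drop attempts outside the window
            q.popleft()
        return self.distinct_users(src_ip) >= self.threshold

    def distinct_users(self, src_ip: str) -> int:
        return len({user for _, user in self.events[src_ip]})


def demo():
    """Run both checks over constructed inputs and return the outcomes."""
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    results = {
        "reused": is_breached("password123", index),                 # leaked password
        "fresh": is_breached("correct horse battery staple", index),  # not in corpus
    }

    monitor = StuffingMonitor(window_seconds=300, distinct_users=10)
    flagged = set()
    # Constructed attempts: 198.51.100.7 cycles through 12 usernames in one minute
    # (stuffing); 203.0.113.5 retries a single account a few times (a forgetful user).
    for i in range(12):
        if monitor.record(1000 + 5 * i, "198.51.100.7", f"user{i}@example.org"):
            flagged.add("198.51.100.7")
    for i in range(4):
        if monitor.record(1000 + 10 * i, "203.0.113.5", "alice@example.org"):
            flagged.add("203.0.113.5")
    results["flagged"] = flagged
    return results


if __name__ == "__main__":
    print(demo())
```

The password check belongs at registration and password change (reject or force a reset), and the monitor belongs in front of the login handler, where a flagged source can be rate-limited or challenged before it reaches the data behind the accounts. Neither check stops an attacker who already holds valid, unique credentials; that is what a second factor is for.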
Bonta accused 23andMe of omitting critical information when it informed customers about the breach. He said the company downplayed the sensitivity of the stolen data and claimed that the DNA Relatives feature was "essentially public," all while it was secretly negotiating with the bad actors, who were highlighting the inclusion of information about Asian American and Pacific Islander users, as well as Jewish users, in the dataset they were selling.
"The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that data," Bonta wrote. "This is disturbing and incredibly dangerous."
23andMe filed for bankruptcy in March 2025. As AP notes, it also faced a class-action lawsuit that accused the company of failing to protect its customers, and a judge overseeing its bankruptcy had approved a $50 million settlement earlier this year.