Cybersecurity May 31, 2026 · 3 min read

California Sues 23andMe for Losing 6.9 Million People’s DNA — The Company Changed Its Name to ‘Chrome Holding Co.’ Which Is Exactly What an Innocent Company Would Do

🤚 The Open-Palm Subpoena

California Attorney General Rob Bonta has filed suit against 23andMe — or rather, against the corporate husk now operating under the magnificently dystopian name “Chrome Holding Co.” — over the 2023 data breach that exposed the genetic information of approximately 6.9 million customers, including 855,541 California residents.

The breach, which occurred via a credential-stuffing attack, compromised:

  • Genetic data and health predisposition information
  • Ancestry and ethnicity details
  • Biological relatives information
  • DNA matches — meaning the attackers didn’t just steal your data, they stole your family tree

The lawsuit cites violations of the California Genetic Information Privacy Act, the California Consumer Privacy Act (CCPA), the Reasonable Data Security Law, the False Advertising Law, and the Unfair Competition Law. That’s five separate statutes, which is the legal equivalent of being told you failed every subject and also set the school on fire.

👐 The Two-Handed Corporate Autopsy

The AG’s complaint paints a portrait of institutional negligence so thorough it almost looks intentional. According to the filing, 23andMe:

  • Failed to implement basic safeguards against credential-stuffing attacks — the cybersecurity equivalent of leaving your front door open and blaming the neighborhood
  • Missed multiple opportunities to detect the intrusion while it was happening
  • Failed to catch a coding error in the DNA Relatives feature that enabled broader data access
  • Made misleading statements before and after the breach — first claiming strong security standards, then blaming customers for reusing passwords

That last point deserves a moment of silence. A company that stores your literal DNA responded to a breach by suggesting that you should have been more careful with your login credentials. Your genetic code was exposed because their authentication was weaker than a hotel Wi-Fi password, and their official position was: have you tried not being hackable?

The statutory penalties sought range from $1,000 to $7,500 per violation. With 855,541 affected California residents, the math gets interesting — and by “interesting,” we mean somewhere between “$855 million” and “$6.4 billion,” which is coincidentally more than the company was ever worth.

🌿 The Gentle Awakening

The transformation of 23andMe into “Chrome Holding Co.” is a narrative arc that no satirist could improve upon. A company that once promised to democratize genetic knowledge — that ran Super Bowl ads about discovering your heritage, that made spit kits a holiday gift — is now a bankrupt shell corporation being sued by the state of California for losing control of the most intimate data a human being can produce.

The name change is the cherry on top. “Chrome Holding Co.” sounds like the kind of entity that appears on page 47 of a RICO indictment. It communicates nothing except the desire to communicate nothing. The company that knew your DNA now doesn’t even want you to know its name.

And somewhere in a bankruptcy proceeding, a judge is deliberating the “proposed sale of Californians’ genetic data and biological materials” — a sentence that sounds like it was written by a dystopian novelist who was told to tone it down.

👑 The Gold-Leaf Reckoning

This lawsuit matters beyond 23andMe because it establishes a principle that the tech industry has been hoping to avoid: genetic data is not just another data category. You can change your password. You can get a new credit card number. You can move to a new address. You cannot change your DNA. A breach of genetic information is, in the most literal sense possible, permanent.

The California AG’s decision to pursue five separate statutory violations signals that regulators are done treating genetic data companies like quirky startups that happen to store sensitive information. They are being treated like what they are: custodians of irreplaceable biological records who failed at the one job that justified their existence.

23andMe spent a decade convincing millions of people to mail their saliva to a startup. The startup went bankrupt. The data is now an asset in a bankruptcy proceeding. And the company’s final act was to rebrand as something that sounds like a villain’s holding company in a Bond film.

The spit kit was $99. The lesson was priceless.

“They stored your DNA, lost your DNA, blamed you for the loss of your DNA, went bankrupt, changed their name, and are now selling your DNA to the highest bidder in bankruptcy court. Other than that, the customer experience was excellent.” — The Slap of Wisdom Genomics Desk, currently shredding its own ancestry kit and considering a legal name change to ‘Chrome Holding Co. 2’