California has sued 23andMe, alleging that lax data security failed to protect sensitive user data in a 2023 breach affecting nearly 7 million users. Attorney General Rob Bonta's lawsuit targets Chrome Holding Co., the entity under which 23andMe rebranded after bankruptcy.

The state says the breach was carried out through "credential stuffing," in which an attacker replays username and password pairs exposed in other companies' breaches against a new site, succeeding wherever users reused passwords. The complaint alleges that 23andMe did not adopt common safeguards against this attack, such as forced password resets or multifactor authentication, even after learning of prior breaches elsewhere in the industry. Bonta's complaint seeks civil penalties and an injunction barring further violations of California privacy protection laws.

The filing describes prolonged exposure: prosecutors say the threat actor operated undetected for more than five months, and that 23andMe began investigating only after the stolen data appeared for sale on the dark web and the threat actor contacted the company seeking a ransom.

For universities and research partners, the case reinforces the compliance and governance stakes for any institution handling regulated or highly sensitive personal data, including genomic and health-adjacent information.