California sued 23andMe over alleged lax data security after a 2023 breach exposed sensitive information for nearly 7 million users. The complaint filed by Attorney General Rob Bonta targets Chrome Holding Co., the company’s entity following its bankruptcy filing last March. Prosecutors allege the breach resulted from credential-stuffing—using stolen login credentials—after 23andMe failed to implement protections such as password resets or multi-factor authentication following a known 2017 MyHeritage breach affecting account credentials. California seeks civil penalties and injunctions restricting future violations of state privacy laws. The case escalates scrutiny around data governance for direct-to-consumer health-related platforms, with implications for how universities and researchers assess compliance requirements when working with sensitive, personal datasets.