23andMe will pay $18M to settle claims over massive data breach
The firm first blamed clients for how their accounts were set up.

Image by Shutterstock.
- 23andMe agreed to pay $18 million to settle claims over a 2023 data breach affecting 6.9 million users.
- A coalition of 43 attorneys general said 23andMe failed to protect users from stolen-password attacks and known security risks.
- The stolen data included names, birth dates, locations, ancestry details, health reports, profile images, race, and ethnicity.
- The settlement requires stronger cybersecurity checks, oversight by a security advisory board, and continued consumer data deletion rights.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Genetic testing company 23andMe and a coalition of 43 Attorneys General have agreed to settle a lawsuit over data security failures, leading to a massive data breach in October 2023.
Back in 2023, a hacker carried out a credential stuffing attack, gaining access to 23andMe’s IT systems.
The attacker stole the personal information of more than 6.9 million users, including full names, dates of birth, location data, relationship status, pedigree data, ancestry data, profile images, race, ethnicity, and health reports.
The company didn’t learn about the data breach until months later, when some of the exfiltrated data appeared on the dark web.
Initially, the company denied the breach, but later blamed clients for how their accounts were set up.
Following the incident, Attorney General Letitia James and a coalition of 42 state Attorneys General launched an investigation and determined that 23andMe failed to take critical security measures, such as implementing safeguards against attacks with stolen credentials, fixing known vulnerabilities, and properly reviewing and testing design features.
In March 2025, 23andMe filed for bankruptcy. Attorney General James and the coalition of Attorneys General sued the company to protect the personal genetic information of millions of Americans during its bankruptcy.
Due to the bankruptcy, all of 23andMe’s customer data was sold to TTAM Research, a non-profit formed by 23andMe’s founder and former CEO, Anne Wojcicki. TTAM Research now operates as the 23andMe Research Institute.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
According to court documents, 23andMe has promised to pay $18 million to settle allegations over its security practices leading up to the massive data breach.
In addition, the genetic testing company has to implement a comprehensive information security program and conduct regular cybersecurity risk assessments. An Advisory Board on data security has to be installed to oversee its processes.
Lastly, 23andMe has to continue offering consumers the right to delete their information at any time.
“Companies have a duty to protect their customers’ personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures,” Attorney General James said in a statement.
“New Yorkers trusted 23andMe with their sensitive and personal genetic data, only to find that data stolen and put up for sale on the dark corners of the internet. As a result of our coalition’s action, 23andMe will pay for violating the law, and strict rules will be put in place to protect their customers,” she continued.