Subscribe To Our Newsletter

This field is for validation purposes and should be left unchanged.

23andMe Agrees to Settlement Over Massive Genetic Data Breach

If you used the direct-to-consumer genetic testing service 23andMe, your highly sensitive ancestry records and personal details may have been exposed to cybercriminals. A bipartisan coalition of 42 state attorneys general has finalized an $18 million settlement with the bankruptcy trustee for 23andMe.

large-field-of-ripe-wheat-under-the-open-sky-on-a-2025-02-12-05-09-11-utc 1

The agreement resolves comprehensive state investigations into a massive 2023 data breach that compromised the private genetic data of 6.9 million customers worldwide, leaving subsets of their sensitive personal information floating on the dark web.

Why 42 State Attorneys General Took Legal Action Against 23andMe

The national legal action stems from a major security incident first disclosed in October 2023. Bipartisan state regulators launched an immediate investigation to hold the company accountable. They uncovered a series of critical security failures that left millions of genetic profiles open to automated hacker attacks.

According to state investigators, cybercriminals targeted the platform using “credential stuffing.” In these attacks, hackers run automated programs to plug in lists of usernames and passwords stolen from previous data breaches on unrelated websites. Because many everyday people reuse their passwords across multiple online accounts, the attackers easily broke into a substantial number of 23andMe user profiles.

The consequences of this security failure were amplified by a core design feature of the platform. Because 23andMe allowed customers to link their accounts to find relatives through its optional DNA Relatives feature, hackers who breached a single profile instantly gained access to the private ancestral networks of millions of other linked family members.

Wisconsin to Receive $275,000 in 23andMe Data Breach Settlement

Wisconsin will receive more than $275,000 through a multistate settlement with genetic-testing company 23andMe following its 2023 data breach.

The breach exposed personal information—and, for some users, genetic ancestry data—belonging to 6.9 million customers worldwide, including more than 78,000 Wisconsin residents. Some stolen information was later offered for sale on the dark web.

Affected customers will not receive payments from Wisconsin’s settlement funds. Individual compensation is being handled separately through a national class-action settlement.

Iowa to Receive $429,767 in 23andMe Data Breach Settlement

Iowa will receive $429,767 from an $18 million multistate settlement resolving allegations that genetic-testing company 23andMe failed to adequately protect customers’ information during its 2023 data breach.

Pennsylvania to Receive Nearly $492,000 in 23andMe Data Breach Settlement

Pennsylvania will receive $491,902 from an $18 million multistate settlement involving 23andMe. The settlement resolves allegations that the genetic-testing company failed to adequately protect customers during a 2023 data breach that exposed personal and genetic information belonging to 6.9 million people worldwide, including 192,093 Pennsylvania residents.

Security Practices Called Out as Egregious by State Investigators

The state investigators discovered that 23andMe utilized highly deficient data security practices that failed to meet basic industry standards. In public statements, state officials characterized the company’s security oversights as particularly egregious because corporate leaders had been warned of these exact vulnerabilities.

The investigation revealed that 23andMe maintained a direct business partnership with the genealogy website MyHeritage, which had suffered its own severe data breach years prior. Despite knowing that thousands of user credentials shared between the two websites were actively circulating among criminal networks, 23andMe failed to implement proper safeguards.

State authorities documented numerous critical failures, noting that 23andMe failed to employ safeguards against credential stuffing, failed to compare user passwords against known blocklists of leaked credentials, and failed to require multifactor authentication (MFA). Furthermore, investigators found the company did not implement basic rate limiting to block automated brute-force attempts and lacked proper security logging and monitoring tools to detect the ongoing breach.

Company Initially Blamed Customers for Stolen Genetic Profiles

State regulators expressed deep concern not only over the cyberattack itself, but also over how 23andMe handled the immediate aftermath of the security gap. According to investigators, 23andMe did not discover that its customer files had been accessed until months after the stolen personal details had already been posted for sale on the dark web.

When the breach was first uncovered, 23andMe initially denied that any data security incident had occurred. Once the company was forced to confirm the security failure, it initially declined to accept responsibility. Instead, 23andMe pointed fingers at its own customers, legally arguing that the breach was the direct fault of users who reused their passwords and failed to properly secure their individual accounts.

“Marylanders trusted 23andMe to protect their personal data, including highly sensitive genetic data and ancestry information. 23andMe failed to safeguard it and then blamed its customers,” Maryland Attorney General Anthony G. Brown said in a statement. “Through this settlement, we were able to ensure that Marylanders’ genetic information is properly protected going forward.”

How the $18 Million Bankruptcy Settlement Is Distributed Across States

In March 2025, facing severe financial distress, mounting litigation, and falling revenues, 23andMe filed for Chapter 11 bankruptcy protection. Because companies in bankruptcy have limited remaining capital to pay off their liabilities, the coalition of 42 state attorneys general had to aggressively file claims in the bankruptcy court to ensure states could penalize the company.

While the state coalition successfully negotiated $150 million in allowed claims within the bankruptcy case, the finite amount of cash left in 23andMe’s bankruptcy estate meant that the immediate cash recovery had to be capped at $18 million. This sum will be distributed to the participating states immediately to resolve the regulatory investigations.

The $18 million is being divided among the 42 states based on the proportion of affected residents in each jurisdiction. For example, Pennsylvania will receive $491,902 to account for nearly 200,000 affected residents, Georgia is set to receive $452,232, and Colorado will receive $394,324. While these funds do not go directly to consumers, they are legally designated to cover state investigation costs, consumer protection enforcement, and future data privacy initiatives.

Consumers Previously Had to Meet a Separate February 17 Deadline

If you are a consumer seeking direct cash compensation for out-of-pocket losses or identity theft protection, you should know that this regulatory settlement is separate from the consumer class action lawsuit. During the bankruptcy proceedings, 23andMe also agreed to a separate $46.75 million class action settlement to provide direct relief to affected U.S. consumers.

This consumer class action fund was established to pay out cash claims and provide credit monitoring to eligible class members who suffered documented financial losses or lost time due to the breach.

However, please be aware that the strict court-ordered deadline for everyday people to file a claim for a portion of the $46.75 million consumer fund was February 17, 2026. The settlement administrator is currently in the process of auditing and validating the claims submitted before that date, and payouts will be released once the bankruptcy court issues its final distribution orders.

Restructuring Under the New 23andMe Research Institute Custodian

During the bankruptcy proceedings, 23andMe’s assets—which notably include its highly valuable and private database of consumer genetic profiles—were sold to the TTAM Research Institute. This non-profit organization was founded by 23andMe’s co-founder and former CEO, Anne Wojcicki, and has since reregistered under the name 23andMe Research Institute.

Because the transfer of sensitive DNA profiles during a corporate bankruptcy can pose severe consumer privacy risks, a coalition of 28 state attorneys general actively intervened in the sales process. Their efforts ensured that the new non-profit entity cannot simply exploit or sell the data without restriction.

Under the court-approved terms of the asset sale, the 23andMe Research Institute is legally bound by strict data security and privacy mandates. The new custodian must perform ongoing information security risk analyses, establish an independent Advisory Board on data security, agree to be bound by comprehensive state privacy laws without exception, and continue to honor all consumer data deletion rights.

How to Permanently Erase Your Genetic Data Right Now

If you are a 23andMe customer and no longer feel comfortable allowing the company or its new non-profit successor to hold your highly personal DNA records, you have the legal right to completely purge your profile.

You can take direct steps online to permanently erase your personal files, but you must complete a critical verification step for the deletion to take effect. To erase your profile, follow this sequence:

  1. Go to 23andMe.com and sign in to your personal account.

  2. Click on your profile icon in the upper right-hand corner of the page and select “Settings” from the drop-down menu.

  3. Scroll down to the bottom of the page to the section labeled “23andMe Data” and click “View.”

  4. Click the red button to request permanent deletion of your data.

  5. Critical Verification Step: Check the email inbox associated with your account for a message from the company with the subject line “23andMe Delete Account Request.” You must open this email and click the confirmation link inside to finalize the deletion. Your genetic data and physical saliva samples will not be permanently deleted from their systems unless you complete this final email step.

Subscribe To Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

This field is for validation purposes and should be left unchanged.
The Time for Action is Now!
Mass Arbitrations
Active Data Breaches
Date of Breach: July 13, 2026
Date of Breach: July 2, 2026
Date of Breach: Not Specified
Latest News