23andMe customers in dozens of states will get paid after $150M data breach settlement

0
23andMe customers in dozens of states will get paid after $150M data breach settlement

Attorneys general from 41 states and the District of Columbia reached a $150 million settlement with at-home DNA testing company 23andMe over claims it failed to prevent a data breach affecting millions of customers. Once legal fees are covered, customers whose most sensitive personal information are in line to receive a payout.

Several attorneys general filed an objection to the company’s bankruptcy case in 2025 after a multi-state investigation led by Connecticut Attorney General William Tong revealed 23andMe “engaged in unreasonable data security practices,” according to a Tuesday release from Tong’s office. The investigation initially started in October 2023 after a hacker posted sample data online that included people with Chinese and Ashkenazi Jewish heritages.

“23andMe collected the most sensitive genetic data imaginable from millions of Americans, and they failed to safeguard that data,” Tong said in the Tuesday release.

The DNA company filed for bankruptcy protection in March 2025. It was later sold to a nonprofit that the company’s founder, Anne Wojcicki, formed. 

According to court documents, the immediate relief available to states is $18 million. Payout amounts depend on claims attorneys general made, with the highest at $1.3 million from Texas and the lowest at $149,339 from South Dakota. States that didn’t file a claim included Hawaii, Mississippi, Missouri, Montana, Nebraska, Nevada, Rhode Island and Wyoming. 

California is excluded from the settlement because it has an ongoing civil lawsuit against 23andMe over the data breach. A bankruptcy judge additionally barred California on July 10 from pursuing monetary relief, but allowed the state to seek out other remedies, Reuters reported.

Since the breach, 23andMe has required users to enroll in two-step verification and allowed only a small number of employees to access people’s DNA, among other changes.

Separate class-action lawsuit settled

Tong added that the DNA company reached a settlement to end a $46.75 million class-action lawsuit in Missouri. Part of the agreement required the company to pay out claims to the affected 6.4 million U.S. residents, Quartz reported on July 9.

People who were affected by the breach had until Feb. 17 to submit a claim for damages. About $14.29 million of that settlement has been paid out. More distributions are coming.

A group of lawyers filed the lawsuit on behalf of people whose data was exposed in the breach in June of 2024. The settlement resolved claims that 23andMe didn’t safeguard users’ private information, including genetic data. 

Credential stuffing revealed security flaws

23andMe filed for bankruptcy in March 2025, nearly two years after a hacker acquired access to 14,000 accounts holding 6.9 million people’s genetic information worldwide, according to The HIPAA Journal in 2023. The person accessed the accounts through credential stuffing, the practice of using exposed data in one breach to access accounts on another platform.

The exposure reached more people since 23andMe’s DNA Relatives feature allows people to share information with genetic matches. What was exposed depended on a user’s settings, but generally included display names. Severe cases of the breach included people’s birth years, locations and relationship labels.

Company scrutiny increased after 23andMe denied the breach occurred and then blamed customers for not securing their accounts, according to a release from Tong’s office.

The data breach sparked an international investigation into the direct-to-consumer genetic companies, which revealed 23andMe had inadequate security practices, according to a release from Canada’s Privacy Commissioner. The United Kingdom government fined 23andMe £2.31 million ($3.12 USD) in 2025.

“Many of these deficiencies stemmed primarily from the fact that 23andMe did not develop appropriate safeguards to prevent credential stuffing, which is a common form of attack,” according to the report.


Round out your reading

Ella Rae Greene, Editor In Chief

Leave a Reply

Your email address will not be published. Required fields are marked *