23andMe Agrees to $18M Settlement

23andMe Agrees to $18M Settlement With 43 States Over 2023 Data Breach

23andMe Agrees to $18M Settlement With 43 States Over 2023 Data Breach

23andMe has agreed to pay 43 U.S. states over its 2023 breach. Image: Rawpixel/Envato

23andMe will pay $18 million to settle claims from 43 states over its 2023 data breach, which exposed genetic information tied to nearly 7 million people.

Jul 17, 2026

An $18 million settlement is the latest consequence of 23andMe’s 2023 data breach—and a reminder that some stolen information can never be replaced.

The genetic testing company has agreed to settle allegations brought by attorneys general from 43 states, who argued stronger security measures could have limited the impact of an attack that ultimately exposed data tied to nearly 7 million people.

The agreement follows an investigation by more than 40 state attorneys general into the company’s handling of the 2023 breach, which attackers carried out using credential stuffing rather than a direct compromise of 23andMe’s systems. Regulators argued that stronger account protections and security controls could have reduced the impact of the attack.

Although only thousands of customer accounts were accessed, attackers leveraged the company’s DNA Relatives feature to collect data from millions of genetically connected users. The case’s impact is significant, not just because of the numbers, but because genetic data is impossible to change.

Details of the settlement

BleepingComputer reports that 43 state attorneys general accused 23andMe of failing to adequately protect customers’ highly sensitive genetic and personal information after attackers exploited reused passwords to access user accounts back in 2023.

In a statement made on Tuesday, New York Attorney General Letitia James noted that “23andMe put millions of its customers at risk with its flimsy security measures.” James also confirmed that a multistate investigation was carried out, the results of which led to the lawsuit.

Rather than continue litigating those claims, 23andMe agreed to an $18 million settlement as part of its ongoing bankruptcy proceedings. The company also recently changed ownership and is now owned by TTAM Research Institute, a not-for-profit organization.

James’ statement also noted that New York’s share of the $18 million is $705,000, with 305,245 people in the state affected.

Must-read security coverage

How the 2023 breach affected millions

Although only about 14,000 customer accounts were directly accessed during the 2023 cyberattack, information linked to roughly 6.9 million people was ultimately exposed. The attackers achieved this through credential stuffing, using usernames and passwords obtained from unrelated data breaches to log into accounts where customers had reused the same credentials.

Once inside, the attackers abused the company’s optional DNA Relatives feature, which allows users to discover and connect with genetically related individuals. That enabled them to scrape profile and ancestry information linked to millions of additional users, expanding the breach far beyond the accounts that were initially compromised.

The exposed data varied by user but included information such as names, birth years, locations, ancestry reports, family surnames, relationship details, profile photos, and genetic match information, depending on what individuals had chosen to share through the platform.

Advertisement

Why this matters beyond a monetary settlement

Unlike passwords or payment cards, genetic information cannot simply be changed after it is exposed. It can reveal ancestry, biological relationships, and other deeply personal details that may remain relevant for a lifetime, making breaches involving DNA data particularly difficult to contain while opening up a wide range of potential misuse and abuse.

The settlement serves as a reminder that while breaches may be unavoidable, the personal information shared online should be weighed carefully—especially when it cannot be replaced.

The use of credential stuffing also highlights why readers should monitor for credential breaches using services like Have I Been Pwned, change their passwords, and set up multifactor authentication.

Also Read: The largest data breaches so far in 2026 and what they have in common.

Joseph Ofonagoro

Joseph is a technical writer with about three years of experience creating clear, practical content across consumer technology, startups, tutorials, and cybersecurity. He is also advancing a career in cyber threat intelligence, driven by a strong interest in the responsible use of technology and its role in protecting people, organizations, and digital systems. His passion for cybersecurity grew out of a broader commitment to helping others understand technology safely and effectively. As an undergraduate at the National Open University of Nigeria, he leads a community of technology enthusiasts, guiding beginners, sharing learning resources, and helping students build confidence as they explore careers in tech. Joseph’s writing combines technical curiosity with an accessible, beginner-friendly style. In addition to his editorial work, he periodically shares cybersecurity case studies and research reports on social media, covering threat trends, security lessons, and practical insights for readers interested in cyber awareness and digital safety.