An $18 million settlement is the latest consequence of 23andMe’s 2023 data breach—and a reminder that some stolen information can never be replaced.
The genetic testing company has agreed to settle allegations brought by attorneys general from 43 states, who argued stronger security measures could have limited the impact of an attack that ultimately exposed data tied to nearly 7 million people.
The agreement follows an investigation by more than 40 state attorneys general into the company’s handling of the 2023 breach, which attackers carried out using credential stuffing rather than a direct compromise of 23andMe’s systems. Regulators argued that stronger account protections and security controls could have reduced the impact of the attack.
Although only thousands of customer accounts were accessed, attackers leveraged the company’s DNA Relatives feature to collect data from millions of genetically connected users. The case’s impact is significant, not just because of the numbers, but because genetic data is impossible to change.
Details of the settlement
BleepingComputer reports that 43 state attorneys general accused 23andMe of failing to adequately protect customers’ highly sensitive genetic and personal information after attackers exploited reused passwords to access user accounts back in 2023.
In a statement made on Tuesday, New York Attorney General Letitia James noted that “23andMe put millions of its customers at risk with its flimsy security measures.” James also confirmed that a multistate investigation was carried out, the results of which led to the lawsuit.
Rather than continue litigating those claims, 23andMe agreed to an $18 million settlement as part of its ongoing bankruptcy proceedings. The company also recently changed ownership and is now owned by TTAM Research Institute, a not-for-profit organization.
James’ statement also noted that New York’s share of the $18 million is $705,000, with 305,245 people in the state affected.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
How the 2023 breach affected millions
Although only about 14,000 customer accounts were directly accessed during the 2023 cyberattack, information linked to roughly 6.9 million people was ultimately exposed. The attackers achieved this through credential stuffing, using usernames and passwords obtained from unrelated data breaches to log into accounts where customers had reused the same credentials.
Once inside, the attackers abused the company’s optional DNA Relatives feature, which allows users to discover and connect with genetically related individuals. That enabled them to scrape profile and ancestry information linked to millions of additional users, expanding the breach far beyond the accounts that were initially compromised.
The exposed data varied by user but included information such as names, birth years, locations, ancestry reports, family surnames, relationship details, profile photos, and genetic match information, depending on what individuals had chosen to share through the platform.
Why this matters beyond a monetary settlement
Unlike passwords or payment cards, genetic information cannot simply be changed after it is exposed. It can reveal ancestry, biological relationships, and other deeply personal details that may remain relevant for a lifetime, making breaches involving DNA data particularly difficult to contain while opening up a wide range of potential misuse and abuse.
The settlement serves as a reminder that while breaches may be unavoidable, the personal information shared online should be weighed carefully—especially when it cannot be replaced.
The use of credential stuffing also highlights why readers should monitor for credential breaches using services like Have I Been Pwned, change their passwords, and set up multifactor authentication.
Also Read: The largest data breaches so far in 2026 and what they have in common.