Industry - Data Breach
Executive Summary
Forty-three states reached an $18 million settlement with 23andMe's bankruptcy trustee over a 2023 data breach that exposed genetic ancestry and personal information of 6.9 million customers worldwide, with stolen data later sold on the dark web. Investigators found 23andMe used inadequate security practices and failed to protect against credential stuffing attacks, initially blaming customers' passwords before confirming the breach. A separate $46.75 million class-action settlement provides ...
What Happened
In October 2023, 23andMe disclosed a data breach affecting 6.9 million customers worldwide when hackers used credential stuffing attacks to access accounts. The stolen data included genetic ancestry information and personal details, which were subsequently sold on the dark web. Following a multistate investigation, 43 states reached an $18 million settlement with 23andMe's bankruptcy trustee in 2026, after the company filed for bankruptcy in March 2025. A separate $46.75 million class-action settlement was also reached to compensate affected U.S. consumers who filed claims by February 2026.
Who Is Affected
The breach impacted 6.9 million 23andMe customers globally, including nearly 14,000 Vermonters, 16,479 people in Delaware, and 94,298 people in Maryland. Affected individuals had their genetic ancestry data and personal information exposed, with some of this data later appearing for sale on the dark web. U.S. consumers who submitted claims by the February 2026 deadline are eligible for compensation through the class-action settlement.
Why It Matters
This case demonstrates that genetic information, which is permanent and uniquely identifying, requires stronger protection than conventional personal data. The breach prompted Vermont to pass a new Genetic Data Information Privacy Act, establishing a regulatory precedent for handling such sensitive biometric information. The settlement also shows that companies can be held accountable for data security failures even during bankruptcy proceedings, though the recovery amount was significantly reduced due to limited estate funds.
What You Should Do
If you are a 23andMe customer affected by the breach, check whether you filed a claim by the February 17, 2026 deadline for the class-action settlement. Review your 23andMe account settings and consider deleting your data if you no longer use the service. Use unique, strong passwords for all accounts containing sensitive information, and enable multi-factor authentication where available to protect against credential stuffing attacks.
Summary generated from verified sources and reviewed before publication. How we summarize.