23andMe, the US genetic-testing company that told people where their ancestors came from, has agreed to pay $18 million to settle claims brought by a coalition of 43 state attorneys general, the officials who lead public prosecution in each US state. The settlement, announced on 14 July 2026 by New York Attorney General Letitia James, closes the investigation into the 2023 data breach that exposed the genetic information of 6.9 million customers.
Unlike a password, DNA cannot be changed once it is exposed. That is the backdrop to a case that took a company once valued at around $6 billion into bankruptcy and on to the sale of its customers' most intimate data.
The failure: the basics were missing
In October 2023, 23andMe announced it had discovered an intrusion affecting 6.9 million people, 305,245 of them in New York State alone. The attackers got in through credential stuffing, the automated use of millions of username-and-password pairs stolen in other breaches, betting that victims reuse the same password across sites. From there they harvested genetic ancestry information and even put it up for sale on the dark web, the part of the internet reachable only with special software and used for illicit trade.
The states' investigation found the company lacked critical security measures:
- It did not check passwords against lists of credentials already known to be compromised, nor require multi-factor authentication, a second confirmation step beyond the password.
- It did not limit the rate of login attempts, which would have stopped the automated attack.
- It had no logging or monitoring able to detect the breach, and it did not investigate a huge spike in login attempts.
"Companies have a duty to protect their customers' personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures," said Attorney General James. According to the same investigation, the company first denied the breach and, once it confirmed it, blamed customers for how they had set up their accounts and reused passwords.
From bankruptcy to the sale of the data
In March 2025, 23andMe filed for bankruptcy. In June, a coalition of attorneys general sued to protect customers' genetic information during the process, fearing the data would change hands without safeguards. That nearly happened: the assets ended up sold to TTAM Research, a non-profit set up by 23andMe co-founder and former chief executive Anne Wojcicki, since renamed the 23andMe Research Institute.
The settlement imposes a set of security obligations on that new owner: risk analysis, a dedicated advisory board on data protection, and a guarantee that customers can still delete their information. New York's share is more than $705,000. The amount recovered was capped at $18 million because the money left in the bankruptcy estate is finite and many other claims are waiting, a modest sum against the nearly seven million people affected.
Not the first bill to pay
This is not the only invoice from the 2023 breach. According to trade press, 23andMe had already agreed, in September 2024, to a $30 million class-action settlement, and in June 2025 it was fined £2.31 million, about $3.1 million, by the UK's data regulator. The pattern is of a company paying, in instalments, the price of failing to guard what was entrusted to it.
The new owners promise to guard what remains more carefully. For the 6.9 million people whose genetic data has already circulated, one question no settlement can answer remains: how do you protect something that, once exposed, can never be hidden again?
Sources: New York Attorney General, BleepingComputer, The Record.
#StaySafe
🙏🖖