Skip to main content
Emerging ThreatsData Breaches

23andMe Breach Settlement Imposes $18 Million Penalty

Locked file cabinet in a corporate office setting, symbolizing secure personal data storage.

"Companies have a duty to protect their customers' personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures," New York Attorney General Letitia James said.

The breach: 6.9 million customers, April–September 2023

In October 2023, 23andMe — which the filing identifies as now operating under the corporate name Chrome Holding Co. — disclosed a large-scale data breach tied to credential-stuffing attacks that went undetected for roughly five months. Investigators found the attacks ran from April 2023 to September 2023 and resulted in the theft of data belonging to 6.9 million customers, including genetic ancestry information. Portions of that stolen data were later offered for sale on the dark web, and the attackers leaked millions of genetic profiles as proof of legitimacy.

Multistate investigation: missing basic safeguards

A coalition of 43 state attorneys general launched a multistate investigation after the breach disclosure and concluded the company had failed to deploy basic protections against credential-based attacks. The investigators reported that 23andMe lacked password blocklisting and multifactor authentication and did not have adequate rate limiting, intrusion prevention, or breach-detection monitoring in place. They also found the company failed to address unusual login activity and did not remediate known vulnerabilities. According to Attorney General James, the company initially denied that a breach had occurred and later attributed the incident to customers' account and password practices.

Settlement terms: $18 million and mandated security governance at TTAM

As a result of the investigation, Chrome Holding Co. agreed to an $18 million settlement with the coalition of 43 attorneys general. The settlement secures new security requirements at TTAM, including the establishment of a data security advisory board, the implementation of risk analysis protocols, and the preservation of continued consumer rights to delete their data. Attorney General James framed the settlement as both a penalty and a set of rules intended to protect customers going forward: "New Yorkers trusted 23andMe with their sensitive and personal genetic data, only to find that data stolen and put up for sale on the dark corners of the internet. As a result of our coalition's action, 23andMe will pay for violating the law and strict rules will be put in place to protect their customers."

Legal and financial cascade: lawsuits, bankruptcy, fines, and an acquisition

The 2023 breach triggered multiple legal and regulatory actions. In November 2023, the company amended its Terms of Use to make it harder to sue, which the company said at the time was intended only to simplify arbitration. In September 2024, 23andMe agreed to pay $30 million to settle one proposed class-action lawsuit stemming from the breach. Financial distress followed: the company filed for Chapter 11 bankruptcy in March 2025 and announced plans to sell its assets. New York's attorney general and the coalition filed claims related to those proceedings, and in June 2025 James and 27 other attorneys general sued to protect customers' genetic data during the bankruptcy process. Regulators outside the United States also acted — the UK Information Commissioner's Office fined 23andMe £2.31 million (reported as $3.12 million) in June 2025 over what the ICO called 'serious security failings' that led to a 'profoundly damaging' breach. In July 2025, the TTAM Research Institute nonprofit, re-registered as the 23andMe Research Institute and led by 23andMe co-founder Anne Wojcicki, completed an acquisition of the company's assets after agreeing to pay $305 million.

What this means for technologists, regulators, and customers

  • Technologists and security teams: the investigation's findings highlight specific technical controls singled out as absent — password blocklisting, multifactor authentication, rate limiting, intrusion prevention, and breach-detection monitoring — which the settlement now binds to TTAM's operations.
  • Regulators and attorneys general: the case demonstrates coordinated multistate action (43 attorneys general) and cross-border enforcement (the UK ICO fine), culminating in both a monetary settlement and mandated governance changes as remedies.
  • Customers and consumers of genetic testing services: the record shows millions of genetic profiles were stolen and some were placed on the dark web; under the settlement, consumers retain the explicit right to delete their data and will be covered by the newly required security governance at TTAM.

The $18 million settlement closes one chapter in a cascade that included class actions, a creditor-driven bankruptcy, a regulatory fine in the United Kingdom, and a $305 million asset sale — but it also erects a framework of required controls and governance at TTAM and preserves deletion rights for affected customers. Enforcement of those new requirements and whether they prevent a repeat of credential-stuffing intrusions will be the practical tests of the settlement's effectiveness.

Original story: BleepingComputer — 23andMe to pay $18 million in new genetics data breach settlement