
A bipartisan coalition of 43 attorneys general has secured an $18 million settlement with genetic testing company 23andMe over its failure to adequately protect customer data before the company's 2023 breach.
The agreement also requires new cybersecurity and governance measures for the organization now responsible for managing the genetic information of millions of users.
New York Attorney General Letitia James announced the settlement resolving a multistate investigation launched after 23andMe disclosed in October 2023 that attackers accessed sensitive customer information belonging to approximately 6.9 million people. The breach affected 305,245 New York residents and exposed personal data, including genetic ancestry information, with some records later appearing for sale on dark web marketplaces.
The investigation found that 23andMe failed to implement several basic security controls that could have prevented or detected the credential-stuffing attack. According to the attorneys general, the company did not screen passwords against known breached credentials, require multifactor authentication, adequately monitor for suspicious login activity, investigate unusual authentication patterns, or promptly remediate known vulnerabilities.
Founded in 2006, 23andMe is one of the world's largest consumer DNA testing companies, storing genetic and personal information for millions of customers.
The 2023 breach began when attackers used usernames and passwords stolen from unrelated breaches to access customer accounts without multifactor authentication. They then abused 23andMe's DNA Relatives feature to collect profile information linked to those accounts, dramatically increasing the number of affected users.
Investigators also criticized the company's response, saying it took months to identify the breach after stolen data had already become publicly available. They noted that 23andMe initially disputed reports of a breach before later confirming the incident.
Under the settlement, the company will pay $18 million to participating states, including more than $705,000 to New York, and implement stronger security measures. These include enhanced risk assessments, a dedicated data security advisory board, and continued support for customers who choose to delete their personal and genetic information.
The settlement follows 23andMe's March 2025 bankruptcy filing, which prompted legal action from multiple states over the future of its genetic database. The company's customer data was ultimately transferred to TTAM Research, a nonprofit founded by former CEO Anne Wojcicki that has since been renamed the 23andMe Research Institute. The new organization will also be subject to the settlement's security requirements.
Customers are advised to enable multifactor authentication, use unique passwords, monitor accounts for suspicious activity, and consider deleting their genetic data if they no longer want it retained.







Leave a Reply