23andme
Headquartered in Sunnyvale, California, the genetic testing company 23andMe has announced it is starting bankruptcy proceedings. Credit: Coolcaesar / WikiMedia Commons

23andMe reaches $18 million settlement with states for massive breach

A coalition of 42 state attorneys general on Tuesday said they reached an $18 million settlement with 23andMe for cybersecurity failings that led to a data breach exposing 6.9 million people’s information, including genetic ancestry data.

The agreement also requires new data protection measures from the 23andMe Research Institute, a nonprofit founded in May 2025 by 23andMe CEO Anne Wojcicki. The institute absorbed 23andMe’s assets, including genetic data.

The new requirements include undertaking risk assessments and appointing a special board to oversee data security. The settlement also requires that 23andMe customers maintain their right to throw out their genetic samples and delete personal data indefinitely.

23andMe didn’t learn of the October 2023 breach until months after it occurred. Some of the stolen data had been posted on the dark web.

“The company initially denied that a breach had occurred and, after confirming it, blamed consumers for how their accounts were configured and how passwords were used,” according to a press release from the office of New York Attorney General Letitia James.

The 42 attorneys general launched a multistate investigation days after the breach occurred and identified several 23andMe cybersecurity failings.

The company had no protections against hacks relying on stolen credentials, insufficient intrusion prevention measures, failed to do logging or monitoring for breaches and did not fix known vulnerabilities, James’ office said.

The firm also did not probe atypical login patterns or test new design features.

23andMe filed for bankruptcy protection in March 2025. 

In June, a Missouri bankruptcy court approved a settlement awarding millions of the breach’s victims a share of a $47 million fund.

In July 2025, the Wojcicki-led 23andMe Research Institute, then known as the TTAM Research Institute, paid $305 million for 23andMe’s assets. The sale included genetic data for customers who have not asked that their information be destroyed, according to a 2023 23andMe press release.

The institute has pledged to follow 23andMe’s privacy policy, which bars data from being shared with employers, insurers, public databases and law enforcement absent a court order, subpoena or search warrant.

It continues 23andMe’s practice of sharing and selling de-identified customer data to be used for biomedical research.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Suzanne Smalley

Suzanne Smalley

is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.