23andMe settles genetics breach: $18M, 43 states
Multistate AG coalition led by New York's Letitia James. Settlement resolves claims over the 2023 credential-stuffing breach that exposed 6.9M customers' genetic profiles.
23andMe settled with 43 state attorneys general Thursday. $18 million cash, plus mandated security controls the company should have had in 2023.
Confirmed via BleepingComputer’s reporting: the settlement resolves state-AG claims tied to the 2023 credential-stuffing breach that ultimately exposed 6.9 million customers’ genetic profiles. Coalition led by New York AG Letitia James. Announced 2026-07-16.
Timeline
- April–September 2023. Credential-stuffing campaign runs against 23andMe accounts for roughly five months. Not detected in that window.
- October 2023. 23andMe discloses the breach. Initial company position: user password reuse, not a company failure.
- Later 2023. Scope widens to 6.9 million customers once ancestry-profile linkage across accounts — pulled via the DNA-Relatives feature — is factored into the affected count.
- 2024. Records offered for sale on dark-web forums.
- Post-2024. Company restructures; the entity signing today’s settlement is Chrome Holding Co., 23andMe’s post-restructure successor.
- 2026-07-16. $18 million multi-state settlement announced.
What the AGs’ investigation found
Per the state-AG coalition, 23andMe was operating in 2023 without:
- Password blocklists or multi-factor authentication.
- Rate-limiting or intrusion-prevention on the login path — the direct enabler of the credential-stuffing run.
- Breach-detection monitoring capable of flagging five months of anomalous login traffic.
- Any response process for unusual login activity.
- Remediation of known vulnerabilities.
That is the coalition’s public finding. Unconfirmed: whether 23andMe’s contemporaneous internal risk register matched or diverged from this specific enumeration — treat the AGs’ list as the authoritative public record until anything from inside the company surfaces to contradict it.
What the settlement requires
- Data-security advisory board with independent review authority.
- Formal risk-analysis protocols on the customer-authentication and data-access paths.
- Consumer right to compel deletion of held data.
- $18 million cash, allocated among the 43 participating states — per-state allocation not disclosed.
Quote from NY AG Letitia James, per the release: “Companies have a duty to protect their customers’ personal information from hackers.”
Why the number matters
$18 million is the state-AG resolution. It is a distinct track from any private class-action figures 23andMe has resolved separately, and the security obligations attached here bind Chrome Holding Co. going forward — not just to the states that signed today’s deal.
The enforcement model is what should register for anyone holding genetics, biometric, or health data at similar scale. Forty-three state AGs acting jointly under state consumer-protection statutes against a breached genetics company is now precedent for the next one. The specific defensive-gap list above should be read as an enforcement checklist, not a set of suggestions.
Sourcing
- BleepingComputer, 23andMe to pay $18 million in new genetics data breach settlement, 16 July 2026.
- New York Attorney General Letitia James, office (public statement), 16 July 2026.
- Broader breach-and-takedown coverage: /topics/threat-intel/.
Found this useful? Share it.


