Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

23andMe settles genetics breach: $18M, 43 states

Multistate AG coalition led by New York's Letitia James. Settlement resolves claims over the 2023 credential-stuffing breach that exposed 6.9M customers' genetic profiles.

23andMe settles genetics breach: $18M, 43 states
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap airgap · Published · 2 min read

23andMe settled with 43 state attorneys general Thursday. $18 million cash, plus mandated security controls the company should have had in 2023.

Confirmed via BleepingComputer’s reporting: the settlement resolves state-AG claims tied to the 2023 credential-stuffing breach that ultimately exposed 6.9 million customers’ genetic profiles. Coalition led by New York AG Letitia James. Announced 2026-07-16.

Timeline

  • April–September 2023. Credential-stuffing campaign runs against 23andMe accounts for roughly five months. Not detected in that window.
  • October 2023. 23andMe discloses the breach. Initial company position: user password reuse, not a company failure.
  • Later 2023. Scope widens to 6.9 million customers once ancestry-profile linkage across accounts — pulled via the DNA-Relatives feature — is factored into the affected count.
  • 2024. Records offered for sale on dark-web forums.
  • Post-2024. Company restructures; the entity signing today’s settlement is Chrome Holding Co., 23andMe’s post-restructure successor.
  • 2026-07-16. $18 million multi-state settlement announced.

What the AGs’ investigation found

Per the state-AG coalition, 23andMe was operating in 2023 without:

  • Password blocklists or multi-factor authentication.
  • Rate-limiting or intrusion-prevention on the login path — the direct enabler of the credential-stuffing run.
  • Breach-detection monitoring capable of flagging five months of anomalous login traffic.
  • Any response process for unusual login activity.
  • Remediation of known vulnerabilities.

That is the coalition’s public finding. Unconfirmed: whether 23andMe’s contemporaneous internal risk register matched or diverged from this specific enumeration — treat the AGs’ list as the authoritative public record until anything from inside the company surfaces to contradict it.

What the settlement requires

  • Data-security advisory board with independent review authority.
  • Formal risk-analysis protocols on the customer-authentication and data-access paths.
  • Consumer right to compel deletion of held data.
  • $18 million cash, allocated among the 43 participating states — per-state allocation not disclosed.

Quote from NY AG Letitia James, per the release: “Companies have a duty to protect their customers’ personal information from hackers.”

Why the number matters

$18 million is the state-AG resolution. It is a distinct track from any private class-action figures 23andMe has resolved separately, and the security obligations attached here bind Chrome Holding Co. going forward — not just to the states that signed today’s deal.

The enforcement model is what should register for anyone holding genetics, biometric, or health data at similar scale. Forty-three state AGs acting jointly under state consumer-protection statutes against a breached genetics company is now precedent for the next one. The specific defensive-gap list above should be read as an enforcement checklist, not a set of suggestions.

Sourcing

Found this useful? Share it.