The genetic testing firm has increased its proposed US settlement following a 2023 credential stuffing breach affecting millions.
According to Reuters, 23andMe has asked a bankruptcy court judge to approve a revised $50 million settlement to resolve US claims stemming from its 2023 data breach. The updated settlement adds $20 million to the $30 million figure preliminarily approved in December 2024. The breach was caused by a credential stuffing attack and exposed data from nearly 7 million customers, mostly in the United States.
23andMe filed for Chapter 11 bankruptcy in March 2025 and was sold in July for $305 million to a nonprofit led by former CEO Anne Wojcicki. The sale created additional funds, enabling the company to expand the original settlement.
The 2023 breach occurred when hackers accessed customer accounts using previously leaked credentials from other platforms. Although only 14,000 accounts were directly compromised, the platform’s “DNA Relatives” feature enabled the attackers to access profile and family tree information from over 6.9 million users.
Sensitive data, including raw genetic information, health predisposition reports, and ethnic heritage, were stolen. Certain datasets, especially those related to users of Chinese and Ashkenazi Jewish ancestry, were later offered for sale on dark web forums. Critics argued that 23andMe failed to implement multi-factor authentication and did not adequately warn targeted user groups.
Over 250,000 valid claims have since been submitted by affected individuals, with claims ranging from identity theft losses to emotional distress. In addition to cash reimbursements, the settlement includes access to a five-year Privacy & Medical Shield + Genetic Monitoring package through CyEx.
23andMe has also proposed a separate CAD 4.49 million settlement for 300,000 Canadian citizens affected by the breach.
According to 23andMe’s attorneys, the revised settlement will resolve the majority of US claims and represents the only available pool of compensation due to the company’s financial status. Wojcicki stated that the expanded agreement “closely tracks” the terms of the original settlement and reflects her continued commitment to affected users.
Credential stuffing involves using stolen login details from one platform to access accounts on another. 23andMe accounts were breached because many users reused passwords that had already been compromised elsewhere.
Facing mounting legal costs, falling share prices, and pressure from over two dozen lawsuits, 23andMe filed for Chapter 11 in March 2025 to manage claims and facilitate its sale.
CyEx is a third-party service offering identity theft protection, dark web monitoring, and genetic anomaly tracking for impacted users. A five-year enrollment is included in the revised settlement.
Yes. Affected individuals who exclude themselves from the class action settlement retain the right to pursue individual claims in court or arbitration.
The stolen datasets were organized by heritage, with specific targeting of individuals with Jewish and Chinese ancestry. Experts warn that this type of sorting raises broader concerns about misuse of genetic data for political, discriminatory, or state-level purposes.