23andMe to pay $18 million after 43 states found 'flimsy' security let hackers steal 6.9 million profiles

A coalition of state attorneys general says the DNA testing firm lacked basic protections like multifactor authentication before the 2023 breach that exposed genetic data on nearly seven million customers.

ThreatVectr Newsdesk· 4 min read
Full-frame edge-to-edge photoreal news-editorial image of a laboratory glass vial containing a coiled DNA double helix model, sitting on a dark reflective surfa
Share

Key points

  • 23andMe, now trading as Chrome Holding Co., will pay $18 million to settle claims from 43 US state attorneys general over its 2023 data breach.
  • Hackers stole personal and genetic ancestry data on 6.9 million customers between April and September 2023, using stolen passwords from other sites.
  • New York Attorney General Letitia James said the company lacked basic safeguards, including multifactor authentication and password blocklisting.
  • 23andMe already paid $30 million in September 2024 to settle a class action, and was fined £2.31 million by the UK's Information Commissioner's Office in June 2025.
  • The TTAM Research Institute, led by co-founder Anne Wojcicki, bought the company's assets for $305 million in July 2025 after a March 2025 bankruptcy filing.

The genetic testing company 23andMe has agreed to pay $18 million to settle a joint investigation by 43 state attorneys general into the 2023 breach that exposed the DNA and family history data of nearly seven million customers.

The settlement, announced by New York Attorney General Letitia James, follows a multistate investigation that found the company left customer accounts wide open to a fairly basic form of attack.

Here is what happened. Between April and September 2023, criminals ran what is called a credential stuffing attack against 23andMe. That means they took usernames and passwords already leaked from other websites and tried them, in bulk, on 23andMe accounts. When customers had reused a password, the attackers walked straight in.

The intrusion ran for five months before anyone at the company noticed. By the time it was disclosed in October 2023, the hackers had scraped data on 6.9 million people, including genetic ancestry information. Chunks of it later turned up for sale on dark web forums, with the attackers publishing millions of profiles as proof the haul was real.

Why did the attack work?

23andMe did not have the ordinary defences you would expect at a company holding this kind of data.

Investigators found the firm was not using multifactor authentication, the extra login step, usually a code from a phone, that stops a stolen password on its own from being enough. It also had no password blocklist to reject weak or already-leaked passwords, no meaningful rate limiting to slow down automated login attempts, and no working breach-detection monitoring.

James said 23andMe also ignored unusual login activity and failed to fix known flaws in its own systems. When customers first raised the alarm, the company denied a breach had occurred. It then pinned the blame on customers for reusing passwords.

"Companies have a duty to protect their customers' personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures," James said in a statement first reported by BleepingComputer.

What does the settlement actually change?

Beyond the $18 million payment, the deal forces the buyer of 23andMe's assets, now operating as TTAM, to put real security controls in place.

That includes a data security advisory board, formal risk analysis procedures, and a continued right for customers to delete their genetic data on request. New York alone will receive a share of the payout, with the rest split among the 42 other participating states.

This is not the first bill 23andMe has paid over the breach. In September 2024, the company agreed to a separate $30 million class action settlement. In June 2025, the UK's Information Commissioner's Office (ICO), Britain's data protection regulator, fined 23andMe £2.31 million (about $3.12 million) for what it called "serious security failings" behind a "profoundly damaging" breach.

The company filed for Chapter 11 bankruptcy in March 2025. Four months later, the TTAM Research Institute, a nonprofit led by co-founder Anne Wojcicki, completed a $305 million purchase of the business and has since re-registered as the 23andMe Research Institute.

What should affected customers do?

If you ever used 23andMe, assume your login details and at least some of your profile data are floating around.

Change the password on your 23andMe account, and change it anywhere else you reused the same one. Turn on multifactor authentication in your account settings. If you no longer want the company to hold your genetic information, request deletion directly, a right the settlement preserves. Watch for phishing emails that reference genuine details from your ancestry results, because those specifics make scam messages far more convincing.

© 2026 Threat Vectr