
The 23andMe data breach has left millions of users vulnerable, leading to a major legal settlement now complicated by the company’s bankruptcy filing.
Quick Takes
- The breach impacted nearly 7 million users, exposing sensitive information.
- 23andMe entered Chapter 11 bankruptcy amid declining sales and costly legal settlements.
- Affected users have until July 14, 2025, to file claims for financial compensation.
- Settlement amounts vary widely, with potentially up to $10,000 for extreme cases.
Data Breach Overview
A cyberattack exposed sensitive private information of around 7 million 23andMe users. The attackers used a method known as “credential stuffing,” in which username and password pairs leaked from other services are replayed against a login page. The breach affected approximately 14,000 individual accounts, and from those accounts the hackers exploited the “DNA Relatives” feature to access this data over five months without detection. Sensitive information such as names, relationship labels, ancestry reports, and DNA shared with relatives was compromised.
At least one hacker attempted to sell data from one million users on the dark web. This exposure prompted several class action lawsuits and significant customer mistrust, ultimately leading to a $30 million settlement in November 2024. Meanwhile, data protection authorities in both the UK and Canada are investigating the breach, adding international scrutiny to the issue.
“We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident.” https://t.co/oSpb0fHaVk
— KHON2 News (@KHONnews) September 24, 2024
Implications of Bankruptcy
23andMe filed for Chapter 11 bankruptcy on March 23, 2025, in the Eastern District of Missouri, along with 11 subsidiaries, including Lemonaid Health. This move allows the company to restructure financially and operationally while continuing operations. However, the legal settlement related to the cyberattack has been put on hold due to the bankruptcy. The company’s financial issues were worsened by its expansion into digital health and telemedicine, including a $400 million acquisition.
Congress has voiced concerns about the privacy implications of 23andMe’s bankruptcy. Customers have likewise been advised to consider requesting the deletion of their data and the destruction of their genetic material samples. Despite the financial turmoil and legal proceedings, the company says it is protecting user data and trying to address privacy concerns as best it can.
So, 23andMe is settling a lawsuit for $30 million after a data breach last year that compromised the personal information of 6.4 million users. Hackers exploited 23andMe's "DNA relatives" feature, and then tried to sell the stolen data online. Some users, especially those who… pic.twitter.com/ax7Adjdobc
— Ernesto (@jeminjuey) September 14, 2024
Compensation and Claim Process
Impacted users have until July 14, 2025, to initiate claims for compensation resulting from the data breach. Compensation could range from as little as $4.35 to as much as $10,000, with the highest amounts going to those who suffered identity theft or fraudulent tax filings. Users residing in Alaska, California, Illinois, and Oregon may receive increased compensation due to the unique privacy laws in those states.
Affected users are also offered identity monitoring services for three years as part of the settlement through Privacy & Medical Shield + Genetic Monitoring. To preserve their right to compensation, users must submit a formal proof of claim. The settlement is designed to ensure users receive financial restitution in light of the negligence that led to this massive breach.