
23andMe’s massive data breach exposed millions of users’ genetic details and triggered lawsuits, a stalled $30 million settlement, and a high-profile bankruptcy.
At a Glance
- 23andMe suffered a breach exposing DNA-linked data of 7 million users
- Hackers accessed data via credential stuffing and exploited family-matching features
- Users can file claims for up to $10,000 by July 14, 2025
- A $30 million settlement is paused due to bankruptcy proceedings
- Free genetic identity monitoring is included in the proposed settlement
Inside the Genetic Leak
In 2023, genetic testing giant 23andMe fell victim to a targeted cyberattack that compromised sensitive data from millions of users. Hackers used a method called credential stuffing, accessing 14,000 accounts by exploiting reused passwords and, through the company’s DNA Relatives tool, exposing the ancestry and familial DNA connections of roughly 6.9 million individuals.
The stolen data included names, relationship labels, and shared DNA information. One attacker allegedly tried to sell one million user records on the dark web, prompting investigations by UK and Canadian data authorities. 23andMe attempted to shift blame, claiming some users had “negligently recycled and failed to update their passwords,” drawing sharp backlash.
The breach triggered a cascade of lawsuits and intensified scrutiny from privacy advocates. Meanwhile, customer confidence eroded as fears mounted over the misuse of genetic data.
Bankruptcy Cloud Over Compensation
On March 23, 2025, amid mounting legal costs and sagging revenues, 23andMe filed for Chapter 11 bankruptcy in the Eastern District of Missouri. The company’s financial woes were exacerbated by the poorly timed acquisition of Lemonaid Health, costing over $400 million. Several top executives also resigned during this turmoil.
As part of its legal obligations, 23andMe proposed a $30 million settlement to compensate affected customers. Payouts range from basic claims of around $4.35 to as much as $10,000 for victims of fraud or identity theft. Customers in California, Illinois, Oregon, and Alaska could receive about $100 each under their states’ privacy laws.
Though the settlement is currently paused due to bankruptcy, eligible individuals are encouraged to file claims by the July 14, 2025, deadline to retain eligibility.
Next Steps for Users
In response to public outcry, California Attorney General Rob Bonta advised users to “delete your data and destroy any samples” stored by 23andMe. Customers can request deletion through their account settings or contact support for further removal of genetic material.
The proposed settlement also includes three years of free identity monitoring through Privacy & Medical Shield + Genetic Monitoring, aimed at guarding against misuse of compromised genetic data.
As legal and legislative battles unfold, the 23andMe case continues to highlight the devastating risks of digital health breaches—and the lasting consequences when your DNA becomes data.