Get Up to $10,000 from the 23andMe Data Breach Settlement: Here’s What You Need to Know

23andMe Faces Data Breach Settlement Following Major Cyberattack

In October 2023, genetic testing company 23andMe experienced a significant data breach, compromising the personal information of approximately half of its 14 million customers. Attackers used credential stuffing, a common technique in which username and password pairs leaked from breaches of other services are replayed against a target site, relying on users having reused the same password across platforms, to log in to customer accounts. This event has triggered a massive legal settlement, now opening pathways for affected customers to file claims that could amount to as much as $10,000 each.

The San Francisco-based company allows users to submit genetic samples to gain insights into their ancestry and genetic health. Following the breach, concerns were raised regarding the adequacy of the company’s security measures. A lawsuit filed in January 2024 accused 23andMe of failing to adequately protect sensitive information and of neglecting to inform certain customers—particularly those with Chinese or Ashkenazi Jewish heritage—about the specific targeting of their data. As a result, the company agreed to a $30 million settlement to resolve the claims.

According to a spokesperson for 23andMe, “We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all US claims regarding the 2023 credential stuffing security incident. We continue to believe this settlement is in the best interest of 23andMe customers and look forward to finalizing the agreement.” This substantial settlement underscores the challenges faced by organizations in safeguarding customer data against increasing cybersecurity threats.

The breach specifically affected around 6.9 million customers. To qualify for compensation, claimants must have been US residents on August 11, 2023. The impact was notably severe for about 5.5 million users who used 23andMe’s DNA Relatives feature, while another 1.4 million were affected through the Family Tree service.

As part of the settlement, customers can receive payments for verified hardships directly stemming from the breach. This includes costs associated with identity fraud or additional security measures, as well as mental health treatment linked to the resulting stress. Additionally, certain residents of Alaska, California, Illinois, and Oregon, states with genetic privacy laws, can apply for a payment under those local statutes, expected to be around $100.

Apart from monetary compensation, 23andMe will also provide affected users with three years of a security monitoring service dubbed Privacy Shield, which offers web and dark web monitoring for exposed personal data. This reflects a growing recognition among companies of the importance of offering remedial services following data breaches.

Customers looking to file a claim can use an official online portal established by Kroll Restructuring Administration, with options for submitting claims electronically or via traditional mail. Claimants are urged to act before the July 14, 2025 deadline to secure their potential compensation.

In assessing the cybersecurity implications of the 23andMe breach, it is useful to consider the tactics involved through the lens of the MITRE ATT&CK framework. Initial access using valid credentials obtained from earlier breaches (credential stuffing), followed by enumeration of user accounts, exemplifies common adversary tactics seen in such incidents. Passwords reused across services are a persistent pattern in user behaviour that attackers exploit; it is also why defenders treat multi-factor authentication, screening of new passwords against known-breached lists, and monitoring for many distinct usernames tried from one source as baseline controls against this technique.
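A defender-side illustration of the last point, added here as an example and not code from the article or from 23andMe: it scans constructed authentication log lines and flags sources whose pattern (many distinct usernames, mostly failures, a few successes) matches credential stuffing. The log format, IP addresses, usernames and thresholds are all assumptions made for this example.

```python
"""Flag credential-stuffing patterns in authentication logs (added example,
not from the article or 23andMe). Stuffing shows up as one source trying many
different usernames, mostly failing, with a few successes where reused
passwords hit. Log format and thresholds below are constructed assumptions."""
from collections import defaultdict

# Constructed sample lines: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:01:00Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:01:10Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:01:20Z 198.51.100.9 alice@example.com OK
2023-10-01T10:02:00Z 192.0.2.44 grace@example.com OK
"""

def parse(line):
    """Split one log line into (timestamp, ip, username, success)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"

def detect_credential_stuffing(log_text, min_distinct_users=5, min_failure_ratio=0.6):
    """Return {ip: stats} for sources that look like credential stuffing.
    A normal user retrying one account (198.51.100.9) is not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for line in log_text.splitlines():
        _, ip, user, ok = parse(line)
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)  # accounts to force a reset/review on
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "failure_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

Run over real logs, the `compromised` list for a flagged source is the set of accounts to reset and notify; the thresholds are starting points to tune against normal traffic.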

As businesses increasingly navigate the complexities of digital security, incidents such as the 23andMe breach highlight the urgent need for robust security measures, public transparency, and customer support protocols to mitigate the risks posed by similar future threats.
