23andMe’s Settlement of Class Action Data Breach Lawsuit

23andMe agreed to settle a class action lawsuit related to a 2023 breach of customer information. The breach happened in October 2023 and involved the theft of the records of roughly 6.9 million people, about one half of its customers. 23andMe's own systems were not breached; instead, a threat actor carried out a credential stuffing attack that gave access to some client accounts. Approximately 14,000 individual accounts were breached, which is around 0.1% of the company's clients.

When the security breach was identified, 23andMe blamed the poor security practices of its customers. The accounts could only be accessed because the affected clients had reused username/password combinations that also protected their accounts on other platforms. If those third-party platforms suffer data breaches and the credentials are stolen, the stolen credentials can be used to sign in to any other account where they were reused, which in this instance was 23andMe.

Information obtained from those accounts included uninterrupted raw genotype information, health predisposition studies, and carrier-status reports. The threat actor also took advantage of the DNA Relatives feature, which enables people to find their DNA relatives. Using that feature, the threat actor viewed the profile records of about 5.5 million 23andMe consumers plus the Family Tree details of another 1.4 million individuals. The threat actor then offered the datasets for sale, including datasets of clients with Jewish and Chinese ancestry.

23andMe faced more than two dozen lawsuits because of the data breach, which is not covered by HIPAA because 23andMe is not a healthcare provider. The plaintiffs' lawyers said that the Jewish datasets offered for sale could be used as a list to attack Jews, while the Chinese dataset could be employed by the People's Republic of China intelligence agencies to target dissidents. Although access to the 14,000 accounts was caused by customers' password reuse, attorneys for the plaintiffs contended that 23andMe should have implemented more protection for users' sensitive data.

They alleged that 23andMe should have been mindful of a likely cyberattack, should have taken action to minimize risk, and should have put in place appropriate data breach measures. The firm should have notified clients with Jewish and Chinese identities that the datasets were leaked and that they could be targeted. The lawsuits likewise claimed that 23andMe lied regarding data security and did not put in place protections as per industry requirements, then lied about the magnitude and severity of the breach.

Lawyers for the plaintiffs and class asserted that, under the Illinois Genetic Information Privacy Act, some of the class were owed up to $3 billion in damages. In its annual report, 23andMe revealed that the company had close to $216 million in cash; thus, continuing the legal action could have resulted in 23andMe filing for bankruptcy.

The court gave preliminary approval of a $30 million settlement before 23andMe filed for bankruptcy in March 2025 to increase its value via a court-monitored sale. A nonprofit organization led by former 23andMe CEO Anne Wojcicki purchased 23andMe for $305 million in July 2025. The sale made more assets available to pay claims filed by people impacted by the data breach.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone