23andMe agrees to $30 million settlement over data breach that affected 6.9 million users

Ancestry and genetics-testing company 23andMe has agreed to pay a $30 million settlement after a class-action lawsuit was brought against the company for last year's data breach.

The settlement, which is pending a judge's approval, comes after the company confirmed in October that "threat actors" used about 14,000 accounts, approximately 0.1% of the company's user base, to access the ancestry data of 6.9 million connected profiles. Leaked data included users' account information, location, ancestry reports, DNA matches, family names, profile pictures, birthdates and more.

While 23andMe confirmed the existence of the breach in October, it did not reveal the full extent of the issue until December. A class-action suit was filed in San Francisco the following month, accusing 23andMe of failure to amply protect users' personal information. It also accused 23andMe of neglecting to notify certain users that data from people with Chinese or Ashkenazi Jewish heritage appeared to be targeted in the breach.

Here's what to know about the breach and the class-action suit.

Class-action lawsuit

The class-action lawsuit filed in January accuses 23andMe of inadequately protecting user data and failing to notify affected parties in time, among other complaints.

Terms of the settlement include payment to those affected by the security incident to cover expenses like those incurred fighting identity theft, installing physical security systems, or seeking mental health treatment; payments to those living in states with genetic privacy laws; payments to all those who had health information leaked; and three years of access to state of the art "Privacy & Medical Shield + Genetic Monitoring" for all settlement members who enroll.

The company admitted to no wrongdoing as part of the agreement to pay $30 million to affected parties.

As of Monday, a judge still has to approve the deal. If approved, more information will be released for affected parties looking to get in on the legal action.

"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident," 23andMe told USA TODAY in a statement. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement."

The company also said that roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage.

23andMe data breach

In October, 23andMe said via its website that an outside entity had stolen information from customers using its DNA Relatives feature. The company temporarily disabled the service, saying it believed "threat actors" had gained access using a technique called credential stuffing, in which they used usernames and passwords that had already been exposed via other websites' data breaches or otherwise became available.

“We believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” 23andMe wrote on its website at the time.

In December, 23andMe revealed the extent of the breach, saying ancestry data of 6.9 million people had been affected, 5.5 million of whom were users who opted into 23andMe's "Relatives" feature, which links people with common DNA. Another 1.4 million users also had their family tree information accessed.

"We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks," a company spokesperson said in an email at the time.

What was exposed in the data breach?

The accessed data contained personal and family information according to the company, including:

DNA relatives' profile information

• Display name
• How recently they logged into their account
• Their relationship labels
• Their predicted relationship and percentage DNA shared with their DNA Relatives matches
• Their ancestry reports and matching DNA segments, specifically where on their chromosomes they and their relative had matching DNA
• Self-reported location (city/zip code)
• Ancestor birth locations and family names
• Profile picture, birth year
• A weblink to a family tree they created, and anything else they may have included in the “Introduce yourself” section of the profile

Family tree information

• Display name
• Relationship labels
• Birth year
• Self-reported location (city/zip code)

Contributing: Amaris Encinas and James Powel, USA TODAY