On July 14, a coalition of 42 state attorneys general, led by Pennsylvania’s Dave Sunday, announced an $18 million settlement with what remains of 23andMe, resolving state claims over the 2023 breach that exposed the genetic and family data of 6.9 million people — and, in slow motion, the company itself.

Do the arithmetic the press releases don’t: $18 million across 6.9 million affected people is about $2.60 per person. That’s the going rate, in the bankruptcy of a genetic testing company, for the exposure of the one dataset you can never rotate, reset, or reissue.

The breach, briefly — and why “hack” flatters it

The 2023 incident wasn’t a sophisticated intrusion. Attackers used credential stuffing: they took username-and-password pairs already leaked from other services (including, investigators found, the earlier MyHeritage breach — a genealogy-site breach feeding an attack on another genealogy site) and replayed them against 23andMe login pages until roughly 14,000 accounts opened.

Fourteen thousand cracked accounts became 6.9 million victims because of 23andMe’s own social architecture. The DNA Relatives feature — the product’s central selling point — let each compromised account view profile data of genetic relatives: roughly 5.5 million people via DNA Relatives and another 1.4 million through Family Tree. Names, birth years, relationship labels, ancestry percentages, and for many users their self-reported locations. The attacker then advertised curated slices of the data for sale, including lists targeting users of Ashkenazi Jewish and Chinese ancestry — a detail that should permanently retire the idea that ancestry data is trivia.

The states’ investigation catalogued what 23andMe didn’t have in 2023, and it reads like a checklist from a freshman security course. The company failed to:

  • require or even meaningfully encourage multi-factor authentication
  • check passwords against known-breached credential lists
  • deploy rate limiting or intrusion prevention that would flag thousands of automated login attempts
  • monitor for the suspicious pattern of one session methodically scraping millions of relative profiles

As AG Sunday put it: “This company was trusted by millions of Americans to safeguard very private data and information, but failed to do so” — before criticizing the company’s initial instinct, which was to blame users for reusing passwords.

Why the settlement is small, and what it actually buys

The number is $18 million rather than $180 million for one reason: there’s almost nothing left. 23andMe filed for bankruptcy in March 2025, and the states are creditors in a line of creditors. The settlement is paid from the estate’s finite funds, with allocations tracking each state’s claim — from $1.3 million to Texas down to about $149,000 for South Dakota. Pennsylvania, with 192,093 affected residents, receives $491,902.

It stacks on top of the $46.75 million class-action settlement approved in the bankruptcy earlier this month for consumers who filed claims by February 17, 2026. If you missed that deadline, this week’s news does not reopen it — the states’ money goes to the states.

The more consequential terms aren’t monetary. The company’s data — the actual genotype files of some 15 million customers — was sold in bankruptcy to TTAM Research Institute, the nonprofit founded by 23andMe co-founder Anne Wojcicki (since rebranded the 23andMe Research Institute). The attorneys general helped attach binding conditions to that sale, and the settlement reinforces them: a mandated information security program, ongoing risk assessments, an advisory board with oversight of data practices, binding privacy commitments, and — most importantly — preserved, functioning consumer deletion rights.

The lesson nobody can un-learn

Genetic data breaks every assumption underlying ordinary breach response:

  1. It cannot be changed. A leaked password is a nuisance; a leaked genome is permanent. There is no “reset your DNA” flow, and the fraud-monitoring subscription that settles most breaches is a category error here.
  2. It is never just yours. Every 23andMe customer who got scraped exposed information about parents, siblings, and children who never created an account, never clicked an EULA, and have no standing in any settlement. Consent frameworks built for individual accounts simply do not fit data that is inherently familial.
  3. It outlives the company that collected it. The deepest lesson of the 23andMe saga isn’t the breach — it’s the bankruptcy. When a data company dies, its database is an asset, and bankruptcy courts exist to sell assets. The guardrails on the TTAM sale exist only because state AGs fought for them; the default path was an open auction of 15 million genomes to the highest bidder.

If your data was in it

  • The class-action claims window (February 17, 2026) has closed; this settlement adds nothing to individual pockets.
  • Your deletion right survives the sale and the settlement affirms it: log in to the (now TTAM-operated) service, request account and data deletion, and revoke research consent and sample storage while you’re there. Do it even though the horse has left — it limits every future incident.
  • If you reused your 23andMe-era password anywhere, assume it’s in circulation. Unique passwords and MFA everywhere; this entire catastrophe began with recycled credentials.

And if a relative asks whether they should spit in a tube for fun: the honest answer, priced by 42 attorneys general this week, is that the downside is permanent, hereditary, and currently compensated at $2.60 a head.