23andMe Genetic Data Breach Class Action
Case Overview
In October 2023, genetic testing giant 23andMe disclosed that cybercriminals had breached its platform via a credential-stuffing attack, exploiting recycled passwords to access user accounts and then leveraging the company's "DNA Relatives" feature to scrape data from approximately 6.9 million profiles. The stolen data included names, birth years, relationship labels, predicted ethnicities, and in some cases raw health-predisposition information — among the most sensitive personal data imaginable, as it is immutable and can implicate not just victims but their biological relatives. Hackers subsequently posted the data on dark web forums, with some datasets targeting users of specific ethnic backgrounds, raising additional discrimination and harassment concerns.
Multiple class action lawsuits were consolidated in the Northern District of California, with plaintiffs alleging negligence, breach of contract, violation of California's Confidentiality of Medical Information Act (CMIA), and failure to comply with state consumer protection statutes. A $30 million settlement was preliminarily approved in September 2024, though it faced scrutiny from the court over per-claimant payout amounts given the scale of those affected. 23andMe's financial instability — the company filed for Chapter 11 bankruptcy in March 2025 — has further complicated the litigation and raised urgent questions about what will happen to the vast genetic database the company holds.
Who May Qualify
U.S. residents who had a 23andMe account and whose personal or genetic data was accessed or exposed in the October 2023 data breach. This includes individuals whose DNA Relatives profile data was scraped even if their direct login was not compromised.
Frequently Asked Questions
Was my 23andMe data exposed in the breach?
23andMe notified affected users by email, but the breach impacted approximately 6.9 million people — about half of its total user base at the time. If you had the DNA Relatives feature enabled, your profile data may have been scraped even if your account credentials were not directly compromised. You can check your account notification history or contact 23andMe support.
Can I still file a claim if 23andMe is in bankruptcy?
23andMe's Chapter 11 bankruptcy filing in March 2025 complicates but does not eliminate victims' rights. The $30 million settlement fund was established before the bankruptcy, and class members may still be able to submit claims. However, the bankruptcy proceedings could affect the final payout amounts and timeline. It is advisable to monitor the official settlement website for updates.
What makes a genetic data breach more serious than a typical data breach?
Unlike passwords or credit card numbers, your DNA cannot be changed. A genetic data breach exposes immutable biological information that reveals health predispositions, ancestry, and family relationships — and that exposure is permanent. It can also affect relatives who never consented to share their data, making the harm uniquely far-reaching.