23andMe has proposed a larger settlement fund to resolve the U.S. lawsuit over its 2023 data breach, adding $20 million to the $30 million settlement offered in 2024. The federal court judge approved the $30 million settlement in December 2024.
The data breach (not covered by HIPAA, as 23andMe is not a healthcare organization) started in April 2023 and involved unauthorized access to client accounts for about 5 months through a credential stuffing attack. The incident affected around 7 million clients, 6.4 million of whom were from the United States. The client accounts were compromised because their owners used the same password on other platforms that had been compromised. Although credential stuffing attacks take advantage of platform users’ poor password habits, 23andMe was blamed for having insufficient security, for example, not using multi-factor authentication to secure accounts.
Before 23andMe filed for bankruptcy, the parties had already agreed on the $30 million settlement, which the court approved. In March 2025, the company filed for Chapter 11 bankruptcy protection to increase value via a court-monitored sale. In July 2025, a nonprofit group, under the leadership of ex-23andMe CEO Anne Wojcicki, bought 23andMe for $305 million. The sale made more assets available to pay claims filed by people impacted by the data breach.
After the agreement on the earlier settlement, 23andMe class members who provided evidence of losses filed over 250,000 legitimate claims. According to 23andMe’s lawyers, the higher settlement amount will pay back the majority of U.S. claims; they said the profits from the company sale are the only financial source available to aid the victims’ recovery from the data breach. As a result, they are hoping the judge will approve the adjusted settlement.
Besides offering compensation for documented, out-of-pocket expenditures sustained due to the data breach, the settlement pays claims that 23andMe failed to tell clients with Ashkenazi Jewish and Chinese ancestry that the hacker was targeting them, and that their stolen information was offered for purchase on the dark web.
Aside from getting paid for losses, class members can also sign up for five years of CyEx’s Privacy & Medical Shield + Genetic Monitoring program, which was created specifically for 23andMe clients impacted by the data breach. The package offers improved protection, which includes dark web monitoring, genetic anomaly detection, and identity theft monitoring services. Wojcicki mentioned the adjusted settlement closely follows the settlement offered and accepted in 2024. The new proposed settlement is waiting for the court’s preliminary approval.
23andMe likewise asked the Missouri bankruptcy judge to approve another $3.25 million or Can$4.49 million settlement to resolve a class action lawsuit in Canada, which will settle with 300,000 Canadian residents impacted by the data breach.


