23andMe Settles with 43 States for $18M After Data Breach

23andMe Reaches $18M Bankruptcy Settlement Over 2023 Data Breach

HIGH
July 18, 2026
4m read
Data BreachRegulatoryCloud Security

Impact Scope

People Affected

nearly 7 million customers

Affected Companies

23andMe

Industries Affected

HealthcareTechnology

Geographic Impact

United States (national)

Related Entities

Organizations

Pennsylvania Attorney General

Other

23andMe TTAM Research Institute

Full Report

Executive Summary

The genetic testing company 23andMe has reached an $18 million bankruptcy settlement with a coalition of 43 state attorneys general, led by Pennsylvania and Oregon. The settlement addresses the company's security failures that led to a major data breach in 2023. Attackers used a credential stuffing technique to compromise user accounts, ultimately exposing the sensitive genetic and personal data of nearly seven million customers. The investigation found that 23andMe's lack of basic security controls, like mandatory multi-factor authentication (MFA), directly contributed to the breach's success.

Threat Overview

The data breach, first identified by 23andMe in October 2023, was not a direct hack of its servers. Instead, attackers used lists of usernames and passwords stolen from other, unrelated data breaches and systematically tried them against 23andMe accounts. This credential stuffing attack was successful because many users had reused passwords across different services. Once inside an initial set of accounts, attackers were able to pivot and access even more data through a feature that allowed users to connect with relatives. The stolen data, including genetic ancestry information, was later offered for sale on the dark web.

Technical Analysis

The primary attack vector was T1110.003 - Brute Force: Credential Stuffing. This technique automates the process of testing large volumes of stolen credentials against a target website. The success of this attack highlights several security deficiencies at 23andMe at the time:

  • Lack of Mandatory MFA: The company did not require users to enable MFA, which would have blocked the vast majority of these automated login attempts, even with correct passwords.
  • Insufficient Credential Monitoring: The investigation noted a failure to check user passwords against known lists of breached credentials, a practice that can prevent the use of common or previously compromised passwords.
  • Weak Login Throttling: The platform likely did not have adequate mechanisms to detect and block the high volume of failed login attempts characteristic of a credential stuffing attack.

Impact Assessment

The breach had a severe impact on nearly 7 million customers, including almost 200,000 in Pennsylvania alone. The exposed data is highly sensitive and immutable; unlike a password, genetic information cannot be changed. This puts affected individuals at lifelong risk of being targeted based on their genetic data, health predispositions, and family connections. For 23andMe, the incident led to significant financial distress, culminating in bankruptcy proceedings where its consumer data was sold to the TTAM Research Institute.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were mentioned in the source articles.

Cyber Observables — Hunting Hints

To detect credential stuffing attacks, organizations should monitor for:

Type
log_source
Value
Authentication Logs
Description
A high rate of failed login attempts from a single IP address or a distributed set of IPs.
Type
log_source
Value
Authentication Logs
Description
A low ratio of successful to failed logins, but with a high absolute number of successes from many different IPs.
Type
user_agent
Value
Inconsistent or unusual User-Agent strings in login requests.
Description
Attack tools often use generic or outdated user agents.

Detection & Response

  • D3FEND: Authentication Event Thresholding (D3-ANET): Implement velocity checks and rate limiting on login pages. For example, temporarily block an IP address after a certain number of failed login attempts in a short period.
  • D3FEND: User Geolocation Logon Pattern Analysis (D3-UGLPA): Analyze login locations to detect impossible travel scenarios (e.g., a user logging in from two different continents within minutes).
  • Bot Detection: Utilize a bot management solution to distinguish between human users and automated scripts attempting to perform logins.

Mitigation

  • D3FEND: Multi-factor Authentication (D3-MFA): The single most effective defense. Mandate MFA for all user accounts to render stolen passwords useless without the second factor.
  • D3FEND: Strong Password Policy (D3-SPP): Enforce strong, unique passwords and check new or changed passwords against a database of known breached credentials to prevent reuse.
  • Credential Stuffing Protection: Deploy specialized services that monitor for and block credential stuffing attacks at the network edge.
  • User Education: Regularly remind users about the importance of using unique passwords for every online service and enabling MFA wherever possible.

Timeline of Events

1
October 1, 2023
23andMe discovers the data breach resulting from credential stuffing attacks.
2
July 17, 2026
An $18 million bankruptcy settlement with 43 states is announced.
3
July 18, 2026
This article was published

MITRE ATT&CK Mitigations

The most effective control against credential stuffing. Requiring a second factor prevents access even if the password is correct.

Implementing checks against known breached passwords prevents users from choosing credentials that are already compromised and likely to be used in stuffing attacks.

While this is a server-side attack, the principle applies to service-side behavioral analytics, such as detecting high rates of login failures (bot detection).

Timeline of Events

1
October 1, 2023

23andMe discovers the data breach resulting from credential stuffing attacks.

2
July 17, 2026

An $18 million bankruptcy settlement with 43 states is announced.

Sources & References

PA Settles After 23AndMe Data Breach
LevittownNow.comJuly 17, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

23andmedata breachcredential stuffingsettlementmfagenetic data

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.