23andMe Lawsuit, 6.9 Million Had DNA Stolen—Claim Your $10,000 Before February 2026 Deadline

What Happened with the 23andMe Data Breach?

Nearly 7 million people had their genetic data stolen and sold on the dark web. Now, 23andMe is paying up to $50 million to settle the massive class action lawsuit—but you need to act fast.

In October 2023, hackers infiltrated roughly 14,000 individual 23andMe accounts through credential stuffing attacks, then used those compromised accounts to access profile information from approximately 6.9 million users through the DNA Relatives feature. Your name, ancestry data, genetic matches, and even health information may have been exposed.

If you were a 23andMe customer between May and October 2023, you could be entitled to compensation ranging from $100 to over $10,000. But the clock is ticking—the filing deadline is February 17, 2026.

Here’s what you need to know right now:

Settlement Amount: Up to $50 million (increased from original $30 million)
Filing Deadline: February 17, 2026
Who Qualifies: U.S. residents who were 23andMe customers between May 1-October 1, 2023
Compensation Range: $100-$10,265 depending on your situation
How to File: Online at 23andMeDataSettlement.com or by mail

Let’s break down everything you need to understand about this lawsuit, who’s affected, how much money you might receive, and exactly how to file your claim.

The Full Story: How Hackers Stole Genetic Data from Millions

What Actually Happened?

Between April and September 2023, hackers conducted a credential stuffing attack—using stolen usernames and passwords from other breached websites to access 23andMe accounts. Unlike a direct system breach, these criminals exploited customers who reused passwords across multiple sites.

Once inside those 14,000 accounts, the attackers used the DNA Relatives feature to access information from approximately 5.5 million profiles and Family Tree data from another 1.4 million users—totaling 6.9 million affected customers.

What Data Was Stolen?

The stolen information included display names, profile photos, birth years, locations, family surnames, grandparents’ birthplaces, ethnicity estimates, DNA haplogroups, and ancestry connections. For some users, health predisposition reports and raw genetic data were also compromised.

Here’s what makes this breach particularly disturbing: hackers specifically targeted customers with Chinese and Ashkenazi Jewish ancestry, posting their information for sale on dark web forums like BreachForums.

Why This Breach Is Different

Unlike stolen credit card numbers or passwords that can be changed, genetic information is permanent—you can’t change your DNA or reissue your genetic code like a credit card. This makes genetic data breaches uniquely damaging and long-lasting.

23andMe Lawsuit, 6.9 Million Had DNA Stolen—Claim Your $10,000 Before February 2026 Deadline

The 23andMe Class Action Lawsuit: How We Got Here

Timeline of Events

October 1, 2023: Hackers advertise stolen 23andMe data on Reddit and BreachForums

October 6, 2023: 23andMe confirms the breach publicly

December 2023: Company admits nearly 7 million users were affected

January 2024: First class action lawsuit filed in California

April 2024: More than 40 lawsuits consolidated into multidistrict litigation

September 2024: 23andMe agrees to $30 million settlement

March 2025: Company files for Chapter 11 bankruptcy

September 2025: Settlement increased to $50 million after company sale

October 2025: Court grants preliminary approval

Who Qualifies for the 23andMe Settlement?

Basic Eligibility Requirements

You must meet all of these criteria: You were a 23andMe customer between May 1, 2023 and October 1, 2023; you lived in the United States during that period; and you received a notice from 23andMe stating the breach compromised your personal information.

That’s roughly 6.4 million U.S. residents who could qualify.

Special Eligibility Categories

1. Statutory Claims (Alaska, California, Illinois, Oregon Residents)

If you lived in these four states during the breach period, you automatically qualify for a statutory payment of approximately $100—no proof of damages required. These states have genetic privacy laws with statutory damages provisions.

2. Health Information Claims

If you received notice from 23andMe that your health information was compromised, you’re eligible for a cash payment of up to $165. This applies to users whose raw genotype data or health predisposition reports were accessed.

3. Extraordinary Loss Claims

This is where the big money is. You can claim up to $10,265 if you suffered documented financial harm directly related to the breach.

What qualifies as extraordinary loss?

Identity fraud or falsified tax returns
Physical security systems purchased in response
Professional mental health treatment due to breach-related anxiety
Credit monitoring services
Other documented out-of-pocket expenses

How Much Money Can You Actually Get?

Compensation Breakdown

Claim Type	Amount	Requirements
Statutory Cash Claim	~$100	Resident of AK, CA, IL, or OR
Health Information Claim	Up to $165	Health data compromised
Extraordinary Loss (documented)	Up to $10,265	Proof of expenses
Extraordinary Loss (undocumented)	Up to $500	Self-attestation only

Plus: Free Privacy Monitoring

All class members can enroll in a five-year Privacy & Medical Shield + Genetic Monitoring program from CyEx, providing identity theft monitoring, dark web monitoring, and genetic anomaly detection services.

Reality Check on Payment Amounts

After the original settlement, 23andMe received over 250,000 valid claims. With the increased $50 million settlement fund, expect actual payments to be lower than maximum amounts depending on total claims filed.

The settlement website estimates:

Statutory claims: around $100 per person
Health information claims: around $165 per person
Extraordinary loss claims: varies widely based on documentation

How to File Your 23andMe Settlement Claim

Step-by-Step Filing Process

Option 1: File Online (Recommended)

Visit the official settlement website: 23andMeDataSettlement.com
Click “File a Claim”
Enter your information from your breach notice
Select which claim types apply to you
Upload any supporting documentation (for extraordinary claims)
Submit by 11:59 PM Central Time on February 17, 2026

Option 2: File by Mail

Download claim form from 23andMeDataSettlement.com
Complete all required sections
Attach supporting documents if claiming extraordinary losses
Mail postmarked by February 17, 2026 to:

Kroll Settlement Administration LLC
Care of 23andMe
PO Box 22539
New York, NY 10150-5391

Important: Mail submissions must be postmarked by the deadline, not received by that date.

What Documentation Do You Need?

For All Claims:

Your 23andMe breach notification (check email or mail from late 2023/early 2024)
Your customer information

For Extraordinary Loss Claims:

Credit card or bank statements showing related expenses
Invoices or receipts for security systems, credit monitoring, or identity theft services
Mental health treatment bills and statements
Documentation linking expenses directly to the data breach

For Statutory Claims (AK, CA, IL, OR):

Proof of residency in those states between May-October 2023

What If You Never Got a Breach Notification?

How to Check If Your Data Was Compromised

Many affected customers never received 23andMe’s breach notification. Here’s how to find out if you’re eligible:

Check your email: Search for messages from 23andMe in October-December 2023
Look for mail: 23andMe sent physical letters to some customers
Use breach checking tools: Services like Malwarebytes’ Digital Footprint scan can check if your email appears in the breach
Contact the settlement administrator: Call 833-621-5792 or email [email protected]

If you were a customer during the breach window but never received notice, you may still qualify—contact the settlement administrator directly.

Understanding the Legal Claims: What 23andMe Did Wrong

The Lawsuit’s Core Allegations

The consolidated class action lawsuit accused 23andMe of:

Failing to protect sensitive genetic data with adequate security measures
Not requiring two-factor authentication until after the breach
Delayed breach notification — waiting weeks to inform customers
Blaming victims instead of taking responsibility
Targeting specific ethnic groups — not disclosing that Chinese and Ashkenazi Jewish customers were specifically targeted

What Makes This Case Special

Genetic testing companies are “treasure troves” of sensitive information and valuable targets for cybercriminals. The lawsuit argued 23andMe failed to implement cybersecurity standards appropriate to the sensitivity of genetic data.

A joint investigation by Canada’s Privacy Commissioner and the UK’s Information Commissioner’s Office found that 23andMe lacked appropriate safeguards and ignored warning signs. The UK fined 23andMe £2.31 million for the breach.

23andMe’s Bankruptcy: What It Means for Your Claim

The Company’s Financial Troubles

In March 2025, 23andMe filed for Chapter 11 bankruptcy protection, and in July 2025, a nonprofit led by former CEO Anne Wojcicki purchased the company for $305 million.

How Bankruptcy Affects Settlement Payments

The bankruptcy complicated the settlement—but actually resulted in a larger payout. The sale freed up additional assets, allowing 23andMe to increase the settlement from $30 million to $50 million.

What you need to know:

The settlement remains valid despite bankruptcy
Payments will come from the sale proceeds
23andMe’s attorneys say the company sale proceeds are the only source of monetary recovery for breach victims
You still need to file your claim by the deadline

Will the Settlement Be Enough?

The settlement amount represents essentially all 23andMe can afford—$25 million is expected to come from cyber insurance, with only $5 million from company assets. While $50 million sounds like a lot, divided among potentially millions of claimants, individual payments may be modest.

Comparing the 23andMe Breach to Other Data Breaches

How Does This Stack Up?

Company	Records Breached	Settlement Amount	Per Person
Equifax	147 million	$425 million	~$125
Capital One	100 million	$190 million	~$25-$400
T-Mobile	76.6 million	$350 million	~$25-$100
Yahoo	3 billion	$117.5 million	~$25-$358
23andMe	6.9 million	$50 million	$100-$10,265

What Makes Genetic Data Different

Unlike credit card numbers or addresses, genetic information is:

Permanent — You can’t change your DNA
Familial — Affects blood relatives too
Predictive — Reveals future health risks
Discriminatory potential — Could be used for targeting specific ethnic groups

This is why the 23andMe breach is considered especially serious, despite affecting fewer people than some other major breaches.

Your Rights and Next Steps

What You Can Do Right Now

✅ File your claim before February 17, 2026 at 23andMeDataSettlement.com

✅ Enroll in free credit monitoring offered through the settlement

✅ Change all passwords if you reused your 23andMe password elsewhere

✅ Enable two-factor authentication on all important accounts

✅ Monitor your credit reports for signs of identity theft

✅ Consider placing a fraud alert with credit bureaus

What About Your Genetic Data Now?

23andMe has stated that customers retain the ability to delete their account and all their data permanently. If you’re concerned about future misuse, you can:

Log into your 23andMe account
Request complete data deletion
Download your genetic data first if you want a personal copy

State-Specific Consumer Rights

Some states offer additional protections:

California: California Attorney General consumer protection resources

Illinois: Strong genetic privacy laws under the Genetic Information Privacy Act

Oregon & Alaska: Similar genetic privacy statutes

Check your state attorney general’s website for additional resources specific to data breach victims.

Frequently Asked Questions

Do I automatically get money, or do I have to file a claim?

You must file a claim. To receive settlement benefits, class members must submit a claim by the deadline. The money won’t come automatically.

What if I didn’t save my breach notification from 23andMe?

Contact the settlement administrator at 833-621-5792 or [email protected]. They can verify if you’re in the settlement class and help you file.

Can I opt out and sue 23andMe separately?

Yes, but you must submit an opt-out form by December 29, 2025. If you opt out, you can pursue your own lawsuit but won’t receive any settlement benefits. Most consumer attorneys recommend staying in the class action unless you have extraordinary damages.

How long until I receive payment?

The settlement administrator will distribute payments after the court grants final approval (scheduled for January 20, 2026), the bankruptcy is resolved, and any appeals are completed. Expect payments in mid-to-late 2026.

What if I used the DNA Relatives feature—does that affect my claim?

No. In fact, the DNA Relatives feature is how hackers accessed most victims’ data. If you used this feature, you’re more likely to have been affected.

Can I file if I’m a Canadian customer?

There’s a separate $3.25 million settlement for approximately 300,000 Canadian customers affected by the breach. Canadian residents should check with KND Complex Litigation for details on the Canadian settlement.

What if I had multiple family members affected?

Each affected person can file their own individual claim. Family members who were 23andMe customers during the breach period should each submit separate claim forms.

Will filing a claim trigger an IRS audit?

Settlement payments for physical injuries or emotional distress are generally not taxable. However, for amounts over $600, you may receive a 1099 form. Consult a tax professional about your specific situation.

What happens if I miss the filing deadline?

If you miss the February 17, 2026 deadline, you lose your right to any settlement benefits. There are no extensions, so don’t wait.

How do I prove identity theft happened because of the 23andMe breach?

This is challenging but important for extraordinary claims. Document everything:

Timeline showing theft occurred after the October 2023 breach
Police reports filed
Credit monitoring alerts
Fraudulent account statements
Written explanation connecting the theft to your 23andMe data

Is the settlement website legitimate?

Yes. The official website is 23andMeDataSettlement.com (note: no spaces, exact spelling). Beware of scam websites. Never provide payment or sensitive financial information to claim settlement money—legitimate settlements never require upfront payment.

Understanding Class Action Settlements: How They Work

What Is a Class Action Lawsuit?

A class action lawsuit allows a large group of people harmed in a similar way to join together in a single legal case. Instead of thousands of individual lawsuits, one case represents everyone affected.

Benefits of class actions for consumers:

Lower legal costs (split among many people)
Access to top attorneys (who work on contingency)
Faster resolution than individual cases
Accountability for large corporations

How Settlement Money Is Divided

From the $50 million settlement:

Legal fees: Plaintiffs’ attorneys will receive up to 25% of the settlement fund (around $12.5 million) plus up to $500,000 in expenses
Administrative costs: Settlement administration, notice, website, claims processing
Class representatives: Up to $1,000 each for 34 class representatives (total $34,000)
Remaining funds: Distributed to all valid claimants

After deductions, expect approximately $35-37 million available for claimant payments.

How to Protect Yourself Going Forward

Password Security Best Practices

The 23andMe breach happened because people reused passwords. Don’t let it happen to you:

✅ Use a unique password for every important account

✅ Make passwords at least 12-16 characters with mixed characters

✅ Use a password manager like 1Password, LastPass, or Bitwarden

✅ Enable two-factor authentication everywhere possible

✅ Never reuse passwords across multiple sites

Genetic Data Privacy Tips

If you use genetic testing services:

Read privacy policies carefully before submitting DNA
Understand how your data will be stored and shared
Opt out of research participation if you’re uncomfortable
Consider using a pseudonym when creating accounts
Limit what information you share in public profiles
Review privacy settings regularly

Credit Monitoring and Identity Theft Protection

Take these steps to monitor for identity theft:

Check credit reports regularly — Get free reports from all three bureaus at AnnualCreditReport.com
Set up fraud alerts — Contact one credit bureau to place alerts
Consider a credit freeze — Free and prevents new accounts from being opened
Monitor financial accounts — Check for unauthorized transactions weekly
Sign up for the free CyEx monitoring through the 23andMe settlement

What Experts Say About the 23andMe Breach

Legal Expert Perspectives

Consumer protection attorneys have noted this settlement represents one of the largest per-person payouts for a genetic data breach. However, attorneys acknowledge the settlement amount is limited by 23andMe’s financial constraints.

Cybersecurity Analysis

Security experts warn that genetic data represents a uniquely valuable target for criminals, with implications for insurance discrimination, targeted harassment, and even bioweapon development. The information stolen can’t be changed, making victims vulnerable indefinitely.

Privacy Advocacy

Privacy advocates emphasize that once genetic information is exposed, it cannot be changed or reissued—unlike a password or credit card number. This makes the 23andMe breach particularly damaging from a privacy standpoint.

Important Deadlines and Court Dates

Mark these dates on your calendar:

Date	Event
December 29, 2025	Deadline to opt out of settlement
January 20, 2026	Final approval hearing
February 17, 2026	FINAL DEADLINE TO FILE CLAIMS
Mid-to-Late 2026	Expected payment distribution (if approved)

Get Help Filing Your Claim

Official Resources

Settlement Website: 23andMeDataSettlement.com
Phone: 833-621-5792
Email: [email protected]

Settlement Administrator:
Kroll Settlement Administration LLC
Care of 23andMe
PO Box 22539
New York, NY 10150-5391

Government Resources

Federal Trade Commission (FTC):
IdentityTheft.gov — Report identity theft and get recovery plan
Consumer.ftc.gov/articles/data-breach-response — Steps to take after a data breach

State Attorney General Offices:
Most state AGs have consumer protection divisions that can help with data breach issues. Find yours at NAAG.org.

Legal Representation

The class action attorneys representing all claimants:

Keller Rohrback L.L.P.
Casey Gerry Schenk Francavilla Blatt & Penfield LLP
Stueve Siegel Hanson LLP
Paul, Weiss, Rifkind, Wharton & Garrison LLP

You don’t need to hire your own attorney to participate in the settlement. The class action lawyers work on contingency and their fees come from the settlement fund.

The Bottom Line: Don’t Leave Money on the Table

Nearly 7 million people were affected by the 23andMe data breach, but settlement administrators report that historically, 96% of settlement funds go unclaimed. Don’t be part of that statistic.

Your action plan:

File your claim now at 23andMeDataSettlement.com before the February 17, 2026 deadline
Gather your documentation if claiming extraordinary losses
Enroll in the free monitoring services provided through the settlement
Protect your data going forward with better password practices
Monitor your credit for signs of identity theft

The genetic information stolen in this breach can never be changed. While no settlement can undo the privacy violation, claiming your share of this settlement is your right—and it may help cover costs you’ve already incurred.

Don’t wait until the deadline passes. File your claim today.

Disclaimer: This article provides general information about the 23andMe data breach settlement and should not be considered legal advice. For specific questions about your eligibility or claim, contact the settlement administrator or consult with a qualified attorney. Settlement terms and deadlines are subject to court approval and may change.

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah