Georgia – The most sensitive information stolen from 23andMe customers could not simply be replaced with a new password. The 2023 breach exposed genetic ancestry details and other personal data tied to 6.9 million people worldwide, with portions later advertised for sale on the dark web.
Now, nearly three years after the intrusion became public, Georgia is set to receive $452,232 through a multistate settlement shaped as much by 23andMe’s bankruptcy as by the scale of the breach.
Georgia Attorney General Chris Carr announced that his office joined attorneys general from 40 other states and the District of Columbia in reaching an agreement with the company’s bankruptcy trustee. The settlement resolves allegations that 23andMe failed to use reasonable security measures before the breach and responded inadequately after customer information was compromised.
The states were granted $150 million in allowed bankruptcy claims. However, 23andMe’s remaining estate has limited funds and faces numerous competing claims. As a result, the states will recover $18 million, which will be distributed immediately from available bankruptcy funds.
Georgia’s share reflects the impact on residents. According to the attorney general’s office, 171,125 customers in the state were among the 6.9 million consumers affected.
A separate $46.75 million class-action settlement was also approved through the bankruptcy proceedings. That agreement is intended to provide relief to affected U.S. customers who submitted claims by Feb. 17, 2026.
23andMe first disclosed the breach in October 2023. The incident involved credential stuffing, a method in which attackers use usernames and passwords exposed in earlier breaches to attempt access to accounts on other services. Once inside certain accounts, the attackers were able to reach information connected through 23andMe’s sharing features.
The multistate investigation concluded that the company had failed to put several basic protections in place. Investigators said 23andMe did not adequately compare passwords with lists of previously compromised credentials or require multifactor authentication. The company was also accused of lacking effective rate limits, intrusion prevention systems, logging and monitoring tools, and sufficient procedures for investigating unusual login activity.
Among the warning signs, according to the states, was a major increase in login attempts. Investigators also alleged that 23andMe failed to correct known vulnerabilities and did not properly test certain design features.
Read also: Two public meetings open debate over North Point’s potential transformation
The attorneys general further criticized the company’s initial response. 23andMe learned of the breach months after some affected information had already become publicly available. It initially denied that a breach had occurred and later placed responsibility on customers’ account settings and password practices.
The states argued that position was especially troubling because 23andMe had partnered with MyHeritage, a company that had previously experienced a breach involving credentials used across websites.
The legal path changed in March 2025, when 23andMe sought bankruptcy protection. States then filed claims connected to their investigation, while the company’s assets — including its large collection of consumer data, were placed up for sale.
Those assets were purchased by TTAM Research Institute, a nonprofit created by 23andMe founder and former CEO Anne Wojcicki. The organization has since been reregistered as the 23andMe Research Institute.
The sale came with privacy and security conditions intended to provide stronger protection for the genetic information transferred to the new owner. Requirements include enhanced cybersecurity measures, formal risk analysis, the creation of an advisory board and compliance with comprehensive privacy laws without exceptions. Consumers must also continue to have the right to request deletion of their information.
Customers who want to remove their genetic data can sign in at 23andMe.com, open their profile settings and find the “23andMe Data” section. They may request a download before selecting “Permanently Delete Data.” The process is not complete until the customer opens the confirmation email and selects “Permanently Delete All Records.”
The settlement closes the states’ breach claims, but its broader message reaches beyond the bankruptcy case: companies entrusted with genetic information are expected to protect it as data that cannot be reset, reissued or taken back once exposed.