A summary of mainstream reporting, plus the facts and perspectives it leaves out. A more honest account of each story.
Back to all stories

23andMe breach hits 92,000 Minnesotans; state wins payout

Minnesota will receive $514,871 from consumer genetics firm 23andMe as part of an $18 million multistate recovery tied to the company's bankruptcy over a 2023 data breach.[1]

The payout is Minnesota's share of the larger recovery that resolves state claims against 23andMe's estate, officials said.[1] The 2023 breach exposed genetic and ancestry data for about 6.9 million customers worldwide, including 92,385 Minnesotans.[1] Attorneys general found 23andMe failed to implement basic safeguards like multifactor authentication and protections against credential-stuffing, and they said the company did not promptly detect the intrusion.[1]

In October 2023, 23andMe disclosed that hackers used credential-stuffing attacks between April and September 2023 to access roughly 14,000 accounts and scrape DNA Relatives profiles.[1] The company initially blamed reused passwords and did not require multifactor authentication for users, prompting class-action lawsuits and a joint state investigation.[1] 23andMe filed for Chapter 11 in March 2025, and states later filed claims against the estate that fed into the $18 million multistate recovery.[1]

The company also agreed to a separate $47 million consumer class-action settlement tied to the same breach.[1] As of February 2024, 23andMe had genotyped more than 14 million people, meaning the breach affected roughly half its customer base at the time.

The mainstream summary does not mention the significant implications of the breach on 23andMe's business model and financial health. A 2025 study highlights that the breach was exacerbated by the company's DNA Relatives feature, which allowed a single compromised account to jeopardize the data of millions of connected profiles, a detail that underscores the systemic vulnerabilities in their security architecture. This lack of multi-factor authentication and failure to detect rapid login attempts were critical factors in the breach's success, as noted in a 2025 arXiv paper by R. Holthouse et al. The summary also overlooks the broader context of 23andMe's financial distress, with a 2025 PMC article by J.E. LoTempio Jr. et al. linking the company's Chapter 11 filing to reputational damage, increased litigation costs, and market pressures stemming from the breach, which collectively diminished consumer trust and enthusiasm for their services.

While the mainstream account focuses on the immediate financial recovery for Minnesota, it does not address the long-term ramifications for 23andMe or the direct-to-consumer genetic testing industry as a whole. The breach not only affected approximately 6.9 million customers but also raised critical questions about the viability of such companies in light of increasing data breach liabilities and consumer privacy concerns.

  1. FOX 9
Technology Legal Business & Economy
Show source details & analysis (1 source)

📊 Relevant Data

As of February 2024, 23andMe had genotyped more than 14 million individuals, with the 2023 breach affecting approximately 6.9 million (roughly half of its customer base at the time) who had enabled the DNA Relatives feature.

23andMe — Wikipedia (citing company data)

📌 Key Facts

  • Minnesota will receive $514,871 from 23andMe as part of an $18 million multistate recovery in bankruptcy.
  • The 2023 breach exposed genetic and ancestry data of 6.9 million customers worldwide, including 92,385 Minnesotans.
  • AGs found 23andMe failed to implement reasonable security, including MFA and protections against credential‑stuffing, and did not promptly detect the breach.
  • 23andMe has also agreed to a separate $47 million consumer class‑action settlement tied to the same breach.

📰 Source Timeline (1)

Follow how coverage of this story developed over time

July 15, 2026