23andMe Pays $47 Million to Resolve Genetic Data Breach Affecting 6.9 Million Customers
Won by CaseyGerry.
Gayle Blatt of CaseyGerry served as court-appointed co-lead counsel in a multidistrict proceeding against 23andMe, securing a $46.75 million settlement for approximately 6.9 million customers whose genetic ancestry profiles and personal data were stolen in a 2023 credential-stuffing attack.
What happened
Starting around April 2023, attackers used lists of previously exposed usernames and passwords to break into 23andMe accounts through credential stuffing, a technique that exploits people who reuse passwords across different sites. The intrusion went undetected for roughly five months. By the time 23andMe disclosed the breach on October 6, 2023, hackers had accessed DNA Relatives profile data for approximately 5.5 million customers and Family Tree information for an additional 1.4 million, bringing the total to nearly 6.9 million affected accounts.
What made the breach unusually sensitive was the nature of the stolen data. Exposed records included names, dates of birth, geographic locations, family tree details, and genetic information such as maternal and paternal haplogroup results. Some of that data was later offered for sale on the dark web, with subsets targeting specific ethnic communities. Investigators later found that 23andMe had failed to employ basic safeguards against credential stuffing, including password blocklist comparisons, multifactor authentication requirements, and appropriate rate limiting on login attempts.
Plaintiffs' attorneys filed actions across the country, and the Judicial Panel on Multidistrict Litigation consolidated the cases before Judge Edward M. Chen in the Northern District of California as MDL 3:24-md-03098. On June 5, 2024, Judge Chen appointed Gayle M. Blatt of CaseyGerry, Cari Campen Laufenberg of Keller Rohrback, and Norman E. Siegel of Stueve Siegel Hanson to serve as interim co-lead class counsel.
23andMe filed for Chapter 11 bankruptcy in March 2025, complicating the litigation. The case shifted to coordination with the U.S. Bankruptcy Court for the Eastern District of Missouri, where the company's plan administration trust managed the settlement fund. The original class action settlement, preliminarily approved by Judge Chen in December 2024, had grown through negotiations to a maximum of $50 million. After accounting for bankruptcy-related reductions, the final distribution approved by the bankruptcy court on July 6 or 7, 2026 totaled $46.75 million for U.S. data breach claimants, with a separate $3.25 million for Canadian class members.
Over 255,860 claims were resolved as of the time of the distribution order, with individual payouts ranging from $50 up to $10,000 for extraordinary harm claims. Final approval of the underlying class action settlement had been granted on January 30, 2026. The settlement represents one of the largest data breach resolutions involving consumer genetic information in U.S. history.
Sources
This account is drawn from contemporaneous public reporting and the court record.
- 1.Bloomberg Law (June 2026) -- confirms CaseyGerry Trial Lawyers as part of US data breach class representation team; reports $46.7 million distribution amount and 255,860-plus resolved claims
- 2.Law360 (July 2026, staffed legal trade press) -- names Casey Gerry among plaintiff firms; reports bankruptcy court approval of $46.7 million settlement on July 7, 2026
- 3.Insurance Journal (June 2026, editorial) -- reports $46.75 million settlement, 6.9 million affected customers, credential-stuffing attack timeline, and insurance funding details