23andMe announced the data breach last October, but it didn’t confirm the overall impact until December. Customers using the DNA Relatives feature may have had information such as names, birth years, and ancestry information exposed through the breach. At the time, 23andMe linked the hack to credential stuffing, a tactic that involves logging into accounts using recycled logins that have been exposed in previous security breaches.
The breach dealt a major blow to the already struggling company. As 23andMe’s stock price continues to soar, 23andMe CEO Anne Wojcicki tried to take the company private earlier this year, but a special committee rejected the offer last month. The settlement cited concerns surrounding the company’s finances, saying, “Any litigated judgment greater than the Settlement is unlikely to be collected.” In a statement to The Verge, 23andMe spokeswoman Katie Watson said the company expects cyber insurance to cover $25 million of the settlement:
“We have entered into a settlement agreement for an aggregate cash payment of $30 million to settle all claims in the US related to the credential stuffing security incident in 2023. Counsel for the plaintiffs filed a motion for the court’s preliminary approval of this settlement agreement. About $25 million of the settlement and related legal costs are expected to be covered by cyber insurance coverage. We continue to believe that this settlement is in the best interests of 23andMe’s customers, and we look forward to finalizing the settlement.”
The proposed settlement still needs approval from the judge.