A coalition of 43 U.S. state attorneys general announced on July 16, 2026 that 23andMe — now operating as Chrome Holding Co. following its March 2025 bankruptcy and acquisition — agreed to pay $18 million to settle a multistate investigation into how the company handled the genetic data breach that exposed information on 6.9 million customers.
The $18M Settlement: Third Major Legal Outcome for the Same Breach
The multistate AG settlement is the third distinct major legal action to reach a financial outcome from a single breach event. A class action settlement with affected customers totaled $30 million. The UK Information Commissioner’s Office imposed a £2.31 million fine. The July 16, 2026 multistate AG settlement adds $18 million — bringing confirmed total legal liability from three separate enforcement actions to more than $50 million in U.S. dollar equivalent.
Investigators found that Chrome Holding Co. “lacked basic safeguards against credential-based cyberattacks, such as password blocklisting or multifactor authentication” at the time of the breach, and failed to address suspicious login activity or known vulnerabilities that contributed to the breach’s scale.
How Attackers Used the DNA Relatives Feature to Amplify a Credential-Stuffing Campaign
Between April and September 2023, attackers conducted credential-stuffing attacks against 23andMe user accounts, using previously compromised credentials from other breaches to access accounts whose owners had reused passwords. Once inside individual accounts, attackers exploited the company’s DNA Relatives feature, which allows users to share genetic ancestry information with matched biological relatives.
By accessing accounts that had opted into DNA Relatives, attackers aggregated genetic and ancestry data across a far larger population than the accounts they directly compromised. The final scope of the breach reached 6.9 million customers — among the largest genetic data breaches on record. Stolen data was subsequently offered for sale on hacking forums. The use of a social-sharing feature designed to connect relatives as an amplification mechanism distinguished the incident from a standard account compromise: one opted-in account provided a pathway to data from that account’s biological relatives without requiring direct compromise of those relatives’ accounts.
Liability Follows Data Through Bankruptcy: The Chrome Holding Co. Precedent
The settlement targets Chrome Holding Co. — the entity that acquired 23andMe’s assets through the March 2025 bankruptcy proceeding — rather than the pre-bankruptcy 23andMe corporation. This establishes a documented precedent that data breach liability follows acquired data assets through corporate restructuring.
For acquirers in future distressed-company transactions involving large consumer data repositories, the Chrome Holding Co. settlement signals that purchasing data assets from a bankrupt entity does not extinguish pre-existing liability for how those assets were handled prior to acquisition. The inherited liability obligation attaches to the data — including 23andMe’s genetic records for approximately 15 million customers — rather than terminating with the dissolved predecessor corporation.
The Multi-Year, Multi-Jurisdiction Enforcement Trajectory for Large Breach Events
The 23andMe penalty trajectory illustrates the compounding enforcement exposure that can follow a major consumer data breach across jurisdictions and legal theories simultaneously. Each enforcement action — state AG coalition, class action tort, foreign data protection authority — proceeds on its own timeline under its own legal authority, producing sequential financial consequences across multiple years rather than a single resolved outcome.
The AGs’ finding that Chrome Holding Co. lacked basic credential attack safeguards — specifically password blocklisting and multifactor authentication — mirrors a pattern in data protection enforcement where the absence of widely available baseline controls functions as an aggravating factor rather than simple negligence. Enforcers at the state level have increasingly applied consumer protection statutes to data security failures, treating the absence of standard credential-attack defenses as a violation of consumer protection standards rather than merely a cybersecurity shortcoming.
Genetic data carries heightened sensitivity because DNA records are immutable — unlike passwords or credit card numbers, which can be reset or reissued, genetic information cannot be changed after exposure. The 23andMe breach exposed data that identifies not only the individual customer who purchased the test but also their biological relatives who never purchased any product or consented to share their genetic information. Three major legal consequences for a single breach, reaching their third financial outcome years after the incident, reflect the sustained enforcement tail that attaches to breaches of irreplaceable, inherently identifying personal data.