The primary deadline to file a claim in the 23andMe data breach settlement was February 17, 2026. If you missed that date, you may still have one more window: class members who first received notice on January 5, 2026 have until March 1, 2026 to submit their claim. The settlement covers approximately 6.4 million U.S.
Residents whose personal information was exposed in a 2023 credential stuffing cyberattack, and the total fund is $30 million. Depending on what kind of data was exposed and where you live, eligible claimants could receive anywhere from free credit monitoring services to up to $10,000 in reimbursement for documented losses. Even if the February 17 deadline has passed for most claimants, understanding the full picture of this settlement helps you assess whether the March 1 extension applies to you and what comes next.
Table of Contents
- What Was the 23andMe Data Breach and Who Does the Settlement Cover?
- How Much Could You Receive — and What Are the Compensation Tiers?
- The Free Monitoring Option — Available to All Affected Members
- Filing Your Claim — Steps and What to Have Ready
- Payment Timing — Why You Should Expect a Long Wait
- The Bankruptcy Complication and What It Means for the Settlement Fund
- What Comes Next and How This Settlement Fits the Broader Landscape
- Frequently Asked Questions
What Was the 23andMe Data Breach and Who Does the Settlement Cover?
On October 6, 2023, 23andme publicly disclosed that it had suffered a cyberattack. The method was credential stuffing — attackers used username and password combinations stolen from unrelated data breaches on other websites to gain access to 23andMe accounts where users had reused those credentials. This is a common and particularly damaging attack vector because it requires no sophisticated hacking of 23andMe’s systems directly; it exploits users’ own password reuse habits. The breach affected approximately 6.4 million U.S. residents. For most victims, the exposure included profile data such as names, birth years, and ancestry percentages.
However, a subset of those affected had something far more sensitive compromised: health and genetic information. If 23andMe sent you a direct notification stating that your health data was involved, you fall into a higher-priority compensation tier. Contrast that with someone whose account was accessed but whose data exposure was limited to display names and broad geographic ancestry — both are covered by the settlement, but the compensation amounts differ substantially. A separate settlement was also approved for Canadian residents, handled through its own process. This article focuses exclusively on the U.S. settlement administered through 23andMeDataSettlement.com.
How Much Could You Receive — and What Are the Compensation Tiers?
The settlement establishes several distinct compensation tiers based on the type of harm suffered and the state you live in. At the top end, claimants with documented extraordinary losses — meaning actual out-of-pocket expenses caused by the breach — can seek reimbursement of up to $10,000. These are cases where someone experienced identity theft, paid for fraud remediation services, lost wages because of time spent dealing with the breach, or incurred costs for counseling related to the exposure of sensitive genetic information. This tier requires receipts and supporting documentation. Filing a $10,000 claim without paperwork will not result in a $10,000 payout.
One tier down, if 23andMe specifically notified you that your health or genetic information was compromised, you may be eligible for a cash payment of approximately $165. The “approximately” qualifier is intentional: the actual payment amount depends on how many valid claims are submitted in this category and how the $30 million fund is allocated after fees and administrative costs. If the extraordinary loss claims are high and the fund is stretched, the per-person cash amounts for lower tiers could decrease. For residents of Alaska, California, Illinois, or Oregon, a statutory claim of roughly $100 is available with no documentation required — just proof of residence in one of those states at the time of the breach. This option exists because those states have data privacy laws that create automatic statutory damages, meaning residents don’t need to show actual harm to recover something. If you live in any other state, you cannot access this tier, regardless of how serious your concerns are about the breach.
The Free Monitoring Option — Available to All Affected Members
Every class member who did not opt out of the settlement is eligible for five years of Privacy & Medical Shield plus genetic monitoring services through a company called Cyberscout. The stated retail value of this package is approximately $1,875 over the five-year term. For many people whose exposure was limited to basic profile data and who have no documented financial losses from the breach, this may be the most accessible and straightforward benefit available. The practical value of genetic monitoring is worth understanding.
Unlike standard credit monitoring, which tracks new lines of credit opened in your name, genetic monitoring is designed to watch for misuse of DNA and health profile data on platforms, dark web marketplaces, and other venues where such information might surface. Given that 23andMe’s breach exposed information that could be used to discriminate in insurance or employment contexts — scenarios that standard credit monitoring would never catch — this type of monitoring is more tailored to the actual risk profile of this particular breach. To be clear, claiming the monitoring service does not prevent you from also filing for a cash payment if you qualify for one. These benefits are not mutually exclusive. However, you do need to file a claim to receive the monitoring — it is not automatically applied to affected accounts.
Filing Your Claim — Steps and What to Have Ready
All claims must be submitted through the official settlement website at 23andMeDataSettlement.com. The site allows both online filing and submission by mail. Online claims must be submitted by the applicable deadline; paper claims must be postmarked by the deadline. For most class members, that deadline was February 17, 2026 at 11:59 p.m. Central Time. As of today, February 21, 2026, that date has passed. If you received your first notice of the settlement on January 5, 2026, you may still be within the extended March 1, 2026 deadline — check the notice you received for clarification. When filing, you will need your Claim ID and PIN from the notice you received, or you can look up your eligibility on the settlement site using your email address.
The type of claim you select determines what additional information you need to provide. For the free monitoring service, very little documentation is required. For cash claims at the statutory level, you will need to confirm your state of residence. For extraordinary loss claims, gather everything: credit card statements, receipts for fraud resolution services, any police reports filed, documentation of time lost from work, and any medical or counseling bills tied specifically to distress from the genetic data exposure. A practical warning: do not overstate your losses or submit fabricated documentation. Settlement claims are reviewed, and fraudulent submissions can result in disqualification and, in serious cases, legal consequences. If your documented losses are legitimately $600, file for $600 with real receipts — do not pad the claim hoping the administrator won’t notice. The administrators have seen every variation of claim abuse and have processes to flag outliers.
Payment Timing — Why You Should Expect a Long Wait
The settlement administrator has been explicit on this point: payments will not be distributed until bankruptcy reconciliation and appeals are fully resolved, and that process “is likely to take considerable time.” This is not boilerplate hedging — it reflects a genuine and complicated legal situation. 23andMe filed for Chapter 11 bankruptcy on March 23, 2025. During its bankruptcy proceedings, the company was sold to TTAM Research Institute, an entity led by former CEO Anne Wojcicki, and subsequently rebranded as ChromeCo, Inc. as of July 14, 2025. Bankruptcy sales and reorganizations layer on legal complexity that can extend settlement timelines significantly.
Creditors, the bankruptcy court, and the class action settlement process all have to coordinate before funds are disbursed. In practical terms, claimants should not plan around receiving a payment in 2026. It may be 2027 or later before any cash reaches class members. This timeline reality matters for how you think about your options. If you have urgent financial needs tied to the breach — identity theft remediation costs, for example — waiting for this settlement is not a substitute for taking immediate protective steps on your own, such as placing credit freezes, disputing fraudulent accounts, or working directly with financial institutions.
The Bankruptcy Complication and What It Means for the Settlement Fund
The $30 million figure cited across most reporting represents the size of the settlement fund agreed to before and alongside the bankruptcy proceedings. Some early reports cited a figure as high as $50 million depending on the ultimate volume and nature of claims filed, though $30 million is the figure consistently referenced in court documents and official settlement communications. In a Chapter 11 bankruptcy, the settlement fund is treated as a liability of the estate, which means its distribution is subject to the bankruptcy court’s oversight and approval processes.
The court must confirm that the class action settlement does not unfairly disadvantage other creditors. This is why the settlement administrator cannot simply issue checks after the claim filing deadline closes — the legal architecture around the company’s insolvency has to fully play out first. For reference, high-profile data breach settlements in bankruptcy contexts have in some cases taken two to three years post-filing before claimants saw payments.
What Comes Next and How This Settlement Fits the Broader Landscape
The 23andMe settlement is notable for involving genetic and health data — a category of personal information that raises distinct concerns beyond the typical credit monitoring response. As genetic testing services grow in popularity and data brokers accumulate ever more sensitive personal profiles, this case signals that courts and regulators are beginning to assign meaningful dollar values to the exposure of biological and medical information, not just financial records. For consumers, the practical lesson extends beyond this one settlement.
The credential stuffing method that enabled the 23andMe breach remains one of the most common attack vectors across all digital platforms. Using unique passwords for each account and enabling two-factor authentication are the most direct defenses. If you have accounts at other genetic testing platforms — Ancestry, MyHeritage, AncestryDNA — reviewing your security settings there is a reasonable step regardless of whether you were affected by this particular breach.
Frequently Asked Questions
The February 17 deadline passed — can I still file?
Possibly. If you received your first notice of the settlement on January 5, 2026, an extended deadline of March 1, 2026 applies to you. Check the notice you received for your specific deadline, or contact the settlement administrator through 23andMeDataSettlement.com.
How do I know if my health or genetic data was specifically compromised?
23andMe sent direct notifications to users whose health or genetic information was exposed, separate from the general breach announcement. If you received such a notification, you qualify for the higher ~$165 health information tier. If you are unsure, log in to your 23andMe account (or former account) and review any notifications, or check the settlement website using your email address.
I live in Texas — can I still get a cash payment?
Not through the statutory tier, which is limited to residents of Alaska, California, Illinois, and Oregon. However, if you have documented out-of-pocket losses from the breach, you can still file an extraordinary loss claim for reimbursement up to $10,000 regardless of which state you live in.
Will 23andMe still exist when payments are distributed?
The company underwent bankruptcy and was sold, then rebranded as ChromeCo, Inc. as of July 14, 2025. The settlement fund is administered separately through the bankruptcy court process, so the company’s rebrand does not eliminate the settlement — but the bankruptcy complicates and extends the timeline for distribution.
Is the free monitoring worth claiming even if I don’t want a cash payment?
Yes, if you were affected by the breach. Five years of Privacy & Medical Shield plus genetic monitoring through Cyberscout, valued at approximately $1,875, is available at no cost to eligible class members. Given the nature of what was exposed — including genetic and health data — this type of specialized monitoring is more relevant than standard credit monitoring for this particular breach.
What if I opted out of the settlement?
If you opted out, you are not bound by the settlement and retain the right to sue 23andMe (now ChromeCo) individually. However, pursuing individual litigation against a company in bankruptcy is a complex undertaking with uncertain recovery prospects, and you would not be eligible for any of the settlement benefits described here.
Check the 23andMe settlement deadline on OpenClassActions.com.