If you were a 23andMe customer between May 1, 2023 and October 1, 2023, and the company notified you that your personal information was compromised in its massive data breach, you likely qualify for a payment from the now-approved $30 million settlement fund. Payments range from around $100 to $165 depending on the type of data exposed and your state of residence, with up to $10,000 available for those who suffered documented out-of-pocket losses like identity fraud or unauthorized charges. The claim deadline is February 17, 2026, and claims must be filed through the official settlement website at 23andmedatasettlement.com. This settlement has had a complicated path to approval. 23andMe filed for bankruptcy in March 2025, its assets were sold to a new entity called TTAM Research Institute, and the company was renamed Chrome Holding Co.
The settlement fund was originally $30 million but a revised proposal of $50 million was put forward during the bankruptcy proceedings. U.S. Bankruptcy Judge Brian C. Walsh granted final approval on January 20, 2026.
Table of Contents
- What Was the 23andMe Data Breach and Who Is Eligible for the Settlement?
- How Much Money Can You Get from the 23andMe Settlement?
- The Bankruptcy Twist and What It Means for Your Claim
- How to File Your 23andMe Settlement Claim Before the Deadline
- Why Genetic Data Breaches Are Different from Typical Data Breaches
- What Happens If You Miss the February 17 Deadline
- The Bigger Picture for Consumer Genetic Privacy
- Frequently Asked Questions
What Was the 23andMe Data Breach and Who Is Eligible for the Settlement?
In October 2023, 23andMe disclosed that hackers had used a technique called credential stuffing to break into approximately 14,000 user accounts. Credential stuffing is not a sophisticated hack — attackers simply took usernames and passwords stolen from other, unrelated data breaches and tried them on 23andMe accounts, banking on the fact that many people reuse their login credentials across multiple services. For those 14,000 directly compromised accounts, the attackers gained access to personal data including names, birth years, and ancestry results. But the real damage came from 23andMe’s DNA Relatives feature. This opt-in tool allowed users to share genetic match data with other users in the system. Because of this interconnected sharing, the breach cascaded far beyond the original 14,000 accounts and exposed personal information on roughly 6.9 million U.S.
Users. An additional 1.4 million DNA Relatives participants had their family tree information exposed. For some users, the compromised data included health-related genetic information, which carries its own set of risks and legal implications. To qualify for the settlement, you must be a U.S. resident who was a 23andMe customer during the May 1 to October 1, 2023 window and who received a notification from the company that your data was compromised. If you deleted your account before the breach but your data was still in the system during that period, you may still be eligible — check whether you received a breach notification email from 23andMe or the settlement administrator, Kroll.
How Much Money Can You Get from the 23andMe Settlement?
The payment structure has several tiers, and the amount you receive depends on what type of data was exposed and where you live. If you were notified that your health or genetic information was specifically compromised in the breach, you can receive up to $165. This is the highest base payment tier and reflects the sensitive nature of health-related genetic data, which cannot be changed like a password or credit card number. Residents of Alaska, California, Illinois, or Oregon qualify for an additional statutory payment estimated at approximately $100 per person. These states have genetic privacy laws that provide extra legal protections for biometric and genetic data, and the settlement accounts for those state-specific claims.
So a California resident whose health data was compromised could potentially receive both the $165 health data payment and the $100 statutory payment. However, if you live outside these four states and your breach notification only referenced non-health personal information like your name and ancestry results, your payment will be lower. For claimants who suffered real financial harm as a direct result of the breach, there is a separate category for extraordinary out-of-pocket losses of up to $10,000 per person. This covers documented, unreimbursed costs such as expenses from identity fraud, tax fraud, purchases of credit monitoring or security services, and even mental health treatment related to the breach. The total pool for these claims is capped at $8.3 million, so if a large number of people file substantial loss claims, individual payouts could be reduced proportionally. You will need receipts, statements, or other documentation to support these claims.
The Bankruptcy Twist and What It Means for Your Claim
The 23andMe settlement did not follow a typical path. On March 23, 2025, the company filed for bankruptcy in the Eastern District of Missouri, raising immediate concerns among claimants about whether the settlement would survive. In many bankruptcy cases, consumer settlements get significantly reduced or eliminated entirely as secured creditors take priority. The fact that this settlement was preserved — and even proposed for an increase to $50 million — is notable. The company’s assets were sold to TTAM Research Institute in a deal that closed on July 14, 2025, and 23andMe was subsequently renamed Chrome Holding Co., also referred to as ChromeCo, Inc. The settlement is now administered by Kroll under the Chrome Holding Co.
Restructuring framework. For claimants, the practical impact is minimal — you still file through 23andmedatasettlement.com, and the approved $30 million fund remains intact. But the bankruptcy context does mean that payment timelines may be slower than a typical class action settlement, as distributions must work through the bankruptcy court’s processes. One important detail: the bankruptcy filing does not change your eligibility or the claim deadline. Judge Walsh’s January 20, 2026 approval order set the terms, and the February 17, 2026 deadline is firm. If you have been waiting to see whether the settlement would actually be approved before filing, that question is now resolved — but you are essentially out of time.
How to File Your 23andMe Settlement Claim Before the Deadline
Filing a claim is done through the official website at 23andmedatasettlement.com. You will need the notice ID or confirmation number from the breach notification you received from 23andMe or Kroll. If you cannot locate your original notification, the settlement website has tools to look up your eligibility using the email address associated with your 23andMe account. The basic claim for a standard payment is straightforward — verify your identity, confirm your eligibility, and select the payment category that applies to you. If you are filing for the state statutory payment in Alaska, California, Illinois, or Oregon, you will need to confirm your state of residence.
For the extraordinary out-of-pocket loss claims up to $10,000, the process is more involved. You must itemize your losses and upload supporting documentation such as bank statements showing fraudulent charges, receipts for credit monitoring services you purchased, or records of mental health treatment sought because of the breach. Claims without documentation will almost certainly be denied or reduced, so gather your records before starting. In addition to cash payments, all eligible claimants receive five years of Privacy and Medical Shield plus Genetic Monitoring services from CyEx at no cost. Given that genetic data cannot be changed — unlike a compromised password or even a Social Security number — this ongoing monitoring component may be the most practically valuable part of the settlement for many claimants. If someone misuses your genetic information years from now, this monitoring is designed to flag that activity.
Why Genetic Data Breaches Are Different from Typical Data Breaches
Most data breach settlements involve compromised emails, passwords, Social Security numbers, or financial account data. These are serious, but they share one common trait: the compromised information can be changed. You can get a new credit card, freeze your credit, change your passwords, and in extreme cases even get a new Social Security number. Genetic data does not work that way. Your DNA is permanent, and once it is exposed, there is no way to reset or replace it.
This is why the settlement includes a separate, higher payment tier for users whose health-related genetic information was compromised, and why states like Illinois — which has one of the country’s strictest biometric privacy laws, the Biometric Information Privacy Act — provide additional statutory protections. The long-term risks of genetic data exposure are still not fully understood. Potential concerns include discrimination by insurers or employers based on genetic predispositions, targeted scams using detailed ancestry information, and misuse of family relationship data that could affect not just the account holder but their relatives who never signed up for 23andMe at all. One limitation to be aware of: the settlement’s monitoring services cover certain types of misuse, but they cannot prevent all forms of genetic data exploitation. If a bad actor uses your ancestry information for social engineering or targets a family member identified through the DNA Relatives feature, that may not trigger a monitoring alert. The settlement provides a financial remedy and monitoring tools, but it does not and cannot undo the exposure itself.
What Happens If You Miss the February 17 Deadline
If you miss the claim deadline, you forfeit your right to a cash payment from the settlement fund. There is no extension mechanism built into the court’s approval order, and given that the settlement is being administered through bankruptcy proceedings, the likelihood of the court granting individual late-filing exceptions is extremely low. Bankruptcy courts operate on strict timelines because distributions must be coordinated across multiple creditor classes.
However, missing the cash payment deadline does not necessarily mean you lose all recourse. You should still check whether you are eligible for the free monitoring services, as enrollment windows for those benefits sometimes extend beyond the cash claim deadline. Contact the settlement administrator through 23andmedatasettlement.com or the Kroll restructuring portal for the most current information on monitoring enrollment.
The Bigger Picture for Consumer Genetic Privacy
The 23andMe breach and subsequent bankruptcy have become a watershed moment for the consumer genetics industry. The fact that a single credential stuffing attack — one of the most preventable forms of cyberattack — could cascade through a DNA sharing feature to expose nearly 7 million users’ genetic data has prompted renewed legislative interest in genetic privacy protections at both the state and federal level.
For consumers who use or are considering genetic testing services, this case is a stark reminder to use unique passwords for every service, enable two-factor authentication wherever it is offered, and carefully evaluate what data-sharing features you opt into. The DNA Relatives feature that amplified this breach was optional, and many users who were affected were exposed not because their own accounts were compromised, but because someone they were genetically matched with had poor password hygiene. Going forward, expect tighter regulatory scrutiny of how genetic testing companies store, share, and protect consumer data — and more settlements like this one when they fail.
Frequently Asked Questions
How do I know if I qualify for the 23andMe data breach settlement?
You qualify if you were a U.S. resident who was a 23andMe customer between May 1, 2023 and October 1, 2023, and you received a breach notification from the company. If you are unsure whether you received one, check the email associated with your 23andMe account or use the lookup tool on 23andmedatasettlement.com.
What is the deadline to file a claim?
The claim deadline is February 17, 2026. Claims must be submitted through the official settlement website at 23andmedatasettlement.com before that date.
How much will I receive from the settlement?
It depends on your situation. If your health or genetic data was compromised, you can receive up to $165. Residents of Alaska, California, Illinois, or Oregon may receive an additional estimated $100 in statutory payments. If you suffered documented out-of-pocket losses from identity fraud or related harms, you can claim up to $10,000.
Does 23andMe’s bankruptcy affect my settlement payment?
The settlement was approved by the bankruptcy court on January 20, 2026, so it will be paid out. However, payments may take longer than a typical class action settlement because they must be processed through the bankruptcy court’s distribution procedures.
What kind of monitoring is included in the settlement?
All eligible claimants receive five years of Privacy and Medical Shield plus Genetic Monitoring from CyEx at no charge. This service monitors for potential misuse of your genetic and personal information.
I was not a direct breach victim but my data was exposed through the DNA Relatives feature. Do I still qualify?
Yes. The settlement covers all users whose data was compromised, including the millions of users whose information was exposed through the DNA Relatives feature, not just the approximately 14,000 accounts that were directly accessed by the attackers.