23andMe disclosed the data breach last October but did not confirm the full impact until December. Customers who used the DNA Relatives feature may have had information such as names, birth years, and ancestry information exposed by the leak. At the time, 23andMe attributed the hack to credential stuffing, a tactic in which attackers use recycled login information exposed in previous security breaches to log into accounts.
The breach dealt a heavy blow to the already troubled company. As 23andMe’s stock price continued to fall, 23andMe CEO Anne Wojcicki attempted to take the company private earlier this year, but a special committee rejected the proposal last month. The settlement cited concerns about the company’s finances and said “any litigation judgment that significantly exceeds the settlement agreement may be irrecoverable.” In a statement, 23andMe spokesperson Katie Watson said the company expects cyber insurance to pay out $25 million of the settlement:
We have entered into a settlement agreement totaling $30 million in cash to resolve all U.S. claims related to the 2023 credential stuffing security incident. Lawyers for the plaintiffs have filed a motion with the court seeking preliminary approval of the settlement. Cyber insurance is expected to cover approximately $25 million in settlement costs and related legal fees. We continue to believe this settlement is in the best interest of 23andMe customers and we look forward to finalizing the agreement.
The proposed settlement still needs to be approved by a judge.