23andMe, now Chrome Holding Co., agreed to pay $18 million to settle claims from 43 attorneys general after a 2023 breach exposed the genetic data of 6.9 million customers. The settlement follows findings that the company lacked basic protections like multifactor authentication and failed to respond to suspicious logins and known vulnerabilities, while later legal actions and bankruptcy proceedings continued to shape the case. #23andMe #LetitiaJames #TTAMResearchInstitute #ICO
Keypoints
- 23andMe agreed to an $18 million settlement with 43 state attorneys general.
- The 2023 breach exposed genetic data from 6.9 million customers.
- Attackers used credential stuffing and stole data over a five-month period.
- Investigators found missing safeguards like MFA, password blocklisting, and rate limiting.
- The case led to lawsuits, regulatory fines, and new security requirements during bankruptcy and acquisition proceedings.