23andMe Data Breach Class Action MDL 3098: $30M Settlement, Bankruptcy & Claims 2026

Daylongs · 10 min read

Your DNA Was Sold on a Hacker Forum: The 23andMe Breach in Perspective

Most data breaches involve financial credentials — account numbers, passwords, credit card data that can be changed or monitored. The 23andMe breach of October 2023 was categorically different. What the attacker known as “Golem” accessed and sold was genetic ancestry data, health predisposition information, and — most disturbingly — curated lists specifically identifying users by their ethnic and religious heritage.

For approximately 1 million Ashkenazi Jewish users and approximately 100,000 users identified as ethnically Chinese, this was not a generic privacy violation. It was a targeted compilation of individuals defined by biological heritage — a data set with profound potential for misuse.

The legal fallout was swift. MDL 3098 consolidated cases before Judge Edward M. Chen in the Northern District of California. A $30 million settlement was negotiated, announced in September 2024, and received final court approval on January 30, 2026. Then, on March 26, 2025, 23andMe filed for Chapter 11 bankruptcy protection — triggering an automatic stay that suspended the MDL and sent settlement claims to the bankruptcy court in Missouri.

This guide walks through the breach, the litigation, the bankruptcy complexity, and what affected users need to do now.

This article is for informational purposes only and does not constitute legal advice.


MDL 3098: Case Structure and Timeline

MDL 3098 at a Glance:

| Field | Detail |
| --- | --- |
| Full case name | In re: 23andMe, Inc., Customer Data Security Breach Litigation |
| Case number | 3:24-md-03098-EMC |
| Court | U.S. District Court, Northern District of California (N.D. Cal.) |
| Presiding judge | Hon. Edward M. Chen |
| Settlement amount | $30 million non-reversionary fund |
| Final approval granted | January 30, 2026 |
| Bankruptcy stay effective | March 26, 2025 |
| Bankruptcy court | Eastern District of Missouri (E.D. Mo.) |

Verified event timeline:

| Date | Event |
| --- | --- |
| October 1, 2023 | Initial forum post by hacker “Golem” with stolen data |
| October 6, 2023 | 23andMe official breach disclosure |
| 2024 | MDL 3098 established in N.D. Cal. |
| September 2024 | $30 million settlement announced |
| January 2024 | Separate class action filed over ethnicity-curated lists |
| January 30, 2026 | MDL 3098 settlement final approval |
| March 26, 2025 | 23andMe Chapter 11 bankruptcy — automatic stay triggered |

How the Attack Worked: Credential Stuffing

Understanding the attack method matters for the legal case — it determines what security failures 23andMe is alleged to have committed.

Credential stuffing: attackers obtain databases of username/password combinations leaked from other breached websites (such as LinkedIn, Adobe, or smaller services) and use automated tools to test those credentials against a target website. Users who reuse passwords across multiple sites are vulnerable even if the target site’s own security is intact.

23andMe’s initial public position was that its own systems were not “hacked” — rather, users with compromised credentials on other platforms were the point of entry. Critics and plaintiffs’ attorneys responded that this framing missed the point: 23andMe failed to implement security controls that would have prevented or detected credential stuffing at scale, such as mandatory multi-factor authentication (MFA), anomaly detection, and rate limiting on login attempts.

The DNA Relatives amplification effect:

Even if only a small number of accounts were directly accessed via credential stuffing, 23andMe’s “DNA Relatives” feature allowed attackers to view the profiles of relatives who had enabled profile sharing. This design characteristic transformed what might have been a limited breach into one affecting approximately 6.9 million users — roughly half of 23andMe’s total user base at the time.

Key legal questions the plaintiffs pressed:

  1. Should 23andMe have mandated MFA given the sensitive nature of genetic data?
  2. Was the DNA Relatives feature’s privacy architecture designed with adequate security?
  3. How quickly did 23andMe detect the breach, and was notification sufficiently prompt?

The Data That Was Exposed

| Category | Description | Potential Harm |
| --- | --- | --- |
| Genetic ancestry | Geographic and ethnic origin data | Discrimination, targeted fraud |
| Health predispositions | Disease risk data (opt-in users) | Insurance discrimination, stigma |
| Family relationships | DNA Relatives connections | Unwanted disclosure of family links |
| Name and email | Basic identity data | Phishing, identity theft |
| Birth year | Partial date of birth | Account takeover assistance |
| Location | Approximate residential data | Physical targeting |

The ethnicity-curated lists:

The hacker specifically compiled and sold:

  • A list of approximately 1 million users identified as Ashkenazi Jewish
  • A list of approximately 100,000 users identified as ethnically Chinese

These curated compilations were separately advertised and priced on criminal forums. This represents a qualitatively different harm — ethnicity targeting using genetic data — from general personal information theft. A January 2024 class action specifically addresses this targeted aspect of the breach.


The $30 Million Settlement: What It Covers

Fund structure: Non-reversionary means unclaimed funds do not revert to 23andMe — they must be distributed to class members or cy pres recipients (charitable organizations serving privacy or genetic research interests).

Eligibility for settlement claims:

  • U.S. users whose personal data was included in the October 2023 breach
  • Approximately 6.4 million U.S. natural persons per settlement documentation

Recovery structure: The settlement provides base compensation for documented harm, with enhanced awards for:

  • Users whose health predisposition data was among the exposed information
  • Users on the targeted ethnicity-curated lists (enhanced damages for heightened privacy violation)
  • Users who can document actual identity theft or other concrete harm following the breach

Practical recovery amount: The fund divided among millions of claimants means individual base recoveries will be modest. The bankruptcy complicates distribution further. Even modest settlement participation is worthwhile, as it costs claimants minimal time and preserves rights.


The Bankruptcy: 11 U.S.C. § 362 and What It Means for You

23andMe filed for Chapter 11 bankruptcy on March 26, 2025. This triggered the automatic stay under 11 U.S.C. § 362, which immediately halted all pending civil proceedings against the debtor.

Practical effect on MDL 3098:

  • All MDL 3098 proceedings suspended
  • No new lawsuits can be filed against 23andMe in civil courts
  • Distribution of the $30 million settlement fund is now subject to bankruptcy court oversight in E.D. Missouri

What affected users must do:

To participate in any recovery — whether through the MDL settlement or the bankruptcy’s reorganization plan — you must file a proof of claim with the bankruptcy court. The bankruptcy court will establish a claims bar date (deadline). Missing this deadline typically means permanent exclusion from any recovery.

The genetic data sale question:

In Chapter 11 bankruptcy, a company’s assets may be sold to satisfy creditors. 23andMe’s genomic database — containing DNA data from millions of users — is a significant asset. Bankruptcy courts have addressed genetic data sales carefully in prior cases, and it is expected that any acquirer will be subject to privacy-protective conditions. Users who have requested data deletion before any sale are in a stronger position to object to data transfer.


Negligence (failure to maintain adequate security): 23andMe had a duty to protect the sensitive genetic data of its users. The failure to require MFA, the insufficient anomaly detection, and the delayed disclosure allegedly constitute breach of that duty.

Breach of implied contract: 23andMe’s terms of service and privacy policy represented to users that their genetic data would be protected. The breach violated those representations.

State data protection law violations: California’s Confidentiality of Medical Information Act (CMIA) may apply to health predisposition data. The California Consumer Privacy Act (CCPA) provides rights over personal data collected from California residents. Multiple states have analogous laws.

Negligence per se: Violations of FTC Act Section 5 (unfair or deceptive practices) and applicable state consumer protection laws can establish negligence per se in some jurisdictions.

Specific to the ethnicity-curated list claim: The separate January 2024 class action asserts additional theories, including discrimination-enabling breach and potential civil rights implications of compiling and commercializing data by ethnic/religious identity.


Statute of Limitations and Bankruptcy Interaction

State SOL for data breach claims (reference — verify with attorney):

| State | Data Breach / Privacy SOL | Discovery Rule |
| --- | --- | --- |
| California | 2 years (CMIA); 3 years (general negligence) | Yes |
| New York | 3 years | Yes |
| Texas | 2 years | Yes |
| Florida | 4 years (consumer protection) | Yes |
| Illinois | 2 years | Yes |

The MDL settlement final approval (January 30, 2026) and the bankruptcy automatic stay (March 26, 2025) create an unusual procedural posture. Claimants who have not filed a claim should consult an attorney immediately to understand whether they need to file in the MDL settlement process, the bankruptcy claims process, or both.


Protecting Yourself: Steps Beyond Litigation

Request data deletion from 23andMe:

  1. Log in to your 23andMe account
  2. Navigate to Settings → 23andMe Data → Request Deletion of Your 23andMe Data
  3. Confirm the deletion request and save the confirmation email

Monitor for identity theft:

  • Place a credit freeze at all three bureaus (Equifax, Experian, TransUnion) — free by law
  • Review your credit report at annualcreditreport.com for unfamiliar accounts
  • Consider identity theft protection services that monitor genetic data misuse

Watch for phishing: Attackers who obtained your email from the breach may attempt targeted phishing. Be suspicious of emails referencing your genetic data, health information, or ancestry.


Patient Scenario: A Korean American 23andMe User

The situation: A 38-year-old Korean American woman in California used 23andMe in 2021 to explore her ancestry and check for health predispositions (she had opted into health reports). She received a breach notification from 23andMe in October 2023.

Her exposure: Her data was potentially accessible through a connected family member whose account was directly compromised. Her health predisposition data — including BRCA marker information — may have been among the exposed files.

Her concerns and legal options:

  • California’s CMIA may provide heightened protection for health-related genetic data
  • As a Korean American, her data is not in the targeted Ashkenazi Jewish or Chinese-ethnicity lists, but her health predisposition data exposure independently supports a claim
  • California’s 2-year CMIA SOL runs from the date she knew or should have known of the breach — October 6, 2023 is the public notice date
  • She should file in the MDL settlement process and, given the bankruptcy, also file a proof of claim in E.D. Missouri bankruptcy court
  • She should immediately request deletion of her genetic data from 23andMe

This scenario shows that users outside the specifically curated ethnic lists still have viable claims based on health predisposition data exposure.


What to Do Right Now

  1. Locate your breach notification email. 23andMe sent direct notification to affected users. Preserve this.

  2. Visit the official settlement website. Check 23andmedatasettlement.com for current claim-filing instructions given the bankruptcy.

  3. File a proof of claim in the bankruptcy. An attorney can help you file with the E.D. Missouri bankruptcy court before the claims bar date. Do not miss this deadline.

  4. Request data deletion from 23andMe. Act before any bankruptcy asset sale.

  5. Freeze your credit. Free and effective protection against identity theft using your exposed personal data.

  6. Consult an attorney. Mass tort and data privacy attorneys can evaluate your specific situation, especially if you are among the ethnicity-curated list victims.



This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your situation. Laws vary by state. Information current as of May 2026; the bankruptcy is ongoing and circumstances may change.

What happened in the 23andMe data breach?

Beginning around October 1, 2023, attackers used credential stuffing — automated testing of username/password combinations leaked from other websites — to log in to 23andMe user accounts, and the breach ultimately affected approximately 6.9 million users. 23andMe publicly disclosed the breach on October 6, 2023. Through 23andMe's 'DNA Relatives' feature, attackers accessed profile data of connected users who had not themselves been directly compromised.

What data was exposed?

Exposed data included genetic ancestry information, health predisposition data (for users who had opted in to health reports), names, email addresses, birth years, and location data. The hacker known as 'Golem' curated and sold targeted lists: approximately 1 million Ashkenazi Jewish users and approximately 100,000 users of Chinese ethnicity were specifically identified and sold separately.

What is MDL 3098?

MDL 3098 is formally 'In re: 23andMe, Inc., Customer Data Security Breach Litigation,' Case No. 3:24-md-03098-EMC, pending in the Northern District of California before Judge Edward M. Chen.

What is the settlement amount?

A $30 million non-reversionary settlement fund was announced in September 2024. Final approval was granted on January 30, 2026. The settlement was being processed before 23andMe's Chapter 11 bankruptcy filing disrupted the proceedings.

23andMe filed for bankruptcy — what happens to my settlement claim?

On March 26, 2025, 23andMe filed for Chapter 11 bankruptcy protection. Under 11 U.S.C. § 362, the automatic stay immediately suspended MDL 3098 proceedings. Settlement claims are now being processed through the bankruptcy court in the Eastern District of Missouri. Claimants must file a proof of claim in the bankruptcy proceeding to preserve recovery rights. Missing the bankruptcy claims bar date may eliminate your right to compensation.

Do I have to have been directly hacked to qualify?

Not necessarily. Many affected users had their data accessed through the 'DNA Relatives' feature — meaning a connected user's direct credential compromise led to exposure of their profile. If your 23andMe data was included in what was exposed, you may qualify regardless of whether your own login was directly used.

Why is genetic data especially sensitive?

Unlike a password, your DNA cannot be changed. Genetic data reveals disease predispositions, ancestral background, and familial relationships. The Genetic Information Nondiscrimination Act (GINA) prohibits discrimination in health insurance and employment based on genetic information, but does not cover life insurance, disability insurance, or long-term care insurance. Curated lists targeting specific ethnic groups create unique risks of discrimination, targeted fraud, and physical harm.

What was the separate January 2024 lawsuit about?

In January 2024, a separate class action was filed specifically targeting the curated sale of ethnicity-sorted user lists — the approximately 1 million Ashkenazi Jewish and approximately 100,000 Chinese-ethnicity datasets that were selectively marketed by the hacker. This suit focuses on the heightened harm of ethnicity-targeted breaches versus general credential theft.

How can I delete my genetic data from 23andMe?

You can request deletion from within your 23andMe account: go to Settings → 23andMe Data → Request Deletion of Your 23andMe Data. In the bankruptcy context, deleting your data before any sale may strengthen your position if 23andMe's genetic database is acquired by a third party.

What is the bankruptcy automatic stay under 11 U.S.C. § 362?

When a debtor files for Chapter 11 bankruptcy, an automatic stay immediately halts all civil litigation, collections, and enforcement actions against the debtor. 11 U.S.C. § 362 codifies this. For 23andMe claimants, it means you cannot currently sue the company in the MDL or any other court — you must participate in the bankruptcy process to assert your rights.

How much will each claimant receive?

The $30 million fund divided among approximately 6.4 million eligible U.S. claimants means per-person recovery will be modest absent a very low claims rate. The bankruptcy complicates distribution further. Per-plaintiff projections are speculative at this stage — do not let low per-person estimates deter you from filing, as the claims process requires minimal effort and preserves your legal position.

What is the official settlement website?

23andmedatasettlement.com was the official settlement administrator website. Given the bankruptcy, check this site and PACER (using Case No. 3:24-md-03098-EMC) for current instructions.
