There's just one week left to claim part of 23andMe’s $30 million data breach settlement

If you ever submitted a swab to 23andMe, you could be eligible for part of a $30 million class-action settlement. But the deadline to file a claim is almost here.

In early October 2023, hackers accessed data belonging to close to 7 million 23andMe users — about half of the genetic testing company's customer base at the time — including names, addresses, and genetic data. The information was later posted for sale on the dark web.

In a class-action suit, plaintiffs accused 23andMe of negligence and breach of an implied contract, among other charges, for failing to protect their data or promptly notify users about the attack. 

The company denied any wrongdoing but, in a statement, said it believed settling "[was] in the best interest of 23andMe customers." (23andMe did not respond to requests for further comment.)

The deal received final approval last month and the deadline to submit a claim is Feb. 17, 2026.

Find out if you were impacted by the 23andMe data breach, whether you are eligible for compensation and how to protect yourself from identity theft. 

23andMe.com was the target of a cyberattack on Oct. 3, 2023. Initially, only a relatively small number of profiles were compromised, as the hackers used credential stuffing, a tactic that involves using stolen usernames and passwords from one website to try to access another site.

"Usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available, " the company wrote in a blog post.

Once in the system, however, they took advantage of the site's DNA Relatives feature, which helps users connect with distant genetic matches, to access approximately 6.9 million accounts. The DNA Relatives tool shares information such as display names, predicted relationships and percentage of DNA shared with a match.

After the attack, 23andMe added two-step verification and required all users to change their passwords. It also temporarily disabled some features in the DNA Relatives tool, "as an additional precaution to protect the privacy of our customers."

23andMe filed for Chapter 11 bankruptcy in March 2025. Four months later, the TTAM Research Institute, a nonprofit led by 23andMe co-founder Anne Wojcicki, announced it had completed its purchase of company assets, including customer data.

While Chapter 11 proceedings are still ongoing, the class-action settlement received final approval from the U.S. Bankruptcy Court for the Eastern District of Missouri on Jan. 20.

According to the settlement website, any U.S. resident who was a 23andMe customer between May 1, 2023, and Oct. 1, 2023, can be considered a class member.

Eligible users should have received notice from 23andMe that their personal information was compromised. If you're not sure whether you qualify, however, you can use the online contact form, email Kroll Settlement Administration at info@23andMeDataSettlement.com and call 833-621-5792. 

To file a claim electronically, you can use this online portal or print out a copy of the claim form and mail it to:

First-Class Mail
23andMe Holding Co. Claims Processing Center
c/o Kroll Restructuring Administration LLC
Grand Central Station, PO Box 4850
New York, NY 10163-4850

Overnighting or hand delivering
23andMe Holding Co. Claims Processing Center
c/o Kroll Restructuring Administration LLC
850 3rd Avenue, Suite 412
Brooklyn, NY 11232

The deadline to submit a claim is Feb. 17, 2026. The deadline to object to or opt out of the settlement was Dec. 29, 2025.

23andMe could end up owing as much as $50 million, though much of that will go toward attorney fees. Payment to individual class members is tiered, depending on their status:

• Up to $10,000 is available to customers with an "extraordinary claim" verifying out-of-pocket expenses related to the cybersecurity incident, including from repairing their identity, purchasing a security system, or treating mental distress.
  
• Cash payments of up to $165 are available to users who received notice that their health information was affected
  
• An additional $100 in statutory cash claim payments is available to class members who lived in Alaska, California, Illinois or Oregon from May 1 to Oct. 1, 2023.

In addition to cash payments, class members are being offered five years of free identity theft protection, dark web monitoring and genetic anomaly detection services. 

According to Kroll Settlement Administration, payment will be distributed "as soon as possible … once the bankruptcy reconciliation process is resolved and any appeals are concluded."

Class members will be informed of the progress on the settlement website.

Companies must stay alert to cybersecurity threats, but users can also take steps to reduce their vulnerability.

Use unique passwords: The best way to prevent credential stuffing is to use different passwords for each of your accounts. A password manager can generate unique, hard-to-guess credentials. Keeper is one of our top picks, with unlimited secure password sharing, dark-web monitoring and support for biometrics.

Add two-factor authentication: Not every site requires 2FA, but you can install it on your accounts in a matter of minutes. Duo and Google Authenticator are both easy to use, free, and offer backup tools that store and encrypt your credentials.

Check for data breaches: Sites like Have I Been Pwned and Mozilla Monitor can give you a heads-up about breaches, allowing you to change your credentials and review your credit reports.

Unique passwords and two-factor authentication will stymie some hackers, but freezing your credit prevents anyone from applying for new lines of credit in your name. You have to contact each credit agency separately, but the process is simple and free.

• Equifax: Visit the Equifax Consumer Services Center or call 800-349-9960.
• Experian: Contact Experian's security freeze center or call 888-397-3742.
• TransUnion: Visit the TransUnion website or call 888-909-8872.

Identity theft protection services can freeze your accounts for you, plus they'll notify you if your information is being used to open new accounts or if your data appears on the dark web. 

Two of our favorite services, Aura and Identity Guard, include insurance to help you recoup legal bills, lost wages and other losses associated with identity theft.

At CNBC Select, our mission is to deliver high-quality service journalism and comprehensive consumer advice to our readers, enabling them to make informed financial decisions. Every cybersecurity article is based on rigorous reporting by our team of expert writers and editors. While CNBC Select earns a commission from affiliate partners on many offers and links, we create all our content independently of our commercial team and any outside third parties, and we pride ourselves on maintaining high journalistic standards and ethics.

Catch up on CNBC Select's in-depth coverage of credit cards, banking and money, and follow us on TikTok, Facebook, Instagram and Twitter to stay up to date.