Back to news
Cybersecurity Alert
July 15, 2026 by EmailMeNow IT Consulting

Paxton Secures $150M Settlement Against 23andMe Over Genetic Data Breach Affecting 6.9M

Texas AG Ken Paxton joined a 42-state $150M bankruptcy settlement with 23andMe over the 2023 breach that exposed genetic data of 6.9M people. Immediate recovery $18M; Texas $1.27M. Audits: 23andme.com 52%, michigan.gov 42%, texasattorneygeneral.gov 37% — none at the 100% ideal.

Source: Texas Attorney General Ken Paxton (via Click2Houston / Woodlands Online)

NewsData BreachTexasPrivacyCybersecurity
Illustration of consumer genetic privacy, locked vault, and settlement review after a DNA testing company breach

Texas Attorney General Ken Paxton announced on July 15, 2026 a settlement of bankruptcy claims against 23andMe stemming from the October 2023 account compromise that exposed personal information — including some genetic ancestry data — for about 6.9 million customers worldwide. The deal includes $150 million in allowed claims for a 42-state coalition; because of limited bankruptcy-estate funds, immediate recovery is capped at $18 million, of which Texas receives $1,266,860.

Illustration of consumer genetic privacy, locked vault, and settlement review after a DNA testing company breach

Settlement Snapshot

ItemDetail
AnnouncedJuly 15, 2026 (Paxton / multistate)
Company23andMe (bankruptcy filing March 2025)
Allowed claims$150 million (42 AGs)
Immediate recovery$18 million from the estate
Texas share$1,266,860
People affected~6.9 million (disclosed Oct 2023)
Separate consumer relief$46.75 million class action (claims by Feb 17, 2026)

Paxton’s office said a multistate investigation found unreasonable security practices and inadequate safeguards. Reporting tied to the announcement notes the company learned of the incident months after data was publicly available, initially denied a breach, then pointed to consumers’ passwords and account settings. Some exposed information was later offered for sale on criminal markets.

Timeline-style illustration of delayed discovery, account lockouts, and underground marketplace risk after a consumer DNA data incident

What the Injunctive Terms Require

Bankruptcy settlements can still impose forward-looking controls. According to Paxton’s office (as reported by Click2Houston and Woodlands Online):

RequirementWhy it matters
Enhanced security standardsRaises the baseline for a firm that still holds genetic PII
Comprehensive risk assessmentsForces ongoing review, not a one-time checklist
Independent advisory boardOutside oversight of privacy / security practices
State privacy law complianceBinds the successor operator without carve-outs
Consumer data deletion rightsPreserves the ability to request account / data removal

Successor stewardship is described as the TTAM Research Institute, operating as the 23andMe Research Institute. Paxton: “Companies that collect and profit from Texans’ most personal information have a legal duty to protect it.”

Why Password Reuse Still Owns This Story

Credential-stuffing and reused passwords remain the consumer-facing lesson — even when the legal fight is about corporate safeguards:

RiskConsumer action
Reused passwordsUnique password for every DNA / health / finance account
No MFAEnable MFA wherever the service still allows it
Fake “settlement / DNA privacy” mailVerify via known portals — not unexpected links
Soft brand / AG domainsSpoofed “Paxton settlement” or “23andMe Research Institute” senders are easier when Identity scores are low (see audits below)

Independent Cybersecurity Audit

We scored the company domain plus Texas and Michigan AG hosts on July 15–16, 2026. Authority: audit.emailmenow.com only. 100% is the ideal. Sorted highest → lowest.

DomainOverallIdentityTransportWebsiteLevel
23andme.com52%50%15%37%Average
michigan.gov42%25%15%37%Below Average
texasattorneygeneral.gov37%10%15%40%Weak
FindingDetail
Ideal score0 of 3 hit 100% overall
Soft Identity on AG domainstexasattorneygeneral.gov Identity 10% / michigan.gov 25% — weak spoof resistance when consumers expect “settlement / privacy rights” mail
Soft Transport15% Transport on all three hosts in this pass
Company posture23andme.com at 52% Average — still far below ideal for a brand historically tied to genetic PII
Phishing implicationSoft Identity on AG and brand domains makes forged “claim your share / delete your DNA data” messages easier to trust

Bar chart of EmailMeNow audit scores for 23andme.com, michigan.gov, and texasattorneygeneral.gov — 100% ideal

Audit links: 23andme.com · michigan.gov · texasattorneygeneral.gov

Website stack note

Passive website-tech probes on July 16, 2026 covered all three domains (3 probed, 0 notable). 23andme.com resolved as Next.js (version not exposed; no automated freshness flag). The AG hosts did not surface a public CMS version in this pass. No outdated WordPress/Drupal / PHP EOL / short-horizon TLS alerts stood out. The consumer risk in this story remains genetic PII exposure + credential reuse + settlement-season phishing, not a CMS-core headline.

What Texans Should Do

AudienceAction
Former / current 23andMe usersConfirm deletion rights with the current operator; treat unexpected “settlement check / DNA privacy” email as hostile until verified
Anyone who reused passwordsRotate credentials shared with DNA / health / retail sites; enable MFA
Domains that send “official” noticesAim for DMARC p=reject, MTA-STS enforce, and TLS-RPT — none of the audited hosts reached the 100% ideal

Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement and consumer-phishing response planning.


Sources: Click2Houston — Texas AG 23andMe bankruptcy settlement · Woodlands Online — Paxton $150M settlement announcement · KVIA · Texas Border Business · EmailMeNow audits — 23andme.com · michigan.gov · texasattorneygeneral.gov