Texas Attorney General Ken Paxton announced on July 15, 2026 a settlement of bankruptcy claims against 23andMe stemming from the October 2023 account compromise that exposed personal information — including some genetic ancestry data — for about 6.9 million customers worldwide. The deal includes $150 million in allowed claims for a 42-state coalition; because of limited bankruptcy-estate funds, immediate recovery is capped at $18 million, of which Texas receives $1,266,860.

Settlement Snapshot
| Item | Detail |
|---|---|
| Announced | July 15, 2026 (Paxton / multistate) |
| Company | 23andMe (bankruptcy filing March 2025) |
| Allowed claims | $150 million (42 AGs) |
| Immediate recovery | $18 million from the estate |
| Texas share | $1,266,860 |
| People affected | ~6.9 million (disclosed Oct 2023) |
| Separate consumer relief | $46.75 million class action (claims by Feb 17, 2026) |
Paxton’s office said a multistate investigation found unreasonable security practices and inadequate safeguards. Reporting tied to the announcement notes the company learned of the incident months after data was publicly available, initially denied a breach, then pointed to consumers’ passwords and account settings. Some exposed information was later offered for sale on criminal markets.

What the Injunctive Terms Require
Bankruptcy settlements can still impose forward-looking controls. According to Paxton’s office (as reported by Click2Houston and Woodlands Online):
| Requirement | Why it matters |
|---|---|
| Enhanced security standards | Raises the baseline for a firm that still holds genetic PII |
| Comprehensive risk assessments | Forces ongoing review, not a one-time checklist |
| Independent advisory board | Outside oversight of privacy / security practices |
| State privacy law compliance | Binds the successor operator without carve-outs |
| Consumer data deletion rights | Preserves the ability to request account / data removal |
Successor stewardship is described as the TTAM Research Institute, operating as the 23andMe Research Institute. Paxton: “Companies that collect and profit from Texans’ most personal information have a legal duty to protect it.”
Why Password Reuse Still Owns This Story
Credential-stuffing and reused passwords remain the consumer-facing lesson — even when the legal fight is about corporate safeguards:
| Risk | Consumer action |
|---|---|
| Reused passwords | Unique password for every DNA / health / finance account |
| No MFA | Enable MFA wherever the service still allows it |
| Fake “settlement / DNA privacy” mail | Verify via known portals — not unexpected links |
| Soft brand / AG domains | Spoofed “Paxton settlement” or “23andMe Research Institute” senders are easier when Identity scores are low (see audits below) |
Independent Cybersecurity Audit
We scored the company domain plus Texas and Michigan AG hosts on July 15–16, 2026. Authority: audit.emailmenow.com only. 100% is the ideal. Sorted highest → lowest.
| Domain | Overall | Identity | Transport | Website | Level |
|---|---|---|---|---|---|
| 23andme.com | 52% | 50% | 15% | 37% | Average |
| michigan.gov | 42% | 25% | 15% | 37% | Below Average |
| texasattorneygeneral.gov | 37% | 10% | 15% | 40% | Weak |
| Finding | Detail |
|---|---|
| Ideal score | 0 of 3 hit 100% overall |
| Soft Identity on AG domains | texasattorneygeneral.gov Identity 10% / michigan.gov 25% — weak spoof resistance when consumers expect “settlement / privacy rights” mail |
| Soft Transport | 15% Transport on all three hosts in this pass |
| Company posture | 23andme.com at 52% Average — still far below ideal for a brand historically tied to genetic PII |
| Phishing implication | Soft Identity on AG and brand domains makes forged “claim your share / delete your DNA data” messages easier to trust |

Audit links: 23andme.com · michigan.gov · texasattorneygeneral.gov
Website stack note
Passive website-tech probes on July 16, 2026 covered all three domains (3 probed, 0 notable). 23andme.com resolved as Next.js (version not exposed; no automated freshness flag). The AG hosts did not surface a public CMS version in this pass. No outdated WordPress/Drupal / PHP EOL / short-horizon TLS alerts stood out. The consumer risk in this story remains genetic PII exposure + credential reuse + settlement-season phishing, not a CMS-core headline.
What Texans Should Do
| Audience | Action |
|---|---|
| Former / current 23andMe users | Confirm deletion rights with the current operator; treat unexpected “settlement check / DNA privacy” email as hostile until verified |
| Anyone who reused passwords | Rotate credentials shared with DNA / health / retail sites; enable MFA |
| Domains that send “official” notices | Aim for DMARC p=reject, MTA-STS enforce, and TLS-RPT — none of the audited hosts reached the 100% ideal |
Related Reading
- Breach monitoring resources
- Cyber insurance: controls decide coverage
- Texas OAG breach reports 2026 YTD
Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement and consumer-phishing response planning.
Sources: Click2Houston — Texas AG 23andMe bankruptcy settlement · Woodlands Online — Paxton $150M settlement announcement · KVIA · Texas Border Business · EmailMeNow audits — 23andme.com · michigan.gov · texasattorneygeneral.gov