DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023.

The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.

“23andMe believes the settlement is fair, adequate, and reasonable,” the company said in a memorandum filed Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits.

The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions.

“23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives’ claims for statutory damages,” the company said in the filed preliminary settlement.

“23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever.”

This settlement addresses claims that the genetic testing company failed to safeguard users’ privacy and neglected to inform customers that hackers specifically targeted them and their information was reportedly offered for sale on the dark web.

Data stolen following credential-stuffing attack

In October 2023, 23andMe revealed that unauthorized access to customer profiles occurred through compromised accounts. Hackers exploited credentials stolen from other breaches to access 23andMe accounts.

After discovering the breach, the company implemented measures to block similar incidents, including requiring customers to reset passwords and enabling two-factor authentication by default starting in November.

Starting in October, threat actors leaked data profiles belonging to 4.1 million individuals in the United Kingdom and 1 million Ashkenazi Jews on the unofficial 23andMe subreddit and hacking forums like BreachForums.

23andMe told BleepingComputer in December that data for 6.9 million customers, including information on 6.4 million U.S. residents, was downloaded in the breach.

In January, the company also confirmed that attackers stole health reports and raw genotype data over a five-month credential-stuffing attack from April to September.

The data breach led to multiple class-action lawsuits, prompting 23andMe to amend its Terms of Use in November 2023, a move criticized by customers. The company later clarified that the changes aimed to simplify the arbitration process.