23andMe Reaches $30M Settlement Over Massive Data Breach Affecting 6.9M Customers
September 13, 2024
23andMe has reached a proposed settlement of $30 million to resolve a class action lawsuit stemming from a significant data breach that exposed the personal information of approximately 6.9 million customers.
The breach, which began in late April 2023 and lasted until September 2023, involved hackers utilizing credential stuffing techniques to gain unauthorized access to customer accounts.
As part of the settlement, affected customers will receive compensation and access to a free three-year security monitoring program.
This incident has severely impacted 23andMe's financial standing, contributing to a decline in stock prices and prompting CEO Anne Wojcicki to consider taking the company private, a move that was ultimately rejected.
The lawsuit, filed in January 2024, accused 23andMe of failing to adequately protect customer privacy and not properly notifying affected individuals about the breach.
Additionally, 23andMe will enhance its security protocols, implementing mandatory two-factor authentication and conducting annual cybersecurity audits for three years.
The company will also establish a data breach incident response plan and will cease retaining personal data for inactive accounts.
Most of the settlement costs, approximately $25 million, are expected to be covered by cyber insurance.
The proposed settlement is currently awaiting approval from a judge in a San Francisco federal court.
A dedicated website will be created to inform eligible individuals about the settlement fund and facilitate payments.
23andMe denies any wrongdoing related to the breach, and the settlement should not be interpreted as an admission of liability.
The breach not only compromised personal information but also led to the leakage of data profiles for 4.1 million individuals in the UK and 1 million Ashkenazi Jews on hacking forums.
Summary based on 4 sources
Sources
The Verge • Sep 13, 2024
23andMe agrees to pay $30 million to settle lawsuit over massive data breach
BleepingComputer • Sep 13, 2024
23andMe to pay $30 million in genetics data breach settlement
Ground News • Sep 14, 2024
23andMe will pay $30 million to settle 2023 data breach lawsuit