Genetic testing company 23andMe (now Chrome Holding Co.) has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data.

23andMe disclosed a massive data breach in October 2023, following credential-stuffing attacks that went unnoticed for five months, from April 2023 to September 2023.

During the incident, the threat actors stole the data of 6.9 million customers, including their genetic ancestry information. Some of it was later offered for sale on the dark web, with the attackers leaking millions of genetic profiles as proof that the data was legitimate.

New York Attorney General Letitia James said on Tuesday that a multistate investigation launched after the incident was disclosed found that the company lacked basic safeguards against credential-based cyberattacks, such as password blocklisting or multifactor authentication, as well as adequate rate limiting, intrusion prevention, and breach-detection monitoring.

Investigators also discovered that 23andMe failed to address unusual login activity and fix known vulnerabilities. The company initially denied that a breach had occurred, then blamed the incident on customers' account and password practices, according to Attorney General James.