
States Force $18 Million Settlement from 23andMe Over Genetic Data Breach Exposing 6.9 Million Users
NEW YORK, July 14, 2026 – New York Attorney General Letitia James and a bipartisan coalition of 42 state attorneys general have secured an $18 million settlement from genetic testing firm 23andMe, concluding a multistate investigation into the company’s failure to safeguard the private genetic data of nearly 7 million customers.
The settlement, announced Monday, stems from an October 2023 breach that exposed sensitive ancestry and health-related information belonging to 6.9 million consumers nationwide, including 305,245 New York residents. Investigators found that compromised customer profiles were subsequently listed for sale on the dark web, exposing individuals to increased risks of identity theft and further cyber intrusions.
“Marylanders trusted 23andMe to protect their personal data, including highly sensitive genetic data and ancestry information. 23andMe failed to safeguard it and then blamed its customers,” said Maryland’s Attorney General Anthony Brown. “Through this settlement, we were able to ensure that Marylanders’ genetic information is properly protected going forward. My Office will continue to hold accountable any company that fails to protect Marylanders and their sensitive information.”
“Your genetic data is the most personal data you have. 23andMe failed to protect it for millions of people, and when the breach happened, they pointed the finger at their own customers,” said North Carolina Attorney General Jeff Jackson. “So we held them accountable to make sure that data is safe even if the company no longer exists.”
“The 23andMe data breach compromised the personal data, and in some cases genetic information, of thousands of Illinoisans,” Illinois Attorney General Kwame Raoul said. “This settlement sends the message that companies, particularly those collecting sensitive information from their customers, must have robust protections to keep consumers’ personal data secured.”
According to the terms of the agreement, 23andMe will pay $705,000 directly to New York state. More significantly, the settlement imposes strict new data security mandates on the company’s successor entity, the 23andMe Research Institute—formerly TTAM Research, a non-profit formed by the company’s founder and acquired during 23andMe’s March 2025 bankruptcy proceedings.
The multistate probe revealed that 23andMe failed to implement multiple critical safeguards prior to the breach. Investigators cited the company’s lack of multifactor authentication, absence of password blocklist protocols against known compromised credentials, inadequate rate-limiting and intrusion-prevention systems, and deficient logging and monitoring tools that could have detected the attack. The company also failed to investigate unusual login patterns, including a massive spike in access attempts, and did not properly review or test design features for known vulnerabilities.
“Protecting the personal information of Michigan residents has been one of my top priorities during my time in office, and we will not stand by when companies fail to safeguard consumer data,” said Michigan’s Attorney General Dana Nessel. “I am proud to have worked with this coalition to secure this settlement. We remain committed to defending the privacy of Michiganders and ensuring that corporations that fail their customers are held accountable.”
“Consumers have a right to expect that the companies entrusted with their most personal information will protect it. This settlement reinforces security requirements for the remaining 23andMe data, maintains consumers’ right to delete their information, and makes clear that companies cannot cut corners when it comes to data privacy,” said Massachusetts Attorney General Andrea Joy Campbell . “I will continue to hold companies accountable when they fail to protect consumers and their sensitive information.”
“23andMe recklessly exposed Arizonans’ sensitive genetic data to hackers, allowing it to end up on the dark web,” said Arizona Attorney General Kris Mayes. “This settlement, combined with private class‑action settlements, brings some measure of accountability — but companies that hold such sensitive information must do a better job protecting the data of consumers. We will continue working to hold companies accountable when they fail Arizona consumers.”
In the immediate aftermath of the incident, 23andMe initially denied any breach, later attributing the compromise to customer password practices before confirming the scale of the data exposure. The company only acknowledged the intrusion months after stolen information had been made publicly available on illicit forums.
As part of the settlement, the newly formed 23andMe Research Institute is now required to conduct ongoing risk analyses, establish an advisory board dedicated to data security, and maintain consumer rights to request deletion of their genetic information. The attorneys general secured these provisions to ensure the institute operates as a more secure custodian of sensitive biological data moving forward.
Attorney General James emphasized the fiduciary duty companies hold when handling intimate personal information. “New Yorkers trusted 23andMe with their sensitive and personal genetic data, only to find that data stolen and put up for sale on the dark corners of the internet,” she said in a statement. The settlement, she added, imposes “strict rules” to prevent future lapses.
The investigation involved a bipartisan coalition that included attorneys general from 42 states and the District of Columbia. For New York, the case was handled by Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology, under the Division for Economic Justice.
Cash App Owner Block Fined $45 Million in Multistate Settlement Over Fraud Epidemic and Deceptive Marketing
NEW YORK, July 8, 2026 – A bipartisan coalition of 46 attorneys general, led by New York Attorney General Letitia James, has secured a $45 million settlement from Block, Inc., the parent company of the peer-to-peer payment platform Cash App, following a sweeping investigation into systemic fraud and misleading claims about user protections.
The settlement, announced Tuesday, caps a multiyear probe that found Block deliberately misrepresented Cash App’s security features, failed to provide legally required fraud resolution, and allowed scam accounts to proliferate unchecked across its platform. The company will pay $1.6 million in penalties to New York state as part of the agreement.
Investigators allege that Block marketed Cash App with language implying it offered bank-level safeguards for customer funds, despite lacking consistent fraud-detection systems or a functioning hotline for users to report scams. The company’s terms of service touted “cutting edge” fraud technology, but the attorneys general found no such system in place.
“Cash App failed to protect its users from fraud and then made it nearly impossible for victims to recover what they lost,” said Maryland Attorney General Anthony Brown. “This settlement strengthens the company’s fraud and dispute resolution practices: protections that Maryland consumers deserve when they trust a business with their money.”
“CashApp knew peer-to-peer payment apps were prime targets for fraudsters, and instead of taking extra steps to safeguard their platform, they misled and deceived consumers about protections being offered,” Pennsylvania Attorney General Dave Sunday said. “The changes required under this settlement will strengthen consumer protections and improve the ability of users to report and resolve fraud.”
“People deserve to know that their money is actually protected,” said North Carolina Attorney General Jeff Jackson. “Block told users Cash App was safe, but made it easier for fraud to occur, and then failed to help when customers needed it most. This settlement gets money back for the customers who took them at their word.”
According to the investigation, Block was aware that fraud on its platform was escalating sharply but chose to expand its user base through aggressive marketing rather than fortify security. The company actively targeted unbanked and underbanked consumers by promoting direct deposits of paychecks and government benefits into Cash App accounts, making those users particularly vulnerable to financial predation. Yet Block did not introduce proportionate security or prevention measures for these customers.
The probe also uncovered policies that actively enabled abuse. Cash App did not require a Social Security number or date of birth to create an account, and there was no limit on the number of accounts a single individual could open, allowing bad actors to operate entire networks of fraudulent profiles. The platform also limited chargebacks while incentivizing new account creation, a combination investigators said fueled fraud.
One of the most striking findings involved customer support failures. Cash App had no direct phone number for assistance, forcing users locked out of their accounts to search online for help. Fraudsters exploited this vacuum by creating fake customer-service numbers, tricking victims into surrendering login credentials and draining their accounts or linked bank accounts. Block knew of the scheme but did not warn users or establish a legitimate phone line until 2021, the investigation found.
The company also ran a weekly social media promotion called Cash App Fridays, which encouraged users to publicly post their unique Cash App identifiers for a chance to win prizes. Fraudsters used those posts to contact participants, claim they had won, and extract login information. Block was aware of the scams but continued the promotion while training staff to handle complaints from defrauded customers.
Users who experienced automated account locks for suspicious transactions frequently remained locked out for weeks with no access to their funds. Victims of fraud through the app often had no effective recourse, and Block delayed investigating unauthorized transactions or issuing legally required refunds.
As part of the settlement, Block must now implement a series of corrective measures: maintain live customer support with a real person available by phone for at least 13.5 hours daily and by live chat for at least 18 hours daily; cease all false or misleading claims about Cash App’s safety and fraud protections; discontinue marketing practices known to increase fraud; educate consumers about common scam tactics; and fulfill its legal obligations to investigate fraud claims and reimburse unauthorized transactions.
Attorney General James characterized the settlement as a necessary check on corporate negligence in the fintech sector. “New Yorkers were promised that Cash App was a safe and secure platform to send money, but in reality, the app exposed them to rampant fraud,” she said. “For years, Cash App users lost money to costly scams because Block cared more about profits than protecting its users.”
The coalition includes attorneys general from 45 other states, spanning both parties and every region of the country. The case was handled for New York by Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger of the Bureau of Internet and Technology, under the Division for Economic Justice.
“We’re proud to protect Kentucky consumers from predatory businesses. We are helping to make Kentuckians whole and putting into place safeguards that will help prevent Kentuckians from falling victim to fraud in the future,” said Kentucky Attorney General Coleman.
“Virginians deserve to trust that the companies they do business with are acting legally and with integrity, and when a company acts outside the law or unethically, this office will hold them accountable,” said Virginia Attorney General Jones. “When companies strategically omit information and foster fraudulent practices, it hurts consumers and shakes confidence in our institutions. I want to assure Virginians throughout the Commonwealth that the OAG is using all available tools to protect them.”
“Cash App was riddled with fraud, and the company did next to nothing to protect its customers from the devastating financial consequences. Today’s settlement forces major reforms on the platform, including real customer support, transparent and honest communications with users, and security commitments. This resolution builds on the settlement reached between the Consumer Financial Protection Bureau and Cash App in January 2025, which included millions of dollars in direct financial relief to consumers who were the victims of fraud on the platform. Even with these new safety measures, peer-to-peer payment apps like Cash App do not have the same safeguards as traditional banking. Be very careful whenever using these types of apps. Never give your account information to someone you do not know, and monitor your account for suspicious activity regularly,” said Connecticut Attorney General William Tong .
“Cash App told people their money was safe, and millions of Oregonians and Americans believed them, including a lot of people who didn’t have other options” said Washington State Attorney General Dan Rayfield. “When things went wrong, Block left them with nowhere to turn. This settlement holds Block accountable and makes sure they can’t walk away from money they promised to pay back to consumers.”


