It sits in a drawer. Or maybe it’s buried in your digital archives, a PDF you haven't opened since 2018. You know the one. You spit in a tube, mailed it off, and waited six weeks to find out you’re 14% Irish and have a slightly higher chance of liking cilantro than the average person. But honestly, remember that DNA you have 23andMe collected? It didn't just stay a fun trivia night fact. That data is currently sitting in a corporate database that has seen more drama in the last twelve months than a prestige HBO miniseries.
The reality of consumer genomics has shifted. Hard.
What started as a way to find long-lost cousins or see if you have the "warrior gene" has turned into a massive conversation about data persistence, corporate bankruptcy fears, and the messy reality of what happens when your biological blueprint becomes a liquid asset. 23andMe was the darling of Silicon Valley, once valued at roughly $6 billion. Now? It’s fighting for its life on the stock market, and its entire board of directors recently resigned in a massive fallout with CEO Anne Wojcicki.
When a company that holds the genetic codes of 15 million people hits a rough patch, "remember that DNA" goes from a casual thought to a serious privacy concern.
The Massive 2023 Breach and What It Actually Exposed
We have to talk about the elephant in the room: the data breach. In late 2023, 23andMe confirmed that hackers accessed the personal information of about 6.9 million users. That’s nearly half their customer base. It wasn't a "brute force" attack on their main servers, though. It was credential stuffing. Hackers used passwords leaked from other websites to get into 23andMe accounts where users hadn't enabled two-factor authentication.
Once they were in, they used a feature called "DNA Relatives."
By getting into one account, they could see information about everyone that person was linked to. It was a domino effect. The attackers specifically targeted people with Ashkenazi Jewish and Chinese ancestry, uploading those lists to the dark web. It’s scary stuff. Not because someone can "clone" you—we aren't there yet—but because that data includes your name, birth year, and location. Couple that with your genetic heritage, and you’ve got a goldmine for targeted phishing or even identity theft.
💡 You might also like: The iPhone 5c Release Date: What Most People Get Wrong
23andMe eventually settled a class-action lawsuit for $30 million in mid-2024. But for the millions of people affected, a few bucks in a settlement check doesn't exactly erase the fact that their family tree is floating around on some offshore server.
Why Your Spit is a Business Asset
Companies don't just want your $99 for the kit. They want the aggregate data. 23andMe has a massive partnership with GSK (formerly GlaxoSmithKline). They use the de-identified data—if you opted in—to develop new drugs. It makes sense, right? If you have 15 million genetic samples, you can find patterns in Parkinson’s or Alzheimer’s way faster than a traditional hospital study.
But there is a catch.
If 23andMe goes under or gets sold, that data is an asset. In their terms of service, it’s basically stated that if the company is acquired, your data goes with it. We saw this when Blackstone bought Ancestry.com. The private equity firm didn't just buy a website; they bought a biological library.
Anne Wojcicki has expressed a desire to take the company private, which has caused a lot of friction. The board wanted to see a different direction. They left. Now, the future of those 15 million samples is a bit of a question mark. If you haven't looked at your account in years, now is probably the time to decide if you’re still cool with that data living in a cloud that might change owners.
The "I Have Nothing to Hide" Myth
"I'm not a criminal, so why do I care?" People say this all the time. It’s a fair point until you look at how law enforcement uses these databases.
📖 Related: Doom on the MacBook Touch Bar: Why We Keep Porting 90s Games to Tiny OLED Strips
You’ve heard of the Golden State Killer. They caught him using "investigative genetic genealogy." They didn't have his DNA in a criminal database, so they uploaded a crime scene sample to a site called GEDmatch. They found his 3rd cousins, built a family tree, and narrowed it down to him.
23andMe and Ancestry historically have been more restrictive than GEDmatch about police access. They require a warrant. They fight subpoenas. But as the legal landscape changes, and as these companies face financial pressure, those "walls" can get thinner. If your second cousin spits in a tube, they’ve essentially put you in the database, too. You share enough DNA that a smart genealogist can find you without you ever touching a kit.
It’s the first time in history where your privacy depends on the choices of your relatives. Weird, right?
Genetic Discrimination: The Law vs. The Reality
In the U.S., we have GINA—the Genetic Information Nondiscrimination Act of 2008.
It’s a solid law. It says your health insurance company can't jack up your rates because you have a BRCA1 mutation. Your boss can't fire you because you're predisposed to early-onset dementia.
But GINA has holes you could drive a truck through. It doesn't cover:
👉 See also: I Forgot My iPhone Passcode: How to Unlock iPhone Screen Lock Without Losing Your Mind
- Life insurance.
- Disability insurance.
- Long-term care insurance.
If you apply for a massive life insurance policy and the underwriter asks if you’ve had genetic testing, you have to be honest. If you say yes, they can ask for the results. Remember that DNA you have 23andMe results for? They can be the reason you get denied a policy or charged double the premium. It’s not "illegal" because GINA only covers health insurance and employment. This is a nuance most people miss when they're clicking "Accept" on the terms and conditions because they want to know why their hair is curly.
Managing Your Legacy Data
So, what do you actually do if you’re feeling a bit "meh" about your genes sitting on a server? You have options. You aren't stuck.
First, go into your settings and look at the "Research" section. You can opt out of the internal research studies. This doesn't delete your data, but it means they stop using it for new drug discovery projects.
Second, check your "DNA Relatives" setting. If you don't want strangers finding you, turn it off. It makes you invisible in the system.
Third, and this is the big one: You can request data deletion. 23andMe allows you to delete your account, which triggers a process where they scrub your personal info and discard your physical sample if they still have it. Be warned, though—they are legally required to keep some records for regulatory reasons (like the fact that a test was performed), but it effectively removes you from their active database.
Real Steps to Take Right Now
- Log in and enable 2FA. If you do nothing else, do this. Use an authenticator app, not just SMS. This stops the "credential stuffing" that caused the last breach.
- Download your raw data. It belongs to you. It’s a giant text file of Gs, As, Ts, and Cs. If the company ever disappears, you’ll want that file if you ever want to upload it to a medical tool like Promethease in the future.
- Review your "Consent" settings. People change. Maybe in 2015 you wanted to help scientists find a cure for baldness, but in 2026, you're more private. That's okay. Change your settings to reflect who you are now.
- Talk to your family. Genetic data is a group project. If you're going to delete your data—or if you're thinking about taking a new test—mention it to your siblings. Their privacy is linked to yours.
The "Golden Age" of casual genetic testing is over. We’re in the era of "Genetic Responsibility" now. It’s not just about finding out you’re 2% Neanderthal anymore; it’s about managing a digital asset that is literally your physical essence. Keep an eye on the news regarding 23andMe’s restructuring. Whoever ends up owning that company will own the most intimate data ever collected.
Make sure you're still comfortable being part of that collection.
Actionable Insight: Go to your 23andMe account settings today. If you haven't changed your password since 2023, change it now. Check your "Research Consent" and ensure it matches your current comfort level. If you decide to leave the platform, use the "Delete Account" feature, but download your "Raw DNA Data" first so you don't lose the information you paid for.