Is 23andMe Safe for DNA and Genetic Testing?
DANGEROUS: 23andMe has experienced one of the most alarming privacy trajectories of any consumer technology company. A 2023 data breach exposed the genetic ancestry data of approximately 6.9 million users. The company has faced financial difficulties, stock delisting warnings, and board member resignations, raising serious questions about what happens to your DNA data if the company is sold or goes bankrupt. Genetic data is permanent and cannot be changed like a password. The combination of a massive breach, financial instability, and the irreversible nature of genetic information makes 23andMe dangerous for privacy.
What 23andMe Collects
- Complete DNA genotype data from your saliva sample
- Genetic ancestry composition and ethnic heritage analysis
- Health predisposition reports for various genetic conditions
- Family connections through DNA relative matching
- Health surveys, family history, and phenotype questionnaires
Who Sees Your Data
- 23andMe Inc. and its subsidiaries including Lemonaid Health
- Third-party research partners if you opt into research programs
- DNA relatives who share genetic segments with you
- Law enforcement with appropriate legal process
- Potentially a future acquirer if the company is sold
The 2023 Data Breach
In October 2023, 23andMe confirmed a data breach that exposed the personal data of approximately 6.9 million users. Attackers used credential stuffing to access accounts and then scraped data from the DNA Relatives feature, which links genetically related users. Exposed data included display names, birth years, relationship labels, genetic ancestry results, and geographic locations. This breach exposed genetic heritage information that cannot be changed or reset. Unlike a password breach, you cannot get new DNA. The breach fundamentally compromised the genetic privacy of millions of people permanently.
Financial Instability and Data Future
Following the breach, 23andMe has faced severe financial difficulties including plummeting stock prices, NASDAQ delisting warnings, the resignation of all independent board members, and questions about the company's long-term viability. If 23andMe is acquired or enters bankruptcy, your genetic data could transfer to a new owner whose privacy practices and intentions you did not agree to when you submitted your DNA. CEO Anne Wojcicki has expressed interest in taking the company private, which would reduce financial transparency. The uncertainty about who will ultimately control this genetic database is a critical concern.
The Permanence of Genetic Data
Genetic data is fundamentally different from other personal information. You cannot change your DNA like you can change a password, email address, or even your Social Security number. Once your genetic information is in a corporate database, the risks persist for your entire lifetime and potentially affect your biological relatives. Genetic data can reveal predispositions to diseases, ethnic heritage, family secrets, and biological relationships. A breach of genetic data has consequences that extend far beyond any other type of data exposure.
Recommended Privacy Settings
| Setting | Where | Recommended |
|---|---|---|
| DNA Relatives Feature | 23andMe > Settings > Privacy > DNA Relatives | Opt out of DNA Relatives to prevent your data from being linked to other users' accounts |
| Research Consent | Settings > Research | Withdraw from all research programs to prevent your genetic data from being shared with third parties |
| Account Deletion | Settings > 23andMe Data > Delete Data | Request complete account and data deletion, and request destruction of your physical DNA sample |
Safer Alternatives
- Clinical genetic testing through healthcare providers is covered by HIPAA with strict data protections and professional guidance.
- Genetic data, once submitted, cannot be fully recalled. The safest approach for genetic privacy is to not submit your DNA to any consumer testing company.
Our Verdict
DANGEROUS: 23andMe represents one of the most alarming consumer privacy situations in the technology industry. The combination of a massive genetic data breach, severe financial instability threatening corporate survival, and the permanent irreversible nature of DNA data creates a uniquely dangerous situation. If you have data on 23andMe, request complete deletion and sample destruction immediately. Do not submit new DNA to the platform. For genetic health insights, work through HIPAA-covered healthcare providers. The risk of your permanent genetic data ending up in the hands of an unknown future owner or being exposed in further breaches is too significant to justify continued use.
Frequently Asked Questions
What happens to my DNA data if 23andMe goes bankrupt?
In a bankruptcy or acquisition, your genetic data could be treated as a corporate asset and transferred to a new owner. While privacy laws may provide some protections, the practical reality is uncertain. Past bankruptcy cases involving companies with user data have sometimes resulted in data being sold as an asset. The unique sensitivity of genetic data makes this a particularly alarming scenario. If you have data on 23andMe, requesting deletion now, before any ownership change, is the most protective action you can take.
Can I delete my DNA data from 23andMe?
Yes. 23andMe allows you to request deletion of your account data and destruction of your physical saliva sample. Navigate to Settings, then 23andMe Data, then Delete Data. The process takes up to 30 days. However, if your data has already been shared with research partners, those partners may retain their copies under their own agreements. Data exposed in the 2023 breach cannot be unbreached. Deletion prevents further sharing but cannot undo past exposure.
How bad was the 23andMe data breach?
The 2023 breach exposed genetic ancestry data, display names, birth years, and geographic locations for approximately 6.9 million users, far more than initially reported. The exposed genetic ancestry data reveals ethnic heritage information that users may consider deeply personal. Unlike breached passwords or credit cards, genetic information is permanent and cannot be changed or replaced. The breach has lifetime implications for affected users. It also exposed genetic relationship connections between users, potentially revealing family secrets and biological relationships.