
Hackers Could Be Profiting off of Your DNA Thanks to 23andMe

December 11, 2024 • Zachary Amos


The 23andMe data breach that happened in 2023 compromised over 6 million accounts. All of that information was immediately put up for sale on the dark web — and it was scarily cheap. Now, with 23andMe’s lawsuit over, customers face another data disaster. If the struggling company decides to sell, their genetic information could end up in the wrong hands.

The 23andMe Breach Compromised Your Genetic Data

Remember when you spit into a little test tube and shipped it off to 23andMe? That genetic data may now be compromised. The 23andMe data breach that happened in 2023 made national news, but you might’ve missed it — a lot happened that year. By now, the company should’ve contacted you directly if your information was leaked, as required by law. 

23andMe encrypted all of the sensitive information it stores, but that didn’t matter because the attacker used credential stuffing. Simply put, they plugged login details stolen in other breaches into 23andMe’s website, and once logged in as a legitimate user they saw the data decrypted exactly as that user would. Since a bunch of people — roughly 14,000, to be specific — had reused their usernames and passwords elsewhere, the attacker was able to gain legitimate access to those accounts.
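The credential-stuffing pattern described above looks different from ordinary failed logins and can be picked out of a web login log. The Python below is an added example written for this article, not 23andMe’s code; the log format, usernames and IP addresses are constructed:

```python
# Added example (not 23andMe's code): spot the credential-stuffing pattern
# described above in web login logs. Stuffing shows up as ONE source trying
# MANY DISTINCT usernames, mostly failing (each leaked pair is tried once);
# the few successes are the accounts whose owners reused a breached password.
# Log format is constructed: "<timestamp> <source_ip> <username> <ok|fail>".
from collections import defaultdict

SAMPLE_LOG = """\
2023-10-01T03:00:01Z 203.0.113.7 alice fail
2023-10-01T03:00:02Z 203.0.113.7 bob fail
2023-10-01T03:00:02Z 203.0.113.7 carol ok
2023-10-01T03:00:03Z 203.0.113.7 dave fail
2023-10-01T03:00:03Z 203.0.113.7 erin fail
2023-10-01T03:00:04Z 203.0.113.7 frank ok
2023-10-01T03:00:05Z 203.0.113.7 grace fail
2023-10-01T03:00:05Z 203.0.113.7 heidi fail
2023-10-01T09:15:00Z 198.51.100.4 mallory fail
2023-10-01T09:15:20Z 198.51.100.4 mallory fail
2023-10-01T09:15:41Z 198.51.100.4 mallory ok
"""

def parse(log):
    """Yield (ip, user, success) per line; skip blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("ok", "fail"):
            yield parts[1], parts[2], parts[3] == "ok"

def stuffing_sources(log, min_users=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for sources whose
    activity matches stuffing; a user mistyping their own password does not."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, success in parse(log):
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += success
    return {
        ip: (len(s["users"]), s["attempts"], s["ok"])
        for ip, s in stats.items()
        if len(s["users"]) >= min_users
        and 1 - s["ok"] / s["attempts"] >= min_fail_ratio
    }

def accounts_to_reset(log):
    """Accounts that logged in successfully from a flagged source: force a
    password reset and notify the owner, since valid credentials were used."""
    flagged = stuffing_sources(log)
    return {user for ip, user, ok in parse(log) if ok and ip in flagged}
```

The second source (one user, three tries, then success) is the normal mistyped-password case and is not flagged; only the accounts that succeeded from the stuffing source need a forced reset.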

A lot — and we mean a lot — of data points were compromised. If you were a victim of the attack, your display name, ethnicity, birth date, gender, billing address, IP address, ancestry, family names and more were stolen. Any information in family trees and genetic reports was also exfiltrated, raising the total number of victims to over 6 million people. 

How Could Your 23andMe Data Be Used Against You?

The threat actor who targeted the biotechnology company put the stolen datasets up for sale on the dark web. Considering each of your cells contains roughly three meters of DNA, that’s a lot of data. Unfortunately, hackers, phishers and scammers can use this information against you. 


For as little as $10 per account, bad actors were able to buy compromised accounts in batches of 100. They gained access to details like your full legal name, birth date, location, mother’s maiden name and family tree. With information like this, they can attempt to steal your identity, scam your relatives or take over your other accounts.

3 Ways Hackers Could Profit off of Your Genetic Data 

While the full consequences of stolen genetic information remain unclear, the 23andMe lawsuit shows it has already affected people’s finances and well-being. After all, you can only change passwords and email addresses — not your DNA.

Sell to Insurers or Employers 

Theoretically, insurers could buy the details stolen in the 23andMe data leak. While the Genetic Information Nondiscrimination Act of 2008 prevents health insurers and employers from discriminating against you based on your genetic profile, long-term care, life and disability insurers can do as they please. 

Although using genetic information to discriminate against potential hires is illegal, that likely won’t stop a considerable percentage of employers from doing just that. They could easily feed that data into an automated screening system built on artificial intelligence. As a result, they could deny your application based on your ancestry or ethnicity — without ever seeing you.

Steal Your Identity 

Bad actors can sign up for credit cards, obtain medical services, open bank accounts or take out loans in your name — all they need is your full legal name, birth date, address and social security number. While your SSN wasn’t compromised as part of the 23andMe data breach, you’re effectively one leak away from having your identity stolen. 

Blackmail You or Relatives

Sometimes, a person’s ancestry hides dark secrets. Maybe their grandfather had a secret second family, their biological father was a fertility doctor, their relatives had an incestuous relationship or they were secretly adopted. Shocking secrets like these are not uncommon now that DNA testing is relatively affordable. 

Unfortunately, a determined individual could use details like these to blackmail you or your relatives. These kinds of secrets could metaphorically implode families, so it wouldn’t be out of the question for people to be willing to pay to keep things under wraps. In such situations, extortion is long-term — the bad actor doesn’t go away. 

What Happens to Your DNA Data if 23andMe Is Sold?

You heard that right. 23andMe can — and probably will — sell your DNA data. Anne Wojcicki, the co-founder and CEO, said she is considering selling the company. After the data breach and subsequent lawsuit, the stock tanked and investors pulled out. Wojcicki is getting desperate to save her once-successful startup. 

Steep sales: A sign the company may be struggling post-lawsuit. Source: https://www.23andme.com/

Already, the company’s shares — which once briefly valued it at $6 billion — have dropped by over 98% and are at an all-time low. The company laid off 40% of its workforce in November 2024, which amounted to approximately 200 employees. Now, because of the 23andMe lawsuit, the company will have to pay $30 million. While cyber insurance will cover $25 million, the remaining $5 million is a lot for a struggling company.

To add insult to injury, the entire board resigned at once. Ironically, Wojcicki ousted her co-founder, Linda Avey, by approaching the board and asking to run the company alone. They agreed, which came as an unpleasant surprise to Avey. Now, the board is further fulfilling her wish by leaving en masse.

What You Need to Do Before 23andMe Is Sold

“Good,” you may be thinking, “It’s what that company deserves.” Not so fast, dear reader — they have your DNA. Even if you never submitted a spit sample, your relatives might have. After all, more than 7 million people have used this service to date. Unfortunately, while 23andMe says you are in control of your data, its fine print disagrees. 

23andMe claims you are in control of your DNA data. Source: https://www.23andme.com/

According to the official privacy policy, 23andMe considers your personal information an asset that can be “accessed, sold or transferred” as part of a “merger, acquisition, reorganization or sale.” Interestingly, this little tidbit wasn’t available in any of the summaries, including the privacy overview page, the “how we use information” page or the privacy notice for U.S. customers — we had to dig around to find it.

Besides, the privacy policy can change at any time. If an insurance firm buys this biotechnology business, they can update the fine print to whatever they want. Since Wojcicki intends to sell, your information is not safe. You have no idea who will buy it or what they will do with it. While some are hopeful it will be used for good, experts are already sounding the alarm.

Aren’t Your DNA and Health Data Protected Under HIPAA?

You are mistaken if you believe the Health Insurance Portability and Accountability Act (HIPAA) protects you in situations like this. That law applies to health care providers and insurers — the doctor’s office — not to consumer health-related services, platforms or apps. The only reason the 23andMe lawsuit happened was that multiple affected customers — not regulators — sued the company.

Besides, around 80% of 23andMe users consented to share their DNA data with third-party vendors when they signed up. That may sound preposterous, but it’s true. Most likely, many didn’t read the privacy policy in full, meaning they didn’t realize what they were agreeing to. They thought their details would help accelerate disease research or save lives. 

23andMe used account, personal and genetic information to help with research for a while. However, it has since closed its drug development division, so that’s no longer happening. Arguably, the only purpose that consent serves now is to make your data available to third-party vendors with less-than-ethical interests.

Can You Delete Your Genetic Data from 23andMe?

If you allowed 23andMe to share your data for individual-level research, they could send their vendors literally any information you’ve entered on an app or website that has the company’s logo. This theoretically includes your location, gender, device identifier, IP address, credit card numbers, message content, browser type and more.

Should You Delete Your Data from 23andMe?

It’s better to be safe than sorry. However, the choice is ultimately up to you. We recommend practicing caution, as you don’t know how attackers could use your DNA data against you in the future. If you want to delete your account, you should know deletion is irreversible.

The privacy policy’s fine print. Source: https://www.23andme.com/

Once you request account deletion — specifying you want your data deleted — 23andMe will destroy your spit sample and remove your data from its active databases. Unfortunately, any research already performed or published before they receive your request won’t be reversed or withdrawn — meaning you cannot fully scrub it from the internet.

Fortunately, your information won’t be used in any future research projects. Notably, while the company strips identifiers like your name and address from your profile, it and its genotyping laboratory partner retain your date of birth, email address and biological sex. 

23andMe notes it will destroy samples “within the legally applicable time frame.” What does this mean, exactly? According to 42 CFR § 493.1105 — federal regulations pertaining to public health in the United States — the laboratory must retain records and tissue samples for at least two years. Sometimes, they have to hold on to information for at least 10 years.

Delete Your 23andMe Data While There Is Still Time 

If the 2023 23andMe data breach wasn’t enough to convince you to delete your account, maybe this information will be. There’s no telling where your DNA data could end up if you don’t delete it — and your account — before a merger, acquisition, reorganization or sale takes place.
