Security | May 21, 2026 | 8 min read

What to Do After the 23andMe Data Breach

By Sarah Chen

Head of Privacy Research

In October 2023, genetic testing company 23andMe confirmed that hackers had accessed the genetic profiles of nearly 7 million users through a months-long credential stuffing attack. Then in March 2025, the company filed for Chapter 11 bankruptcy, raising urgent questions about what would happen to the DNA data of more than 15 million customers. If you ever used 23andMe, here is what was exposed, what has happened since, and what you should do right now to protect yourself.

Genetic Data Cannot Be Changed

Unlike a password or credit card number, your DNA is permanent. Once genetic data is exposed, there is no way to reset it. This makes the 23andMe breach fundamentally different from most data breaches and is why taking action now matters so much.

What Happened: The 2023 Data Breach

Beginning on April 29, 2023, and continuing for approximately five months, a threat actor used a technique called credential stuffing to break into 23andMe accounts. Credential stuffing works by feeding usernames and passwords stolen from other breached websites into a login page until matches are found. Because many people reuse the same passwords across multiple services, the attacker was able to access more than 14,000 individual accounts this way.

But the damage went far beyond those initial accounts. Through 23andMe's "DNA Relatives" feature, which allows users to connect with genetic matches, the hacker was able to scrape the profile information of approximately 6.9 million people -- nearly half of the company's entire user base at the time.
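The two access patterns described above (many usernames tried from one source with mostly failed logins, then bulk enumeration of relative profiles from the accounts that did get in) are both visible in ordinary server logs. The following is an added detection example written for this article; it is not 23andMe's or PrivacyOn's code. The log format, the field names (`login`, `relatives_view`, `result`, `count`) and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag credential-stuffing sources and relative-profile scraping in auth logs.

Added example, not code from 23andMe or PrivacyOn. The line format below is an
assumption: "<timestamp> <event> ip=<addr> user=<name> [result=ok|fail] [count=<n>]".
"""
import re
from collections import defaultdict

# Constructed sample log: one IP cycles through six usernames (five failures,
# one success as "carol"), a normal user retries once, and "carol" then pulls
# 1,500 relative profiles in three minutes while "grace" views 25.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z login ip=203.0.113.7 user=alice result=fail
2023-05-01T10:00:02Z login ip=203.0.113.7 user=bob result=fail
2023-05-01T10:00:02Z login ip=203.0.113.7 user=carol result=ok
2023-05-01T10:00:03Z login ip=203.0.113.7 user=dave result=fail
2023-05-01T10:00:03Z login ip=203.0.113.7 user=erin result=fail
2023-05-01T10:00:04Z login ip=203.0.113.7 user=frank result=fail
2023-05-01T10:00:10Z login ip=198.51.100.9 user=grace result=fail
2023-05-01T10:00:15Z login ip=198.51.100.9 user=grace result=ok
2023-05-01T10:01:00Z relatives_view ip=203.0.113.7 user=carol count=500
2023-05-01T10:02:00Z relatives_view ip=203.0.113.7 user=carol count=500
2023-05-01T10:03:00Z relatives_view ip=203.0.113.7 user=carol count=500
2023-05-01T10:05:00Z relatives_view ip=198.51.100.9 user=grace count=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+)"
    r"(?: result=(?P<result>\S+))?(?: count=(?P<count>\d+))?$"
)


def parse_log(text):
    """Parse lines in the assumed format into dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["count"] = int(d["count"]) if d["count"] else 0
        events.append(d)
    return events


def credential_stuffing_sources(events, min_distinct_users=5, min_failure_ratio=0.5):
    """Map each suspicious source IP to the accounts it successfully logged into.

    A stuffing source tries many *different* usernames and fails on most of
    them; a legitimate user retrying a typo hits one username repeatedly.
    """
    attempts = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            attempts[e["ip"]].append(e)
    flagged = {}
    for ip, evs in attempts.items():
        distinct_users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if e["result"] == "fail")
        if len(distinct_users) >= min_distinct_users and failures / len(evs) >= min_failure_ratio:
            flagged[ip] = sorted(e["user"] for e in evs if e["result"] == "ok")
    return flagged


def relatives_scrapers(events, max_profiles=1000):
    """Accounts whose relative-profile views exceed a plausible human volume."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_view":
            totals[e["user"]] += e["count"]
    return {user: n for user, n in totals.items() if n > max_profiles}


def compromised_accounts(events):
    """Accounts that a flagged stuffing source managed to log into.

    These are the sessions to invalidate and the users to force through a
    password reset, regardless of whether they scraped anything yet.
    """
    return {u for users in credential_stuffing_sources(events).values() for u in users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", credential_stuffing_sources(evs))
    print("scrapers:", relatives_scrapers(evs))
    print("accounts to reset:", compromised_accounts(evs))
```

The two detectors reinforce each other: the account flagged for scraping is exactly the one a flagged stuffing source logged into, which is the chain the article describes. In production the thresholds would be applied per time window and the "many distinct usernames" check would also be run per ASN or per user-agent, since a distributed attacker spreads attempts across many addresses.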

What Data Was Exposed

The information stolen included:

  • DNA ancestry results and ethnicity estimates
  • Health predisposition reports linked to genetic markers
  • Family tree connections and DNA relative matches
  • Profile details such as names, birth years, locations, and profile photos
  • Family surnames and grandparents' birthplaces
  • Haplogroup information (mitochondrial DNA and Y-chromosome DNA)

A class action lawsuit further alleged that profiles of users with Chinese and Ashkenazi Jewish heritage were bundled into targeted ethnic lists and placed on the dark web for sale.

What Happened Next: Bankruptcy and the Data Sale

In March 2025, 23andMe filed for bankruptcy after years of declining kit sales and the fallout from the breach. CEO Anne Wojcicki stepped down, and questions immediately arose about what would happen to the genetic data of millions of customers.

After a contested auction process, TTAM Research Institute -- a nonprofit founded by Wojcicki herself -- acquired substantially all of 23andMe's assets for $305 million. The sale was approved by a bankruptcy court on June 30, 2025, and the acquisition closed on July 14, 2025. TTAM committed to honoring 23andMe's existing privacy policies, establishing a Consumer Privacy Advisory Board, and restricting future sale or transfer of genetic data.

Despite these commitments, privacy advocates and multiple state attorneys general have raised concerns. Federal law provides limited protection for genetic data held by private companies, and the long-term future of this data under new ownership remains uncertain.

Why Genetic Data Exposure Is Uniquely Dangerous

A genetic data breach carries risks that go beyond traditional identity theft:

  • Permanent exposure: You cannot change your DNA. Once this data is compromised, it remains compromised forever.
  • Family-wide impact: Your genetic data reveals information about your biological relatives, even if they never used 23andMe themselves.
  • Insurance discrimination: While the Genetic Information Nondiscrimination Act (GINA) provides some protection against discrimination in employment and health insurance, it does not cover life insurance, disability insurance, or long-term care insurance. Insurers in these categories could potentially use genetic predisposition data against you.
  • Ethnic targeting: As demonstrated in this breach, genetic data can be used to identify and target individuals based on their ethnic heritage.
  • Synthetic identity fraud: Criminals can exploit genetic information to create sophisticated false identities or impersonate relatives for financial gain.

Does GINA Protect You?

The Genetic Information Nondiscrimination Act (GINA) prohibits genetic discrimination in health insurance and employment. However, it does not apply to life insurance, disability insurance, or long-term care insurance. It also does not cover employers with fewer than 15 employees. If your genetic data was exposed in this breach, GINA alone is not enough to fully protect you.

What You Should Do Right Now

Step 1: Delete Your 23andMe Account and Data

If you still have a 23andMe account, the most important step you can take is to request permanent deletion of your data. Here is how:

  1. Sign in to your account at 23andMe.com
  2. Click your profile in the upper right corner and select "Settings"
  3. Scroll to the "23andMe Data" section at the bottom of the page and click "View"
  4. Optionally, download a copy of your data first (check the boxes for any data you want and click "Request Download" -- this can take up to 30 days)
  5. Click the red "Permanently Delete Data" button
  6. Open the confirmation email with the subject line "23andMe Delete Account Request" and click "Permanently Delete All Records"

Important: Your data will not be deleted unless you complete that final email confirmation step. Also note that if you previously consented to 23andMe's research program, any data already anonymized and included in completed studies cannot be removed from those datasets.

Step 2: Change Passwords and Enable Two-Factor Authentication

The original breach exploited credential reuse. If you used your 23andMe password on any other website or service, change those passwords immediately. Use a unique, strong password for every account and enable two-factor authentication wherever it is available.
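Finding every site where the 23andMe password was reused is easy to get wrong by memory. The following is an added example, not a PrivacyOn tool or anything 23andMe provides: it reads a password-manager export and reports which entries share a password with a named site. The CSV layout (`name,url,username,password` columns, as in common browser and manager exports) is an assumption, and the rows are constructed.

```python
"""Find accounts that reuse a password from a password-manager CSV export.

Added example; the column names are an assumption and the rows are constructed.
Passwords are grouped by SHA-256 digest so the plaintext never appears in output.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed export: the 23andMe password is reused on two other sites.
SAMPLE_EXPORT = """\
name,url,username,password
23andMe,https://www.23andme.com,alice@example.com,Summer2019!
Email,https://mail.example.com,alice@example.com,Summer2019!
Bank,https://bank.example.com,alice,kq#9Lm!2vT@x
Forum,https://forum.example.net,alice,Summer2019!
"""


def _groups(csv_text):
    """Map password digest -> list of entry names using that password."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        groups[digest].append(row["name"])
    return groups


def reused_password_sets(csv_text):
    """Every set of entries (size > 1) sharing one password, sorted for stable output."""
    return sorted(sorted(names) for names in _groups(csv_text).values() if len(names) > 1)


def sites_sharing_password_with(csv_text, site):
    """Entries that use the same password as `site`; these are the ones to rotate first."""
    for names in _groups(csv_text).values():
        if site in names:
            return sorted(n for n in names if n != site)
    return []


if __name__ == "__main__":
    print("reused:", reused_password_sets(SAMPLE_EXPORT))
    print("rotate alongside 23andMe:", sites_sharing_password_with(SAMPLE_EXPORT, "23andMe"))
```

Run it on a real export only on a trusted machine and delete the export file afterwards; the point is to get the list of accounts to change, then let the password manager generate a distinct password for each.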

Step 3: Monitor for Identity Theft

Given the sensitivity of the data exposed, you should actively monitor for signs that your personal information is being misused:

  • Place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion)
  • Review your credit reports regularly for unfamiliar accounts or inquiries
  • Watch for phishing attempts that reference your genetic information, ancestry, or family connections -- scammers may use breach data to craft highly convincing targeted messages

Step 4: Reduce Your Overall Data Footprint

The 23andMe breach is a stark reminder that any personal data you share online can eventually be exposed. Reducing the amount of personal information available about you across the internet is one of the most effective ways to protect yourself from future breaches and targeted attacks.

Services like PrivacyOn help by actively removing your personal information from over 100 data broker sites that collect and sell your data. While no service can undo a genetic data breach, reducing the other personal information available about you -- your address, phone number, email, family members, and more -- makes it significantly harder for criminals to combine breach data with other information to commit identity theft or targeted fraud. PrivacyOn also provides dark web monitoring to alert you if your information appears in new data dumps or criminal marketplaces.

Step 5: Be Cautious With Other Genetic Testing Services

Before sharing your DNA with any company, consider the following:

  • Read the privacy policy carefully, especially sections about data sharing, research use, and what happens during a sale or bankruptcy
  • Understand that once you submit a sample, you may not have full control over how that data is used in the long run
  • Check whether the service allows you to delete your data and destroy your physical sample on request
  • Consider whether the benefits of genetic testing outweigh the permanent privacy risks

The Bigger Lesson

The 23andMe breach and bankruptcy exposed a critical gap in how genetic data is protected. Unlike health records covered by HIPAA, consumer genetic data submitted to a private company has limited federal protection. The data can be transferred, sold, or restructured as a business asset during bankruptcy proceedings.

For the nearly 7 million people directly affected by the breach and the millions more whose data changed hands during the bankruptcy sale, the situation underscores a hard truth: once you share sensitive data with a company, your control over that data depends entirely on that company's future decisions, financial health, and security practices.

The best defense is a proactive one. Delete data you no longer need companies to hold. Use strong, unique passwords and two-factor authentication on every account. And take steps to reduce your digital footprint so that when breaches happen -- and they will -- criminals have less information to work with.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.

Ready to Protect Your Privacy?

Let PrivacyOn automatically remove your personal information from data broker sites and keep it removed.