
23andMe breach — my DNA data is out there and I'm freaking out about identity theft

Genetic and ancestry data exposed in the 23andMe breach

6 min read · Updated Feb 2026

You just found out your genetic data was part of the 23andMe breach, and your brain is going to worst-case scenarios. Someone has your DNA information. Your ancestry details. Maybe health predispositions. The stuff that's literally hardcoded into your biology — and you can't change it like a password.

Take a breath. Your DNA data being exposed is a real privacy violation, but the actual risks are different from what most people assume. This isn't like a stolen SSN where someone can drain your bank account tomorrow. The dangers are more subtle — and in some ways, more long-term. [1]

ℹ️
DNA data ≠ identity theft data

Your genetic information cannot be used to open credit cards, access bank accounts, or steal your identity in the traditional sense. The risks are real but different — discrimination, privacy erosion, and social engineering. Don't let panic push you into paying for services you don't need.

What Actually Happened in the 23andMe Breach

The 23andMe breach wasn't a sophisticated hack. Attackers used credential stuffing — taking usernames and passwords leaked from other breaches and trying them on 23andMe accounts. About 14,000 accounts were directly compromised this way. [2]

But here's what made it massive: the DNA Relatives feature. When attackers got into those 14,000 accounts, they could see the genetic relative profiles connected to each one. That cascading exposure affected approximately 6.9 million users — nearly half of 23andMe's customer base. Even if your password was strong, if a relative with a weak password had you in their DNA Relatives list, your data was exposed.
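The cascade described above can be modelled as a walk over a relatives graph. This is an added example, not code from 23andMe or from this article's sources; the account names, the `RELATIVES` map and the mutual opt-in rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: which profiles each account can see through
# relative sharing. Names and structure are assumptions for illustration.
RELATIVES = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"bob"},
    "erin": {"carol"},
    "frank": set(),
}


def exposed_profiles(relatives, compromised, opted_out=frozenset()):
    """Map each exposed profile to the compromised accounts that revealed it.

    A compromised account exposes its own profile plus every relative
    profile it can view. Sharing is assumed to be mutual opt-in: an
    opted-out profile neither sees relatives nor appears in their lists.
    """
    via = defaultdict(set)
    for account in compromised:
        via[account].add(account)  # direct compromise
        if account in opted_out:
            continue  # no relatives list to leak
        for rel in relatives.get(account, ()):
            if rel not in opted_out:
                via[rel].add(account)
    return {profile: sorted(accts) for profile, accts in via.items()}


def cascade_only(relatives, compromised, opted_out=frozenset()):
    """Profiles exposed although their own login was never compromised."""
    exposed = exposed_profiles(relatives, compromised, opted_out)
    return sorted(p for p in exposed if p not in compromised)


def amplification(relatives, compromised, opted_out=frozenset()):
    """Exposed profiles per compromised account."""
    exposed = exposed_profiles(relatives, compromised, opted_out)
    return len(exposed) / len(compromised)


if __name__ == "__main__":
    print(exposed_profiles(RELATIVES, {"bob"}))
    print(cascade_only(RELATIVES, {"bob"}, opted_out={"alice"}))
```

In this model a profile's own password strength never enters the calculation: only the compromised set and the sharing edges decide who is exposed.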

- 6.9M: User profiles exposed via DNA Relatives
- 14,000: Accounts directly compromised
- $30M: Class action settlement (2024)

What Data Was Actually Exposed

For directly compromised accounts: Display names, birth year, ancestry results, DNA relative connections, family tree details, self-reported location, and health predisposition reports.

For DNA Relatives connections: Display names, predicted relationships, percentage of shared DNA, ancestry reports, self-reported location, birth year, family names, and profile photos.

What was NOT exposed: Raw genetic data files (your actual genome sequence), payment information, or SSNs. The stolen data was profile-level information, not the underlying genetic code.

⚠️
Targeted groups faced disproportionate risk

Attackers specifically targeted and compiled data on users of Ashkenazi Jewish and Chinese descent. If you belong to either group, your data may have been packaged in targeted data sets, increasing the risk of discrimination or social engineering.

Realistic Risk Assessment

Low risk — traditional identity theft: Your DNA data can't be used to open credit cards or access financial accounts.

Medium risk — social engineering: Knowing your ethnic background, family connections, and health concerns gives scammers material for highly targeted phishing.

Medium risk — insurance discrimination: GINA protects against health insurance and employment discrimination based on genetic data, but does NOT cover life insurance, disability insurance, or long-term care insurance.

Higher risk — privacy erosion: Ethnicity, health predispositions, and family relationships combined create a detailed profile that could be sold to data brokers who aggregate it with other leaked datasets.

Longer-term risk: Unlike a password or credit card, you can't change your DNA. This exposure is permanent.

The GINA Act — What It Does and Doesn't Protect

GINA protects you from:
- Health insurers using genetic information to deny coverage or set premiums
- Employers using genetic information in hiring, firing, or promotion decisions

GINA does NOT protect you from:
- Life insurance companies using genetic data to deny policies or increase premiums
- Disability insurance discrimination
- Long-term care insurance decisions based on your genetic profile
- Companies with fewer than 15 employees [3]

💡
Check your state laws — some go further than GINA

California, Florida, and several other states have genetic privacy laws that extend protections beyond GINA. California's CCPA/CPRA classifies genetic data as sensitive personal information, giving you the right to request deletion.

What You Should Do Right Now

Immediate action plan
1. Opt out of DNA Relatives immediately

Log into your 23andMe account → Settings → Privacy → turn off DNA Relatives. This won't undo what was exposed, but prevents further cascading exposure.

2. Download your data, then request deletion

Download a copy for your records, then submit a data deletion request through account settings. Under CCPA or your state's privacy law, they must comply. 23andMe says deletion includes destruction of your physical saliva sample.

3. Consider deleting your account entirely

Given that 23andMe filed for bankruptcy in early 2025 and its assets (potentially including your genetic data) could be acquired by another company, deleting your account before any acquisition is the safest move. [4]

4. Change your password and enable 2FA

Change your 23andMe password to something unique. More importantly, change this password anywhere else you've reused it — credential stuffing only works because people reuse passwords.

5. Lock down your data broker profiles

Your genetic ancestry and ethnicity data may already be aggregated with other personal data by data brokers. People-search removal from major brokers like Spokeo and BeenVerified limits the combined profile available about you.


Insurance Implications

Health insurance: You're protected by GINA. Health insurers cannot use genetic data against you.

Life insurance: If you don't currently have a policy and your genetic data shows predispositions for serious conditions, consider applying sooner rather than later. Life insurers are not bound by GINA.

Long-term care and disability insurance: Same gap as life insurance. If these policies are on your radar, don't wait.

The honest reality: No insurer is going to dig through breach data dumps to find your 23andMe profile. The greater risk is the slow normalization of genetic data in underwriting over the coming years.

The Bigger Picture

23andMe's bankruptcy filing in 2025 raised the stakes further. When a company holding genetic data goes bankrupt, that data becomes a business asset that can be sold. The California Attorney General issued guidance urging users to delete their data before any acquisition — an extraordinary step. [5]

This is why genetic privacy is fundamentally different from other breaches. A stolen password can be changed. A stolen credit card can be replaced. Your DNA is permanent. Whatever was exposed will remain accurate about you for the rest of your life. If your breach data is being combined with data broker profiles, consider a free reputation report to see what's out there.


Sources & Citations

  1. 23andMe SEC filing (October 2023): Disclosure of credential stuffing attack affecting approximately 14,000 accounts directly and 6.9 million users through the DNA Relatives feature. SEC / 23andMe
  2. TechCrunch reporting on the 23andMe breach scope, credential stuffing methodology, and targeted data scraping of Ashkenazi Jewish and Chinese descent users. TechCrunch
  3. National Human Genome Research Institute: Overview of the Genetic Information Nondiscrimination Act (GINA) protections and limitations. NIH / NHGRI
  4. California Attorney General guidance urging 23andMe users to delete genetic data ahead of potential bankruptcy acquisition (March 2025). California Attorney General
  5. Electronic Frontier Foundation analysis of genetic privacy risks and the permanent nature of DNA data exposure in consumer testing breaches. Electronic Frontier Foundation
