23andMe Data Breach: Your DNA, Their Problem

Your password got compromised. Change it. Your credit card got stolen. Cancel it. Your email got hacked. Make a new one.

Your DNA got leaked?

Well. That's permanent.

23andMe just disclosed that hackers accessed data from 6.9 million users—roughly half their customer base. Genetic information. Ancestry details. Health predispositions. Family connections. The kind of data that doesn't just identify you—it identifies your relatives, your descendants, your entire bloodline.

And there's no reset button for that.

How it happened (and why it's worse than you think)

The attack itself was almost mundane. Credential stuffing. Hackers took usernames and passwords leaked from other breaches and tried them on 23andMe accounts. Turns out, people reuse passwords. Shocking, I know.
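Credential stuffing leaves a distinctive trace in authentication logs: one source tries many different usernames in a short burst, most attempts fail, and the few that succeed are the accounts that reused a leaked password. The script below is an added example (not 23andMe's code) that runs that heuristic over a constructed log; the log format, thresholds and IP addresses are all assumptions for illustration.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example, not code from 23andMe or from the article. The log format is
constructed: "<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays eight different accounts in seven
# seconds (two reused passwords work); 198.51.100.9 is one user mistyping.
SAMPLE_LOG = """\
2023-10-01T12:00:00Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T12:00:01Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol LOGIN_OK
2023-10-01T12:00:03Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T12:00:04Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T12:00:05Z 203.0.113.7 frank LOGIN_OK
2023-10-01T12:00:06Z 203.0.113.7 grace LOGIN_FAIL
2023-10-01T12:00:07Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T12:05:00Z 198.51.100.9 ivan LOGIN_FAIL
2023-10-01T12:05:10Z 198.51.100.9 ivan LOGIN_FAIL
2023-10-01T12:05:20Z 198.51.100.9 ivan LOGIN_OK
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # "Z" suffix is not accepted by fromisoformat() before Python 3.11.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, ip, user, result == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.5):
    """Return {ip: sorted usernames that logged in OK} for every source IP
    that, within one `window`, tried at least `min_users` distinct accounts
    and mostly failed. Thresholds are illustrative assumptions.

    The successful logins inside such a burst are the accounts to lock,
    force-reset and notify: their password was almost certainly reused.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):           # sliding time window
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len({e.user for e in win}) < min_users:
                continue
            successes = [e for e in win if e.ok]
            if len(successes) / len(win) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(e.user for e in successes)
    return {ip: sorted(users) for ip, users in flagged.items()}


if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

The single-user retry from 198.51.100.9 is not flagged, because the distinguishing signal is account diversity from one source, not failure count alone. In a real deployment the same logic would run over the identity provider's sign-in events and feed an automated lockout or step-up authentication for the accounts that succeeded.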

But here's where it gets interesting: even if your password was unique and secure, you might still be compromised. Because 23andMe has this feature called "DNA Relatives" that lets you connect with people who share your genetic markers.

So if your cousin used "password123" and got compromised? The attacker now has access to your genetic information too. Through no fault of your own, your DNA data is now in the hands of whoever bought it off a hacking forum.

You can't control other people's password hygiene. But their poor security practices can still expose your most intimate personal data.

That's not a security failure. That's a fundamental architectural problem with centralized databases of immutable personal information.
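The transitive exposure described above is easy to quantify once the sharing relationship is treated as a graph: every account an attacker takes over reveals the match data of everyone connected to it, regardless of how strong those neighbours' own passwords were. The example below is added here and is not 23andMe's code; the match graph, account names and the set of compromised accounts are constructed for illustration.

```python
"""Blast radius of account takeover in an opt-in relatives-matching feature.

Added example, not 23andMe's code. The graph and account names are constructed.
"""
from collections import defaultdict

# Constructed undirected match graph: an edge means both accounts opted in
# and can see each other's shared genetic-match profile.
MATCHES = [
    ("ann", "ben"), ("ann", "cat"), ("ben", "dan"),
    ("cat", "eve"), ("eve", "fay"), ("gus", "hal"),
]

# Constructed: only ann reused a password that appeared in another breach.
COMPROMISED = {"ann"}


def build_graph(edges):
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def exposed_accounts(graph, compromised, hops=1):
    """Return (direct, indirect): `direct` is the compromised set itself,
    `indirect` is every account whose shared data becomes visible through
    those takeovers. hops=1 models a feature that shows each account its own
    matches; larger values model a hypothetical feature that also exposes
    matches of matches, and are included only to show how fast that grows."""
    direct = set(compromised)
    seen = set(direct)
    frontier = set(direct)
    for _ in range(hops):
        frontier = {n for u in frontier for n in graph[u]} - seen
        seen |= frontier
    return direct, seen - direct


def report(edges=MATCHES, compromised=COMPROMISED):
    graph = build_graph(edges)
    everyone = set(graph)
    direct, indirect = exposed_accounts(graph, compromised)
    # Users who did nothing wrong but are exposed anyway
    return {
        "compromised": sorted(direct),
        "exposed_via_relatives": sorted(indirect),
        "exposed_share": round(len(direct | indirect) / len(everyone), 2),
    }


if __name__ == "__main__":
    print(report())
```

With one reused password the feature exposes two further accounts out of eight. Run against a real match graph, the same computation tells an incident responder which users must be notified even though their own credentials were never attacked, and it makes the design argument concrete: limiting what a match can see, or making that sharing revocable, shrinks the indirect set without touching password policy at all.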

The data you can never take back

When your credit card number gets stolen, it's annoying. But you call the bank, they issue a new number, and you move on with your life. The old number becomes worthless.

When your DNA data gets stolen, it's yours forever. You can't get a new genome. You can't revoke access to your genetic markers. That information is now out there, permanently, irrevocably.

And it's not just about you. Your DNA reveals information about your parents, your siblings, your children. Everyone who shares genetic material with you is partially compromised by your data breach.

This is the dark side of genetic testing. You're not just sharing your privacy—you're sharing your family's privacy, potentially across generations. Your great-great-grandchildren might have to deal with the consequences of you sending in a saliva sample in 2023.

Think about that.

What even is genetic data worth?

You might be wondering: why would hackers want genetic data? It's not like they can use your DNA sequence to buy stuff online.

Oh, but they can do so much worse.

Insurance companies would love to know about your genetic predispositions. Employment discrimination based on health risks is illegal... until it's not. Law enforcement can use familial DNA searches. Foreign intelligence agencies can build databases of genetic information for who-knows-what purposes.

And we're just scratching the surface. As our understanding of genetics improves, the value and potential misuse of this data only increases. What seems harmless now might be weaponizable in ten years.

The point is: genetic data is uniquely sensitive and uniquely permanent. And we're trusting private companies to protect it forever, despite a track record that suggests they can barely protect it for a fiscal quarter.

The hubris of centralization

Here's what really bothers me about 23andMe and companies like it: they've convinced millions of people to hand over the most personal data imaginable and store it in a centralized database.

Not on your computer. Not on a hard drive you control. On their servers, in their cloud, subject to their security practices and their business decisions.

And in return, you get... what? A report about whether you're likely to have attached or detached earlobes? An approximation of your ancestry that changes every time they update their algorithms?

The entire model is backwards. You generate the data. You should own it. It should live on your devices, encrypted with keys only you control. If you want to share it with researchers or genealogy databases, you should make that choice, temporarily, revocably.

Instead, you mail off your spit, and it becomes part of a permanent, centralized honeypot for hackers and a goldmine for whoever ends up owning the company after the inevitable acquisition or bankruptcy.

When backups make everything worse

Here's a fun thought: 23andMe almost certainly has backups of this data. Good backups, probably. Multiple copies in different locations, with retention policies measured in years.

Which means even if they wanted to delete your data after this breach, they probably can't completely erase it. It's in backup systems. In offline archives. In disaster recovery sites.

The very practices that protect against data loss ensure that your leaked genetic information will persist in 23andMe's infrastructure for years. The backups that were meant to protect you have become a liability.

This is the paradox of sensitive data in the cloud. The more robust and comprehensive the backup strategy, the harder it is to truly delete information when it becomes toxic.
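The standard engineering answer to this paradox is crypto-shredding: encrypt each user's record under its own data key, keep the keys in a vault that is never part of the record backups, and honour a deletion request by destroying the key, so every surviving copy of the ciphertext, in offline archives and disaster-recovery sites alike, becomes unreadable at once. The code below is an added example, not 23andMe's design; the store, the sample genotype string and the HMAC-based keystream cipher are constructed for illustration, and a production system would use a vetted AEAD such as AES-GCM from a real cryptography library in place of the toy cipher.

```python
"""Crypto-shredding: deleting a key instead of hunting down every backup.

Added example, not 23andMe's code. The cipher below is a toy HMAC-SHA256
counter-mode construction with an HMAC tag, used only so the example runs with
the standard library; use a vetted AEAD (e.g. AES-GCM) in real systems.
"""
import hashlib
import hmac
import secrets


def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )


def toy_encrypt(key, plaintext):
    """nonce || ciphertext || tag, with separate encryption and MAC subkeys."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # verify before decrypting
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class GenomeStore:
    """Per-user data keys live in `key_vault`; only `records` is ever backed up."""

    def __init__(self):
        self.records = {}    # user -> encrypted blob (replicated, archived, backed up)
        self.key_vault = {}  # user -> 32-byte data key (never in record backups)

    def store(self, user, genome_bytes):
        key = secrets.token_bytes(32)
        self.key_vault[user] = key
        self.records[user] = toy_encrypt(key, genome_bytes)

    def read(self, user):
        key = self.key_vault.get(user)
        if key is None or user not in self.records:
            return None          # no key: ciphertext alone is worthless
        return toy_decrypt(key, self.records[user])

    def backup(self):
        return dict(self.records)

    def restore(self, snapshot):
        self.records.update(snapshot)

    def shred(self, user):
        """Honour a deletion request by destroying the key, not the copies."""
        self.key_vault.pop(user, None)
        self.records.pop(user, None)


def demo():
    store = GenomeStore()
    genotype = b"rs12345:AG;rs67890:CT"         # constructed sample record
    store.store("user-42", genotype)
    before = store.read("user-42")
    snapshot = store.backup()                  # offsite backup taken before the request
    store.shred("user-42")
    store.restore(snapshot)                    # old backup restored months later
    after = store.read("user-42")
    return {"before": before, "after": after, "ciphertext_survives": "user-42" in store.records}


if __name__ == "__main__":
    print(demo())
```

The restored backup still contains the user's ciphertext, which is exactly the retention problem the section describes; the difference is that without the key it is noise. This only works if the key vault is genuinely separate from the data backups and has its own short retention, which is the part of the design that most often gets skipped.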

Data sovereignty starts at home

The 23andMe breach is a stark reminder that some data is too sensitive to trust to third parties, no matter how convenient their service is.

Your DNA. Your medical records. Your financial history. Your private communications. These shouldn't live in someone else's cloud database, subject to their security failures and business pressures.

I'm not saying you should never use online services. But you need to be realistic about the risks. Every piece of data you upload is a permanent record that could be breached, subpoenaed, sold, or used against you.

For truly sensitive information, the only safe place is on storage you physically control. Encrypted. Offline. With backups that you manage according to your own risk tolerance.

Yes, it's less convenient. You can't access it from anywhere. You have to think about your own security instead of trusting someone else's.

But "convenient" isn't very comforting when your genetic data is being sold on hacking forums.

The privacy you can't get back

The saddest part of this breach is that the affected users can't undo it. Their genetic information is out there now. It'll be traded, sold, analyzed, and archived by who-knows-whom for who-knows-what purposes.

And 23andMe will offer credit monitoring or something equally useless as compensation. Because what else can they do? They can't give people new DNA.

This is the endgame of our "upload everything" culture. We've normalized the idea that our most personal information should live in corporate databases, protected by terms of service and security practices we have no control over.

And when—not if, when—those databases get breached, we act surprised. As if this wasn't the inevitable outcome of centralizing the world's private information in a handful of companies running on venture capital fumes and hoping to exit before the security bill comes due.

Your data. Your control. Your responsibility.

Don't let someone else's infrastructure problems become your permanent privacy nightmare.

—Glad I never sent in my DNA sample