23andMe was a household name for many years. People anxiously mailed off their saliva kits for genetic testing, crossing their fingers in the hope of the best. The company made headlines everywhere, making genetic testing exciting and accessible, blending science with personal stories.
However, by 2025, the company was in the news for all the wrong reasons: a significant data breach, consumer lawsuits, bankruptcy, and a dispute over ownership of millions of genetic profiles. Here’s how one of Silicon Valley’s most prominent figures fell so far.
The Data Breach
It all began in 2023 when hackers accessed 23andMe’s data. The company blamed credential stuffing, a technique in which hackers reuse stolen usernames and passwords from other sites to gain access to people’s accounts.
Initially, it seemed diminutive. Only around 14,000 accounts were directly compromised. However, a twist emerged: due to features like DNA Relatives, which allowed users to connect their genetic data to cousins, siblings, or distant relatives, the consequences became more severe. Suddenly, information linked to millions of profiles was exposed. Names, dates of birth, ancestral breakdowns, and even family surnames linked to genetic data were exposed.
Even worse, hackers seemed to target specific groups. Reports showed that “Ashkenazi Jewish and Chinese consumers” were particularly affected. Imagine your family tree chart being stolen and sold on the dark web!
The company’s response? A typical Silicon Valley shrug. 23andMe stressed that it wasn’t a direct system hack, but rather a case of user password reuse. Critics remained unconvinced. Accusing the customers wasn’t a good look, particularly when you’re safeguarding something as delicate as DNA. Security experts asserted that two-factor authentication should have been standard long ago.
Soon, class-action lawsuits began to accumulate. By 2024, the company agreed to a $30 million settlement with angry clients. However, the reputational damage was far worse than the monetary loss. Trust, the one thing you can’t afford to lose when you’re asking people for their genetic code, had been shattered beyond repair.
The Journey to Bankruptcy
Even before the breach, 23andMe’s business model was already under strain. After the initial customer craze, sales of DNA kits dropped. Once you discover you’re 4% Irish and have a tendency to get restless legs, you don’t actually need to keep purchasing tests.
The company attempted to shift its focus to partnerships for medication discovery with pharmaceutical companies. At one point, its valuation even hit $6 billion. However, these big bets did not pay off, and excitement faded. By 2025, the stock price had dropped, and layoffs rolled through the company.
In March 2025, 23andMe filed for Chapter 11 bankruptcy protection. That’s when the truly unpleasant questions started. In bankruptcy court, assets get sold to pay creditors. But what is considered an asset when you’re 23andMe? The lab equipment? Sure. The office chairs? Why not. But what about the genetic information of 15 million clients? Your DNA could end up in another firm or worse, sold to the highest bidder. That possibility terrified regulators, privacy advocates, and customers alike—for good reason.
Customer Fear and Legal Pressure
Several State Attorneys General promptly voiced concerns. California advised users to delete their data before selling, Pennsylvania advised residents to file claims by July, and Missouri issued its own warnings.
A court-appointed privacy ombudsman studied the matter and emphasized that buyers must respect existing privacy policies, inform customers, and maintain safeguards. However, once genetic data becomes public, it cannot be changed. This concern led many to close their accounts.
The Auction Drama
Bankruptcy proceedings set the stage for a bidding fight. Pharmaceutical industry giant Regeneron offered $256 million for 23andMe, promising to protect the company’s private agreements. However, concerns were raised about a drugmaker controlling millions of DNA profiles!
Then, in a move that no one saw coming, co-founder Anne Wojcicki, who had led 23andMe since its beginning, returned with a challenging offer through her nonprofit, the TTAM Research Institute. Her bid, which had initially been lower, later increased to $305 million, surpassing Regeneron’s offer. For Wojcicki, it was more than business; it was an opportunity to reclaim her legacy and establish herself as a protector of customer privacy.
The Return of The Founder
In June 2025, The Guardian reported that the co-owner of 23andMe had won the bid to regain control of the company, and Wojcicki’s nonprofit took official ownership. By that time, 15% of users had deleted their accounts due to a loss of confidence.
Wojcicki promised reforms, including the establishment of a privacy board, the issuance of yearly reports on transparency, and the honoring of removal requests. Instead of prioritizing profits, TTAM focused on ethics and research.
However, state coalitions filed charges to stop the sale, except for the customers who agreed to transmit their genetic data.
The Unsolved Trust Issue
Despite new ownership, one problem persists: DNA, which isn’t like a debit card that can be canceled. It’s you—unchangeable, highly private, and valuable to researchers, insurers, and even governments.
Since 23andMe functioned outside traditional healthcare, it wasn’t bound by HIPAA, the main U.S. health privacy law. Consumers agreed to lengthy terms of service that provided limited options in the event of problems. That gap in protection became evident during the bankruptcy procedure.
Privacy advocates argue that the 23andMe case illustrates the need for a distinct category of legal protection for genetic data, with stringent restrictions on its purchase, sale, or transfer.
What Options Do Clients Have?
- Delete your data if you’re concerned, as TTAM allows removal requests.
- Stay informed about legal developments, as state regulators may enforce new rules.
- Expect greater oversight: legislators are under pressure to make sure this never happens again.
Lessons from the Company’s Collapse
23andMe’s story serves as a cautionary tale. It started as a company that integrated genetic science into daily life, turning spit kits into popular conversation starters. But the data breach, lawsuits, and bankruptcy show that managing DNA requires more than clever marketing; it demands high security and transparency.
The company’s failure also reveals a bigger truth: once you share your personal data, whether it’s your browsing history or genetic information, retrieving it is nearly impossible. Bankruptcy courts treat businesses like balance sheets, not as protectors of personal identity!
Looking into the Future
Under Wojcicki’s nonprofit, 23andMe might rebuild gradually, focusing on research and regaining consumer confidence. However, winning back trust won’t be easy because the damage is already done.
The bigger lesson? Be cautious of where you share your personal information. DNA isn’t just another piece of information; it’s the ultimate identifier. And if 23andMe’s story proves anything, it’s that our DNA deserves more protection!
Therefore, the next time someone gifts you a DNA kit, pause before opening the cap. Your family history may be fascinating, but your privacy is priceless.
