23andMe Bankruptcy Raises Question: Is DNA Testing Secure?

Before tracing family roots and sharing your data, ask yourself these questions about privacy

Edward C. Baig,

Updated March 24, 2025

AARP

Comments

En español

Published December 06, 2023

/ Updated March 24, 2025

filo/Getty

In this story

21% have taken test • Customers’ data hacked • Not just one company • What are your risks? • Your research is tradeoff • Get family buy-in • Law-enforcement access

If you’re putting together a family tree, curious about your ethnic roots or uncovering potential inherited diseases, submitting DNA samples can help you discover more about yourself.

In January 2025, more than 1 in 5 Americans said they had taken a mail-in DNA test, and 27 percent said a close family member such as a parent, sibling or child had taken one, according to a YouGov survey of nearly 1,200 U.S. citizens, the most recent survey on the topic.

By 2020, more than 30 million people globally had “started a DNA journey,” Ancestry’s then-chief executive, Margo Georgiadis, revealed in a blog post. Yet for all the possible rewards, is the journey safe?

For starters, make sure you’re ready for what you may learn. Families have discovered unpleasant surprises, such as a living or deceased sibling Mom or Dad never mentioned.

Moreover, spitting saliva into a tube or even volunteering ancestral details to fill in gaps about your family’s past and present without surrendering any DNA carries inherent risks, some privacy advocates say.

Con artists look for vulnerabilities in websites

The point was driven home March 23 when genetic testing company 23andMe filed for Chapter 11 bankruptcy protection and co-founder Anne Wojcicki resigned as chief executive. Wojcicki remains on 23andMe’s board of directors and in a post on X, formerly Twitter, announced her intention to bid for the company as it seeks to reorganize under federal court approval.

Beyond recurring business struggles, security concerns have dogged 23andMe for some time and raised consumer questions about the safety of DNA testing overall.

In October 2023, a hacker leaked user data stolen from 23andMe onto an online forum. At that time, 23andMe said the criminal had been able to access just 0.1 percent of accounts — fewer than 14,000 — where usernames and passwords were the same as those on other compromised websites.

23andMe initially said that fewer than 14,000 of its accounts had been hacked. Two months later, the company revised the number to 6.9 million.

But two months later, the company disclosed that the hacker had accessed the profile data of 6.9 million users, roughly half the 23andMe customer base.

Leaked profile data appeared to target Ashkenazi Jews and people of Chinese descent. It contained display names, how recently the users had logged in to their accounts, predicted relationships and the percentage of DNA shared with close matches.

In some instances, it also included birth year, location, links to family trees, profile pictures and other photos. Data apparently was culled from an optional DNA Relatives feature that may help users identify genetic relatives by comparing autosomal chromosomes, the name for humans’ 22 pairs of chromosomes other than the one that determines a person’s biological sex.

As part of its investigation, 23andMe — Israeli internet analytics company Similarweb says that as of March 1 it was the fifth-most-visited ancestry and genealogy site worldwide — disabled and subsequently brought back some DNA Relatives features. Customers were instructed to reset their passwords, and 23andMe now requires all users to employ two-factor authentication to prove they are who they say they are.

This past February, a $30 million class action settlement related to the data breach received preliminary approval. Amid 23andMe’s “reported financial distress,” California Attorney General Rob Bonta urged customers Friday to “delete their data and destroy any samples of genetic material held by the company.”

Other companies’ data is exposed

23andMe is not the only security rupture to muddy in-home DNA testing.

In 2018. MyHeritage, the third-most-visited ancestry site in the U.S., revealed that email addresses and one-way “hashed” passwords of more than 92 million people who used the DNA and genealogy service had been breached. As part of a site’s security features, you often see your own passwords being displayed as a string of six or eight hash marks # or asterisks * when you type your information, no matter how long, on a login screen.

MyHeritage claimed no accounts were compromised since the hackers didn’t have the actual user passwords. The crooks also would need to have access to each customer’s unique hash key to unscramble the data.

In 2023. The Federal Trade Commission (FTC) reached a settlement with 1Health.io, formerly Vitagene, a San Francisco company that sold DNA health test kits to consumers. The agency had charged Vitagene with changing its privacy policy retroactively without notifying or obtaining consent from customers whose data the company had already collected.

The FTC also claimed that Vitagene deceived consumers about their ability to delete their own data. Over a two-year period, the agency said, it warned the company at least three times about storing unencrypted genetic, health and other personal information in publicly accessible data “buckets.” Vitagene has since discontinued its product line.

What are the risks of hacked databases?

Amassing information, not copying DNA. When a person’s exposed data is combined with other known or discovered data, the peril increases. And no one knows how the emergence of artificial intelligence might play a role.

“There is a very real risk of impersonation using personal information stolen from the DNA/genealogy service, as there is with any data breach. But an identity criminal is not going to be able to replicate your DNA,” says James E. Lee, president of the Identity Theft Resource Center in San Diego, which educates consumers on the risks of identity theft.

More convincing scams. With the risk of misusing your DNA extremely low, Lee says, “the most likely use of generative AI at the time is to craft a really believable phishing lure that could trick someone into sharing family or other personal information.”

More privacy breaches. Jennifer King, privacy and data policy fellow at the Stanford University Institute for Human-Centered Artificial Intelligence in California, worries about what could happen to user data in the long run if, say, a genetics company were to go belly-up or be sold to another enterprise that doesn’t provide the same protections.

Suzanne Bernstein, counsel at the Electronic Privacy Information Center (EPIC) in Washington, shares the concern, especially in the absence of federal privacy laws.

“There’s plenty of reasons to do direct-to-consumer genetic testing, and it’s certainly not all bad,” Bernstein says.

No federal protections. But people need to be aware that federal Health Insurance Portability and Accountability Act (HIPAA) privacy safeguards don’t cover these companies, she says. The onus to protect health and other personal information shouldn’t fall on the consumer.

“The burden should be on these companies to implement strong privacy and data security standards,” she says.

The companies offer a mixed bag. A subsequently updated 2021 Consumer Reports investigation revealed that while direct-to-consumer genetic testing companies generally do a relatively decent job of protecting your DNA data, many “over-collect personal information about you and overshare some of your data with third parties.”

How much are you willing to reveal to the public?

Copies can live on. Ancestry customers have the option to create public or private family trees. People who are living are visible only to the tree owner and anyone the tree owner invites to see. If you upload files to a public tree that you later make private or delete, those files may continue to exist on family trees of people who saved them to their trees while your tree was public.

If you share a tree with a relative, you can let the relative contribute to or edit your tree or merely let the person read it without editing privileges. If you are working with cousins, say, and give them the ability to make changes to your tree, you also can decide whether or not they can see other people on the tree who are still alive.

For extreme privacy, Ancestry lets you create an unindexed tree that won’t show up in search results.

Publicity can help your research. Since building out a family tree typically involves detective work, the more you share, the more you may discover. It’s a balancing act.

“You don’t know who inherited the family Bible that has that information you need [or has] a picture of your second great-grandmother that you’ve never seen before,” says Jennifer Utley, director of family history research at Ancestry.

Is your family cool with this?

King recommends asking your kids, grandkids or other relatives if they want to get involved or are OK with you adding them to a family tree. Not everyone will be.

“You have to understand that when you do this, it is not just about you,” King says. “It is also about everyone you’re related to. I think there’s the potential risk to individuals who are either of some high status or net worth, and/or the people who are associated or related to them.”

Flashvector/Getty

Can law enforcement access the DNA?

It depends. Company policies vary on what DNA may be shared with law enforcement.

For its part, 23andMe says, “Unless required to do so by law, we will not release a customer’s individual-level personal information to a law enforcement agency without asking for and receiving that customer’s explicit consent.”

Ancestry’s stance is similar: “DNA data is particularly sensitive, so we insist on a court order or search warrant as the minimum level of due process before we will review our ability to comply with a request. We also seek to put our customers’ privacy first, so we also will try to minimize the scope or even invalidate the warrant before complying.”

The two companies issue transparency reports that list such law enforcement requests. They don’t happen often, but different rules may apply when you spread the data around.

Site gives clues to a murderer. GEDmatch is an online site where you can upload and compare DNA results across several testing sites, including Ancestry, FamilyTree DNA, Living DNA, MyHeritage, tellmeGen and 23andMe. That way, you may find ancestors and genetic matches from a site you have no direct relationship with.

If you’re worried about privacy, you can use an alias and anonymous email address at GEDmatch. But if you opt in, which the company recommends, GEDmatch says law enforcement may use your DNA “to identify perpetrators of violent crimes.”

Sacramento, California–area investigators used GEDmatch to unmask the Golden State Killer in 2018 by studying third cousins. Two years later, Joseph James DeAngelo pleaded guilty to 13 murders and 13 rape-related charges and was sentenced to life in prison without parole. GEDmatch says it began its opt-in policy in May 2019, so all its users now can choose whether to share their information with law enforcement.

“The more information that is gathered and the more widely that it is shared, it’s very hard to control downstream use of that information,” Bernstein says. “And all of this is hard for a consumer to meaningfully control.”

%{postComment}%

This story, originally published Dec. 6, 2023, has been updated to reflect 23andMe’s bankruptcy filing.

Edward C. Baig covers technology and other consumer topics. He previously worked for USA Today, BusinessWeek, U.S. News & World Report and Fortune, and is author of Macs for Dummies and coauthor of iPhone for Dummies and iPad for Dummies. Follow him on LinkedIn; Threads; and X, formerly known as Twitter.

Unlock Access to AARP Members Edition

Join AARP to Continue

Already a Member? Login

Recommended for You

Benefits Recommended For You

See All