23andMe - The genetic testing company that sold 14 million users' DNA data We warned you. We said: "Don't mail your spit to a tech company." Millions of people did anyway, because the pitch sounded harmless: find cousins, learn ancestry, get a few health hints, maybe discover you are 2% more interesting at parties. Then 23andMe filed for bankruptcy protection in March 2025. Suddenly the most intimate dataset a person can hand over was being discussed like an asset class: customers, samples, traits, research consents, and genetic files wrapped into a sale process. The Asset Class When a company goes bust, creditors get paid. 23andMe did not just have brand equity and lab equipment. It had you. The Data: roughly 15 million customer accounts, with genetic and health data attached to many of them. The Buyer Question: a pharmaceutical company may promise to honor the old privacy policy, but users still have to trust a new owner, a new board, and a new set of business incentives. The Legal Fight: regulators and state attorneys general argued that genetic data should not move without explicit, informed consent. The Forever Leak You can change your credit card. You can change your password. You cannot change your DNA. Once this data is leaked or sold, it is compromised for your entire life. And your children's lives. The 2023 breach already proved the danger. Attackers exposed sensitive profile and ancestry information for millions of users. Even if a company later says the core genotype files were not part of a specific incident, the privacy harm is not theoretical. Genetic services create family-scale exposure: your decision can reveal information about siblings, parents, children, and relatives who never agreed to the test. Deletion Is Not A Time Machine After the bankruptcy, many customers rushed to delete accounts. That is still the right move if you no longer want the service, but deletion is not magic. It may not claw back copies already shared with research partners. It may not erase de-identified research aggregates. It may not undo breach exposure. And users have to trust that the deletion pipeline is complete, audited, and honored during a corporate sale. What Can You Do? Request deletion: Use the account deletion flow and separately request destruction of stored samples if the service offers it. Revoke research consent: Do not assume deleting the account also revokes every optional research permission. Save receipts: Keep screenshots or emails confirming deletion and sample destruction requests. Understand GINA limits: In the US, GINA restricts some health insurance and employment uses, but it does not cover every risk category, including life insurance in many contexts. Warn family: Your DNA is also information about relatives. They deserve to know if their genetic privacy may be affected by your past upload. The Lesson: Biometrics are not usernames. Never give them up.