1. I opted in to sharing my information with everyone that 23andMe identified as relatives. "Relatives" in this context means genetic 4th cousins or closer. For me that turned out to be 1500 people, all of whom are as far as I know complete strangers to me (I'm adopted).
2. One or more of those 1500 people used the same password on 23andMe that they used on some other site that suffered a breach that gave up plaintext passwords.
3. That password was included in a credential stuffing attack that let someone get into their 23andMe account, where that intruder downloaded the account owner's relatives list which included my information.
When I chose to share my data with 1500 strangers I was pretty much conceding that I didn't really care who got it.
Technically, you could probably get access to and scrape all that data by uploading fake data, or someone else's. It will do very little that is useful unless you're into genealogy.
If you send your DNA to a company in the mail you should assume everyone in the world will eventually be able to see it.
You should also assume your MegaCorp, if you work for one, has also already seen it (in many cases they can buy it from various data brokers or even off the grey market).
I'm not saying this is the way things should be, just things as I know them to be.
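The attack chain in the numbered list at the top of the thread (credential stuffing into one relative's account, then a download of that account's relatives list) is the sort of thing a service can catch in its own authentication and activity logs. The following is an added example, not code from 23andMe or from anyone in this thread; the log format, field names, thresholds and the sample log lines are all constructed here for illustration. It flags a source that tries many distinct accounts in a short window, treats every successful login from that source as a takeover, and then flags relatives-list exports that come from a taken-over account or are unusually large.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log for illustration only; not real 23andMe data.
# Format per line: <ISO timestamp> <event> <account> <source_ip> [<records>]
SAMPLE_LOG = """\
2023-08-01T10:00:01Z login_fail alice 198.51.100.7
2023-08-01T10:00:09Z login_ok alice 198.51.100.7
2023-08-01T10:00:40Z export_relatives alice 198.51.100.7 12
2023-08-01T10:01:00Z login_fail u1001 203.0.113.5
2023-08-01T10:01:01Z login_fail u1002 203.0.113.5
2023-08-01T10:01:02Z login_fail u1003 203.0.113.5
2023-08-01T10:01:03Z login_ok u1004 203.0.113.5
2023-08-01T10:01:04Z login_fail u1005 203.0.113.5
2023-08-01T10:01:05Z login_fail u1006 203.0.113.5
2023-08-01T10:01:06Z login_ok u1007 203.0.113.5
2023-08-01T10:01:07Z login_fail u1008 203.0.113.5
2023-08-01T10:01:08Z login_fail u1009 203.0.113.5
2023-08-01T10:01:09Z login_fail u1010 203.0.113.5
2023-08-01T10:02:00Z export_relatives u1004 203.0.113.5 1500
2023-08-01T10:02:30Z export_relatives u1007 203.0.113.5 1317
"""

# Assumed thresholds; tune against real traffic before deploying anything like this.
WINDOW = timedelta(minutes=10)
MIN_ACCOUNTS = 8        # distinct accounts one IP may try inside WINDOW before it looks like stuffing
MAX_SUCCESS_RATE = 0.5  # a person mistyping one password does not fail across many accounts
BULK_EXPORT = 1000      # relatives-list export size that deserves a second look on its own


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records = int(parts[4]) if len(parts) > 4 else 0
        events.append({"ts": ts, "event": parts[1], "account": parts[2],
                       "ip": parts[3], "records": records})
    return events


def find_stuffing_sources(events):
    """Return {ip: time_first_flagged} for sources that hit many distinct accounts inside WINDOW."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] in ("login_fail", "login_ok"):
            logins[e["ip"]].append(e)
    flagged = {}
    for ip, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # all login attempts from this IP in the WINDOW ending at the current attempt
            window = [e for e in evs[: i + 1] if cur["ts"] - e["ts"] <= WINDOW]
            accounts = {e["account"] for e in window}
            successes = sum(e["event"] == "login_ok" for e in window)
            if len(accounts) >= MIN_ACCOUNTS and successes / len(window) <= MAX_SUCCESS_RATE:
                flagged[ip] = cur["ts"]
                break
    return flagged


def find_compromised_accounts(events, stuffing_ips):
    """Any account that logged in successfully from a flagged source is treated as taken over."""
    return {e["account"] for e in events
            if e["event"] == "login_ok" and e["ip"] in stuffing_ips}


def find_suspicious_exports(events, compromised):
    """Relatives-list exports worth blocking or reviewing, with the reason(s) for each."""
    findings = []
    for e in events:
        if e["event"] != "export_relatives":
            continue
        reasons = []
        if e["account"] in compromised:
            reasons.append("account logged in from a credential-stuffing source")
        if e["records"] >= BULK_EXPORT:
            reasons.append(f"bulk export of {e['records']} relatives")
        if reasons:
            findings.append((e["ts"].isoformat(), e["account"], e["ip"], e["records"], reasons))
    return findings


def analyse(text):
    events = parse_log(text)
    ips = find_stuffing_sources(events)
    compromised = find_compromised_accounts(events, ips)
    return {"stuffing_ips": ips, "compromised": compromised,
            "exports": find_suspicious_exports(events, compromised)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, ts in result["stuffing_ips"].items():
        print(f"stuffing source {ip} flagged at {ts.isoformat()}")
    print("accounts to lock and force password reset + MFA:", sorted(result["compromised"]))
    for ts, account, ip, n, reasons in result["exports"]:
        print(f"{ts} {account}@{ip} exported {n} records: {'; '.join(reasons)}")
```

On the constructed log, alice's own login and 12-record export pass untouched, while 203.0.113.5 is flagged on its eighth distinct account, the two accounts it got into are listed for lockout, and both of their exports are reported for two reasons each. The detector only reports; the response that actually closes the loop is to kill the flagged sessions, reset those accounts with MFA required, and rate-limit relatives-list exports per account and per source.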
DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack - https://news.ycombinator.com/item?id=44300220 - June 2025 (1 comment)
23andMe tells victims it's their fault that their data was breached - https://news.ycombinator.com/item?id=38856412 - January 2024 (368 comments)
Can people sue Oprah?
Anyway, I never submitted the test. But I know for a fact that family has. It's really annoying that others can make these sorts of linked decisions for you - especially as we are now acutely aware that this type of data can, will and I'm sure is being used in ways that basically nobody would consent to.
None of these make the victims whole. The typical customer would rather pay $1000 to not have their private medical records stolen. Giving them just $165 or a few years of monitoring is insulting. What does that monitoring even achieve?
(disclosure: I am a member of the class, as is most of my family, no other affiliation)
Precedent is everything, the members of the class who drag down expectations for the rest of us are actively committing harm by denying a resolution to our collective claims. Solidarity is the sole responsibility of a class of people.
https://news.ycombinator.com/item?id=38857170
https://news.ycombinator.com/item?id=38857228
https://news.ycombinator.com/item?id=38857476
> I will eat crow if it comes to light that this was entirely unavoidable on 23andme's part. (me)
> You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.
This class action and the £2.3M extracted by a UK regulator sure feels like legal culpability. There must be consequences, otherwise nothing will change. I accept some action vs no action, when perfect is out of reach. We are building systems, requiring constant tuning and improvement.
Closing the loop on this provides an immutable case study on this topic.
(I manage and am responsible for systems that protect enterprise and customer data for millions of customers at a fintech, I take this work seriously, because someone should; if you want better behavior, we need better legal tools to go after corporations for these failures, intentional or not)
Individuals had responsibility when they made these decisions. It is on the courts to make the victims whole, despite the shenanigans around corporate liability limits.
EDIT: I legitimately think that if we _don't_ hold individuals accountable for these sorts of data breaches of the most sensitive data imaginable then there is no sense to legal systems.
EDIT2: Assuming Gemini has any semblance of accurate information, here are some individuals to consider beginning with:
- Anne Wojcicki (Co-Founder, Chair of the Board) Estimated Net Worth: $150 Million - $270 Million (Note: Her net worth peaked significantly higher when 23andMe's valuation was high, but has been adjusted downward following the company's financial struggles and bankruptcy filing).
Other Known Affiliations: Co-founder and board member of the Breakthrough Prize Foundation. Former wife of Google co-founder Sergey Brin.
- Andre Fernandez (Independent Director) Estimated Net Worth: At least $1 Million (based on reported stock holdings as of late 2025).
Other Known Affiliations: Former CFO of WeWork Inc. and NCR Voyix Corp. Serves on the board of Cardlytics.
- Jim Frankola (Independent Director) Estimated Net Worth: At least $18 Million (based on reported stock holdings in late 2025).
Other Known Affiliations: Former CFO of Cloudera Inc. and Ariba. Serves as a Director and Audit Committee Chair for Ansys, Inc.
- Mark Jensen (Independent Director, Lead Independent Director) Estimated Net Worth: At least $12.7 Million - $19.1 Million (Note: Public records show different individuals with similar names and varying net worths; this estimate is based on the director with experience as CFO of RedLeaf, Lattice Semiconductor, and ForeScout, who served as a Director for Lattice Semiconductor Corp and holds a significant position at American Resources Corp).
Other Known Affiliations: Previous Audit Committee Chair for companies like Lattice Semiconductor and ForeScout.
- Neal Mohan (Past Independent Director) Estimated Net Worth: Not widely disclosed, but as CEO of a major tech platform, his compensation is substantial.
Other Known Affiliations: Chief Executive Officer (CEO) of YouTube.
- Roelof Botha (Past Independent Director) Estimated Net Worth: $1.5 Billion - $2 Billion (primarily due to his role as a successful venture capitalist).
Other Known Affiliations: Partner at venture capital firm Sequoia Capital.
- Patrick Chung (Past Independent Director) Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.
Other Known Affiliations: Co-founder and Managing Partner at Xfund.
- Peter J. Taylor (Past Independent Director) Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.
Other Known Affiliations: President of Greatland Investment Group; former CFO and Executive Vice President of PG&E Corporation.
- Richard Scheller, Ph.D. (Past Independent Director) Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.
Other Known Affiliations: Former Chief Science Officer and Head of Research and Early Development at Genentech.
- Sandra Hernández, M.D. (Past Independent Director) Estimated Net Worth: Not widely disclosed; compensation for her director role was reported in 2024.
Other Known Affiliations: CEO of the California Health Care Foundation.
- Valerie Montgomery Rice, M.D. (Past Independent Director) Estimated Net Worth: Not widely disclosed; compensation for her director role was reported in 2024.
Other Known Affiliations: President and CEO of the Morehouse School of Medicine.
William Roper: “So, now you give the Devil the benefit of law!”
Sir Thomas More: “Yes! What would you do? Cut a great road through the law to get after the Devil?”
William Roper: “Yes, I'd cut down every law in England to do that!”
Sir Thomas More: “Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat? This country is planted thick with laws, from coast to coast, Man's laws, not God's! And if you cut them down, and you're just the man to do it, do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake!”
― Robert Bolt, A Man for All Seasons: A Play in Two Acts