If you send your DNA to a company in the mail you should assume everyone in the world will eventually be able to see it.
1. I opted in to sharing my information with everyone that 23andMe identified as relatives. "Relatives" in this context means genetic 4th cousins or closer. For me that turned out to be 1500 people, all of whom are as far as I know complete strangers to me (I'm adopted).
2. One or more of those 1500 people used the same password on 23andMe that they used on some other site that suffered a breach that gave up plaintext passwords.
3. That password was included in a credential stuffing attack that let someone get into their 23andMe account, where that intruder downloaded the account owner's relatives list, which included my information.
When I chose to share my data with 1500 strangers I was pretty much conceding that I didn't really care who got it.
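The three-step chain the comment above lays out (password reuse elsewhere, credential stuffing against 23andMe, then bulk download of each compromised account's relatives list) has a recognisable signature in an authentication log: a single source trying many distinct usernames with a low success rate, as opposed to one user retrying their own password. The following is an added example, not code from the commenter or from 23andMe, that parses a small constructed login log, flags sources matching that pattern, and lists the accounts whose shared data should be treated as exposed. The log format, IP addresses, usernames and thresholds are all assumptions made up for illustration.

```python
"""Added example: flag credential-stuffing sources in a login log.

Credential stuffing looks different from a user mistyping their own
password: one source tries many *distinct* usernames, most attempts
fail, and the few successes are the accounts whose reused password
leaked elsewhere. Every name, address, threshold and log line below is
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 walks six different accounts and lands one (carol);
# 198.51.100.4 is a single user (alice) retrying until she gets it right.
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:02 203.0.113.7 carol OK
2023-10-01T10:00:03 203.0.113.7 dave FAIL
2023-10-01T10:00:03 203.0.113.7 erin FAIL
2023-10-01T10:00:04 203.0.113.7 frank FAIL
2023-10-01T10:00:05 198.51.100.4 alice FAIL
2023-10-01T10:00:09 198.51.100.4 alice FAIL
2023-10-01T10:00:15 198.51.100.4 alice OK
"""


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in


def parse_log(text):
    """Turn the whitespace-separated log lines into Attempt records."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(ts, ip, user, result == "OK"))
    return attempts


def stats_by_source(attempts):
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for a in attempts:
        s = stats[a.ip]
        s.attempts += 1
        s.users.add(a.user)
        if a.ok:
            s.successes.add(a.user)
    return stats


def find_stuffing_sources(attempts, min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: SourceStats} for sources that try many distinct accounts
    and mostly fail. The thresholds are assumed values; tune them to the
    service's normal traffic."""
    flagged = {}
    for ip, s in stats_by_source(attempts).items():
        success_rate = len(s.successes) / s.attempts
        if len(s.users) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[ip] = s
    return flagged


def compromised_accounts(attempts, **thresholds):
    """Accounts that a flagged source logged into successfully. Anything
    those accounts could see (e.g. a relatives list) should be assumed
    downloaded."""
    exposed = set()
    for s in find_stuffing_sources(attempts, **thresholds).values():
        exposed |= s.successes
    return exposed


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for ip, s in find_stuffing_sources(records).items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} distinct users, "
              f"{len(s.successes)} succeeded")
    print("accounts to treat as compromised:", sorted(compromised_accounts(records)))
```

The useful output is not the flagged IP but the set of accounts it got into: in the scenario above, the exposure of a given person's data is decided by whether any account that had them on its relatives list is in that set, not by whether their own login was touched.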
DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack - https://news.ycombinator.com/item?id=44300220 - June 2025 (1 comment)
23andMe tells victims it's their fault that their data was breached - https://news.ycombinator.com/item?id=38856412 - January 2024 (368 comments)
None of these make the victims whole. The typical customer would rather pay $1000 to not have their private medical records stolen. Giving them just $165 or a few years of monitoring is insulting. What does that monitoring even achieve?