What exactly’s going on with 23andMe?

23andMe is facing scrutiny, with some experts calling it the beginning of the end for the popular genetic testing company. It’s been a rocky year for the saliva-based DNA testing brand, including a high-profile data breach and resignations from the company’s board last month.

Users are wondering what’s next — and if their personal data (including their literal DNA) are safe.

Here’s what we know.

In October 2023, 23andMe launched an investigation after a “threat actor” claimed to have obtained millions of users’ personal data.

By December, the company confirmed through a filing with the Securities and Exchange Commission that a hacker directly accessed 0.1% of its users’ accounts, or about 14,000 profiles. Still, because of the networks individual users can build, connecting their information to other possible relatives, the hacker was able to view the information of millions of users.

A spokesperson for the company told news outlets at the time that 6.9 million people had been affected: about 5.5 million customers who had opted into 23andMe’s “DNA Relatives” feature and 1.4 million users whose family tree information was accessed.

Information accessed included:

The company added that an additional 1.4 million customers who used the “DNA Relatives” feature had their “Family Tree” profiles accessed, which includes a limited subset of profile data.

23andMe said at the time that the hacker activity was contained and required existing users to reset their passwords and enable multifactor authentication for logging in.

The issue resulted in a class-action lawsuit that was filed in January and settled this month.

As part of the settlement, 23andMe admitted to no wrongdoing and agreed to pay $30 million to affected parties, including up to $10,000 to people who experienced significant losses, like identity theft, as a result of the breach.

The settlement will affect the millions of users whose data were targeted in the leak. In order to qualify, an affected 23andMe user must have been a U.S. resident on Aug. 11, 2023.

As of publication time, there’s no way to submit a claim to be a part of the settlement. Affected users will need to visit the 23andMe settlement website and enter their information when it becomes available, according to Forbes. The site will offer an online claim form and a downloadable PDF version if you prefer to submit by mail.

The entire 23andMe board of independent directors resigned last month, a rare move in the business world that experts say foreshadows an unstable situation.

The seven directors said in a letter addressed to 23andMe cofounder and CEO Anne Wojcicki that they had not received a plan regarding the company’s future that inspired confidence.

Wojcicki previously expressed a desire to take 23andMe private, which sparked concern among the board members.

“While we continue to wholeheartedly support the Company’s mission and believe deeply in the value of the personalized health and wellness offering that you have articulated, it is also clear that we differ on the strategic direction for the Company going forward,” the letter said. “Because of that difference and because of your concentrated voting power, we believe that it is in the best interests of the Company’s shareholders that we resign from the Board rather than have a protracted and distracting difference of view with you as to the direction of the Company.”

Wojcicki responded to the resignations through an employee memo in which she expressed her “surprise” and disappointment in the directors’ decision. She added that she still believed taking 23andMe private was the best option, but clarified that she isn’t considering third-party takeover proposals.

Wojcicki said she would identify new directors to join the board. She remains the only board member listed on the company’s website.

Experts say 23andMe users’ data are no more at risk today than it has ever been, but added that customers should review the company’s privacy policies and think about which data are available and where they want them shared.

Customers can consent to 23andMe sharing their anonymized genetic information with third-party companies for various reasons, including medical research. Experts told CBS that this type of data sharing can come with vulnerabilities, but that they are not unique to 23andMe.

About 80% of 23andMe customers consent to participate in the company’s research program, which has generated nearly 300 peer-reviewed publications regarding genetic insights into disease, the company said.

Still, users became more concerned when Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, raised flags about the company in a social media post.

“If you have a 23andme account, today is a good day to log in and request the deletion of your data,” she wrote on X.

To delete an account, users can log in and go to the Account Settings tab. Users will go through the prompts and identity verification before getting an email asking for confirmation to delete the account. Deleting an account is irreversible.

However, deleting an account doesn’t necessarily delete all of a user’s personal information associated with it. The company plans to hang on to some genetic information and personal details including sex, birthday, email address, and details about the account’s deletion request, MIT Technology Review reported.

For users who opted into sharing anonymized genetic data with third parties, there is no way to delete the information or retract what has already been shared.

All online DNA testing services come with some privacy concerns, but legal guidelines to regulate personal data serve as a safeguard. For some users looking for answers to health mysteries or to find missing links to their family trees, the trade-off is worth it.

Because of 23andMe’s uncertain future, review sites like the New York Times’ Wirecutter have stopped recommending the service in its DNA testing roundups.

The review site recommends AncestryDNA and FamilyTreeDNA as alternatives.