Is 23andMe Still Legit? Accuracy, Privacy, and Risks

23andMe is a real genetic testing company that uses legitimate science, and its health reports carry FDA authorization. But “legit” covers a lot of ground, and the full picture includes a major data breach, a bankruptcy filing in 2025, and important limitations on what consumer DNA testing can actually tell you. Here’s what you need to know before deciding whether to use it.

The Science Behind the Test

23andMe uses a method called genotyping, which looks at specific locations in your DNA that are known to vary between people. Think of it like checking particular pages in a book rather than reading the whole thing cover to cover. This is fundamentally different from the full DNA sequencing you’d get through a hospital or genetics clinic, which examines every letter in a stretch of your genetic code.

That distinction matters. Genotyping is well-established science and works reliably for what it’s designed to do: identifying known genetic variants at specific spots. But it can miss variants that full sequencing would catch. If your doctor orders a genetic test for a specific condition, the clinical version will be far more comprehensive than anything 23andMe offers.

For ancestry, 23andMe compares your DNA against reference datasets representing 78 populations worldwide, with over 4,000 country matches and genetic groups in its reports. The company reports precision numbers above 90 percent in its quality control tests, particularly at the continental level. Results get less precise at the regional level, which is why your ancestry percentages can shift slightly when the company updates its algorithm or adds new reference populations.

FDA Authorization for Health Reports

23andMe is the first direct-to-consumer genetic test to receive FDA authorization for health risk reports. That authorization covers a specific list of conditions, including genetic risk factors for late-onset Alzheimer’s disease, Parkinson’s disease, celiac disease, hereditary hemochromatosis (iron overload), and several others. In total, the initial authorization covered ten conditions.

What the FDA authorization does not cover is equally important. It explicitly excludes anything related to how your body processes medications. And while 23andMe later added BRCA1/BRCA2 breast cancer risk reports, the original authorization didn’t include them. Even the BRCA report only tests for three specific variants most common in people of Ashkenazi Jewish descent, while clinical BRCA testing screens for thousands of possible mutations. A negative result from 23andMe does not mean you’re free of BRCA risk.

The FDA authorization essentially means the test does what it claims to do at the specific variants it checks. It does not mean the test is a substitute for medical-grade genetic screening.

The 2023 Data Breach

In 2023, hackers accessed 23andMe accounts using credentials stolen from other websites, a technique called credential stuffing. The breach affected almost 7 million customers worldwide. The compromised data included highly sensitive information: health data, race and ethnicity, details about relatives, dates of birth, and sex at birth. Much of this information was derived directly from customers’ DNA.

The damage spread beyond the accounts that were directly hacked. Because 23andMe has a feature called DNA Relatives that connects you with genetic matches, a single compromised account could expose the names, birth years, locations, and ethnic backgrounds of thousands of genetically linked users who never had their own passwords stolen.

An investigation by the Privacy Commissioner of Canada and the UK Information Commissioner found that it took the company about a month after discovering the breach to disable the raw DNA download feature and require two-factor authentication. 23andMe has since implemented additional security improvements that Canadian regulators considered sufficient to resolve the issue, but the breach highlighted a fundamental risk: genetic data, unlike a credit card number, cannot be changed.
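
The sketch below is an added example, not 23andMe's code and not part of the original article. It shows how a defender might spot the credential-stuffing pattern in login records and then measure how far the exposure spreads through a relative-matching feature like DNA Relatives. The log layout, account names, sharing graph, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed login events: (source_ip, account, login_succeeded).
# One source tries eight accounts and gets into two; the others are ordinary logins.
LOGIN_EVENTS = [("203.0.113.7", f"user{i}", i in (3, 6)) for i in range(1, 9)] + [
    ("198.51.100.20", "user9", True),
    ("198.51.100.21", "user10", False),
    ("198.51.100.21", "user10", True),
]

# Constructed sharing graph: account -> profiles it can see through relative matching.
RELATIVES = {
    "user3": ["user9", "user11", "user12"],
    "user6": ["user3", "user12", "user13"],
    "user9": ["user3"],
}


def flag_stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Return {source_ip: [accounts it logged into]} for sources that try many
    distinct accounts and mostly fail. Thresholds are illustrative assumptions."""
    attempted = defaultdict(set)
    succeeded = defaultdict(set)
    for ip, account, ok in events:
        attempted[ip].add(account)
        if ok:
            succeeded[ip].add(account)
    flagged = {}
    for ip, accounts in attempted.items():
        rate = len(succeeded[ip]) / len(accounts)
        if len(accounts) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = sorted(succeeded[ip])
    return flagged


def exposure(flagged, relatives):
    """Split affected profiles into directly compromised accounts and profiles
    exposed only because a compromised account could view them."""
    direct = {acct for accts in flagged.values() for acct in accts}
    indirect = set()
    for acct in direct:
        indirect |= set(relatives.get(acct, ()))
    return direct, indirect - direct


if __name__ == "__main__":
    flagged = flag_stuffing_sources(LOGIN_EVENTS)
    direct, indirect = exposure(flagged, RELATIVES)
    print("flagged sources:", flagged)
    print(f"{len(direct)} accounts logged into, {len(indirect)} more profiles exposed")
```

Per-source counting is only one signal, since real campaigns spread attempts across many addresses; the point of the second function is that incident scoping has to include profiles visible to a compromised account, not just the accounts themselves.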

Bankruptcy and the Regeneron Acquisition

23andMe filed for Chapter 11 bankruptcy protection in March 2025 and announced it would voluntarily delist from the Nasdaq stock exchange. The company that was once valued at $6 billion sold for $256 million to Regeneron Pharmaceuticals, a major drugmaker. That deal is expected to close in the third quarter of 2025, pending bankruptcy court approval.

This matters for anyone who has already submitted DNA. Regeneron is acquiring “substantially all” of 23andMe’s assets, which raises questions about what happens to customer data and stored saliva samples under new ownership. If you have a 23andMe account and want to delete your data or request destruction of your sample, doing so before the acquisition closes gives you the most control. The company’s website has options for both.

How Your Data Gets Used Beyond Your Reports

Before the bankruptcy, 23andMe had a major collaboration with pharmaceutical giant GlaxoSmithKline (GSK) that gave the drugmaker access to 23andMe’s genetic databases for drug target discovery and patient recruitment for clinical studies. The databases included genetic sequences, genotype and trait data collected from customers, plus calculated datasets derived from that information.

23andMe maintained that this required customer consent, and users could opt in or out of research participation. But the GSK partnership illustrated what makes genetic testing companies different from other tech companies: the product isn’t just the report you get back. The aggregated genetic data of millions of people has enormous pharmaceutical value, and that value is part of what Regeneron is buying.

What the Test Is Good For

If you’re looking for a broad picture of your ancestral background, 23andMe delivers reasonably accurate results, especially at the continental level. It can confirm family stories, reveal unexpected heritage, and connect you with genetic relatives. Many people have used it to find biological parents or previously unknown siblings.

The health reports can flag that you carry certain well-known genetic variants worth discussing with a doctor. Learning you carry a risk variant for conditions like hemochromatosis or celiac disease could prompt useful follow-up testing. As a conversation starter with your healthcare provider, the reports have genuine value.

Where 23andMe falls short is when people treat results as a diagnosis or, worse, as an all-clear. A clean report doesn’t mean you’re free of genetic risk for any given condition. The test checks specific variants, not your entire genome. For anyone with a family history of cancer, heart disease, or other hereditary conditions, clinical genetic testing through a healthcare provider remains the standard.

Privacy Tradeoffs to Consider

Sending your DNA to any company means trusting that organization with information that is uniquely and permanently yours. With 23andMe specifically, you’re weighing the value of ancestry and health insights against a company that has already experienced a massive breach, gone through bankruptcy, and is transferring its assets to a pharmaceutical company. Your genetic data also indirectly reveals information about your biological relatives, including people who never consented to testing.

If you’ve already tested, you can log into your account and request data deletion and sample destruction. If you’re considering testing for the first time, the science is sound, but the question isn’t really whether 23andMe is “legit.” It’s whether you’re comfortable with the tradeoffs that come with handing over your DNA to a company whose long-term ownership and data policies are in flux.