privacy · deep-dive

23andMe's Collapse Shows Why Some Data Can't Be Reset

23andMe's bankruptcy and the sale of 15 million people's DNA data reveal a privacy risk passwords don't have: some data can never be changed once exposed.

If a password leaks, you change it. If a credit card number leaks, the bank issues a new one. If your genetic code leaks, there is no new version to issue — it’s the one you’ll have for the rest of your life, and it’s shared, in part, with your biological relatives whether they ever used the service or not.

That’s the uncomfortable core of the 23andMe story, which has continued to unfold through 2026 with new lawsuits and a contested asset sale. It’s a story about a data breach, a bankruptcy, and a sale of genetic data as a corporate asset — and it raises questions that apply far beyond DNA testing, to any service that holds data about you that can’t be reset once it’s out.


What Actually Happened

In 2023, 23andMe suffered a credential-stuffing breach: attackers took username and password pairs leaked from other websites and replayed them against 23andMe's login, succeeding wherever a customer had reused a password. The activity went on for roughly five months and directly compromised around 14,000 accounts. But because of 23andMe's "DNA Relatives" feature, which shows each user a list of genetic matches on the platform, those logins let the attackers scrape the profile and relative-match data displayed to each compromised account, reaching nearly 7 million people, the vast majority of whom never had their own account compromised. The amplification is the important part: a breach of well under 1% of accounts exposed data about roughly half the customer base, because the feature made each account a window onto hundreds of others.
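To make the amplification concrete, and to show the two signals a service operator could have watched for, here is an added Python example. It is not 23andMe's code, data or detection logic: the relatives graph, the log records, the IP addresses (from the RFC 5737 documentation ranges) and the thresholds are all constructed for illustration. It also generalizes slightly beyond the post, treating both credential stuffing and relative-page scraping as sliding-window anomalies over ordinary auth and page-view logs.

```python
"""Added example for this post (not 23andMe's code or data): how a credential-stuffing
foothold fans out through a relative-matching feature, and two detections a service
could run over its own logs. The graph, log records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def toy_relatives_graph(n=1000, offsets=(1, 7, 50)):
    """Constructed stand-in for a 'DNA Relatives' graph: user -> set of users shown
    as matches. Matches are symmetric; a real graph is far denser than six per user."""
    graph = defaultdict(set)
    for i in range(n):
        for off in offsets:
            a, b = f"u{i}", f"u{(i + off) % n}"
            graph[a].add(b)
            graph[b].add(a)
    return graph


def exposed_profiles(graph, compromised):
    """Everything readable with only the compromised logins: the accounts themselves plus
    every profile their relative-match pages display (one hop). This one-hop fan-out is
    how thousands of stuffed accounts expose millions of people."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= graph.get(account, set())
    return exposed


def credential_stuffing_sources(auth_events, window=timedelta(minutes=10), min_users=20):
    """Detection 1: one source IP failing logins against many *distinct* usernames in a
    short window. A real person mistypes one password; a stuffing tool walks a list.
    Returns {ip: peak distinct usernames failed in any window}."""
    failures = defaultdict(list)
    for ev in auth_events:
        if ev["result"] == "fail":
            failures[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            in_window = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


def scraping_accounts(view_events, window=timedelta(hours=1), max_views=200):
    """Detection 2: one logged-in account viewing far more relative profiles per hour
    than a person browsing would. Returns {user: peak views in any window}."""
    views = defaultdict(list)
    for ev in view_events:
        views[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, times in views.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_views:
            flagged[user] = peak
    return flagged


def sample_logs():
    """Constructed log records; addresses are from the RFC 5737 documentation ranges."""
    t0 = datetime(2023, 5, 1, 12, 0, 0)
    auth = [  # a stuffing tool walking a leaked list: 25 usernames in about four minutes
        {"ts": t0 + timedelta(seconds=10 * i), "ip": "203.0.113.9",
         "user": f"victim{i}@example.com", "result": "fail"} for i in range(25)
    ] + [  # a normal user mistyping their own password three times
        {"ts": t0 + timedelta(seconds=30 * i), "ip": "198.51.100.4",
         "user": "alice@example.com", "result": "fail"} for i in range(3)
    ]
    views = [  # compromised u0 pulls 300 relative profiles in 30 minutes; u5 browses 12
        {"ts": t0 + timedelta(seconds=6 * i), "user": "u0"} for i in range(300)
    ] + [
        {"ts": t0 + timedelta(minutes=5 * i), "user": "u5"} for i in range(12)
    ]
    return auth, views


if __name__ == "__main__":
    graph = toy_relatives_graph()
    hit = {"u0", "u100", "u200"}
    print(f"{len(hit)} compromised accounts expose {len(exposed_profiles(graph, hit))} profiles")
    auth, views = sample_logs()
    print("stuffing sources:", credential_stuffing_sources(auth))
    print("scraping accounts:", scraping_accounts(views))
```

Run as a script, three compromised accounts in the toy graph expose 19 profiles, and the two detectors flag only the stuffing source and the scraping account, not the user who fat-fingered her password or the one browsing a dozen matches. The thresholds are assumptions; in practice they would be tuned against the service's own baseline, and the stuffing detector would usually be paired with enforced multi-factor authentication so that a reused password alone is not enough to log in.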

23andMe settled a related class action for $30 million in 2024. Then, in March 2025, the company filed for Chapter 11 bankruptcy. As part of the bankruptcy proceedings, 23andMe sold most of its assets — including the genomic data of more than 15 million customers — to TTAM Research Institute, a nonprofit founded by 23andMe’s former CEO.

Multiple state attorneys general, including California’s, opposed the sale on the grounds that it violated state genetic information privacy laws, arguing that customers who provided their DNA to one company under one set of privacy commitments shouldn’t have that data transferred to a different entity as part of a bankruptcy sale. A federal bankruptcy judge approved the sale anyway. The states are appealing. In May 2026, California’s Attorney General separately sued the new ownership entity over the original 2023 breach, alleging the security failures that enabled it were never adequately addressed.


Why This Is Different From a Typical Data Breach Story

Most “company collapses, what happens to your data” discussions focus on a familiar set of risks: account access, stored payment methods, files you forgot to export. Those are real concerns, but they share one feature — the data is, in principle, replaceable. You can close an account, get a new card, re-upload files elsewhere.

Genetic data breaks that pattern in three specific ways:

It cannot be changed. Your genome is fixed. If it’s exposed, there’s no equivalent of a password reset. Any inference that can be drawn from it today — about ancestry, health predispositions, or identity — remains drawable for the rest of your life, and the rest of your relatives’ lives.

It implicates people who never consented. Because DNA is shared with biological relatives, a breach or sale of your genetic data has implications for parents, children, and siblings who may never have used the service, never signed its terms of service, and never had a say in the matter.

It can be sold as an asset, separate from the breach. The 2023 breach and the 2025 bankruptcy sale are two different events with two different mechanisms. The breach was unauthorized access. The sale was a legal transfer of ownership of the same underlying data, executed through bankruptcy court — a process that exists specifically to let creditors recover value from a failed company’s assets, and that treats customer data as one of those assets unless specific laws say otherwise.

That last point is the one with the broadest implications. Bankruptcy law generally treats a company's data about its customers as part of its sellable estate. Privacy policies promise things like "we will never sell your data," but a promise is only as durable as the entity that made it, and a company in Chapter 11 may not exist in the same form tomorrow. The promise was made by an entity; the data outlives the entity.


“Delete My Data” Gets Complicated Mid-Bankruptcy

23andMe’s privacy policy, like most, included provisions for users to delete their data and accounts. In the period around the bankruptcy filing, many users rushed to do exactly that — delete their genetic data before any sale could go through.

But a deletion request submitted to a company in Chapter 11 proceedings raises a genuinely murky question: does a deletion request override an asset sale that’s already part of a court-supervised bankruptcy process? Does deleted data still count as part of the estate if backups exist? These aren’t questions most privacy policies were written to answer, because most privacy policies were written assuming the company would continue operating normally.

The practical lesson is sobering: the right to delete your data is only as durable as the legal and financial stability of the company holding it. A right that’s meaningful when a company is a healthy, ongoing business can become genuinely ambiguous the moment that company enters bankruptcy — exactly the moment when, intuitively, people most want to exercise it.


What This Means for Data That Isn’t DNA

Genetic data is the most extreme example, but the underlying dynamic — irreversible personal data, held by a company whose long-term existence isn’t guaranteed — applies to other categories too:

Biometric data (face scans, fingerprints, voice prints) shares the “can’t be reset” property with DNA, even if it doesn’t implicate relatives the same way.

Years of personal photos and documents aren’t biologically irreversible, but they’re practically irreversible in a different sense: if a company holding your only copy of a decade of family photos goes bankrupt and shuts down with insufficient notice, “delete my data” isn’t the operative question — “did I get my data back before it disappeared” is.

Health and medical data combines aspects of both — it can reveal things about you that don’t change (genetic predispositions) and things that are deeply personal regardless of whether they’re “resettable.”

The common thread: before trusting any service with data in these categories, it’s worth asking not just “what’s their privacy policy today” but “what happens to this data if the company doesn’t exist in five years” — a question privacy policies rarely answer, because it requires the company to imagine its own demise.


Where daftei Fits

daftei doesn’t deal in genetic or biometric data — it’s personal file storage for photos, documents, voice notes, and the records of your life that you choose to keep. But the structural lesson from 23andMe applies directly to how daftei approaches the data it does hold.

Deletion is designed to mean something. When you delete your daftei account, there’s a 30-day grace window — enough time to change your mind — after which deletion is permanent and irreversible. That’s a deliberate design choice: a deletion right that can’t later be reinterpreted as “well, the data was already part of a sale” because there’s no ambiguity about what “permanent and irreversible” means.

Your data is never positioned as a sellable asset. daftei’s revenue comes from subscriptions — 5 GB free, unlimited on Pro at $5.99/month (₹249/month in India), with annual and lifetime options. The business doesn’t depend on monetizing what you store, which means there’s no scenario where your files become more valuable to daftei as a dataset than as a reason for you to keep paying for storage.

Encryption and compliance are the baseline, not a feature. Files are encrypted in transit with TLS 1.3 and at rest with AES-256, and daftei is GDPR and CCPA compliant — frameworks that, like the genetic privacy laws cited in the 23andMe case, exist specifically to give people enforceable rights over data about them.

No company can promise it will exist forever, and no privacy policy can fully resolve what happens in a bankruptcy court. But the categories of risk are different depending on what’s being stored — and being deliberate about which categories of irreplaceable personal data you hand to which services is a decision worth making consciously, rather than by default.


The Question Worth Asking

When 23andMe customers signed up, the value proposition was learning about their ancestry and health — a fun, low-stakes-feeling exchange of a cheek swab for some interesting reports. Few people, at the time, were thinking about what would happen to that genetic data a decade later, through a corporate bankruptcy they had no part in.

The lesson isn’t “never use a DNA testing service” or “never trust any company with personal data.” It’s that some data — genetic, biometric, the irreplaceable record of years of your life — deserves a higher bar than “their privacy policy looks fine today.” The right question is what happens to it if the company doesn’t make it, because for some categories of data, that’s the scenario where the stakes are highest and the protections are least tested.

See how daftei handles your data — for as long as you’re here, and clearly if you ever leave

Your memories deserve better than an ad platform.

Try daftei free →