23andMe can be a powerful tool for discovering your lineage or finding an unknown, long-lost sibling. However, in exchange for this information, you must provide significant personal information, including your DNA.
In October 2023, the ancestry company reported a data breach that jeopardized millions of accounts. The 23andMe data breach is unique because only 14,000 accounts were breached, but by accessing those accounts, the threat actor accessed 5.5 million DNA Relatives profiles and 1.4 million Family Tree feature profiles. Both the DNA Relatives and Family Tree feature profiles give access to personal information to family members found on the 23andMe platform.
Whether you’re a current 23andMe user or are considering using the platform, you should understand how the 2023 data breach and future data breaches may affect you. Equally important is learning how to remove your personal information from 23andMe or other platforms through one of the best data removal services.
Before sending in your sample, let’s answer, “Does 23andMe keep my data safe?”
Does 23andMe keep your data safe?
Following a data breach, companies need to notify customers whose information may have been compromised and find solutions to help protect users in the future. After the 2023 data breach, 23andMe improved its systems to help keep user data safe. One improvement the company made requires all new and existing customers to enable two-factor authentication.
23andMe outlines how it protects your data through a robust privacy page. On its privacy page, 23andMe says it does not share genetic data with third-party marketers, insurance companies, or employers without consent. The company has also received three separate ISO certifications based on audits by independent third-party companies. 23andMe attained those certifications in 2019 and 2020.
As part of its data policy, 23andMe also makes it easy for users to download personal data, remove their accounts, or have their DNA samples discarded.
23andMe’s privacy policies explained
It can be hard to decipher a company’s privacy policy and understand its meaning. That’s not the case with 23andMe. The company does a good job explaining its privacy policy in several different ways to make it easier to understand.
When you provide a DNA sample to 23andMe, you can opt-in to certain aspects of the service. Users can decide whether they want to be involved in DNA Relatives and other connections, whether they want their DNA sample stored or destroyed, and whether they want to participate in ongoing research.
23andMe uses personal information to provide the services users purchase, set up and maintain user accounts, and develop new products and features.
When it comes to sharing your information, 23andMe does not share user data with public databases, insurance companies, employers, or law enforcement without a court order, subpoena, or search warrant.
The 23andMe 2023 data breach explained
Data breaches aren’t uncommon in the digital age and can happen to any company. In the case of 23andMe’s October 2023 breach, the data was exposed through credential stuffing. Bad actors used previously exposed login information for around 14,000 23andMe customers.
Credential stuffing refers to using previously exposed credentials to access other websites. In this case, it gave the bad actors access to a small subset of 23andMe customers. (Pro tip: Using a random password generator can help protect against credential stuffing.)
Once those accounts were breached, the DNA Relatives information visible to them became available to the bad actors, jeopardizing 5.5 million additional accounts. The data breach also exposed 1.4 million accounts that were connected to the compromised accounts through 23andMe’s Family Tree feature.
2023 security measures now and then
Companies in the United States are required to notify those affected following a data breach. After 23andMe discovered the breach, the company took action to protect the compromised accounts.
Initially, 23andMe required all compromised accounts to reset passwords and required them to enable multi-factor authentication. Shortly after, 23andMe also temporarily disabled features inside the DNA Relatives tool.
After completing its investigation into the breach, 23andMe required that all users update their passwords and began requiring two-step verification for all accounts. 23andMe users can easily update their privacy and sharing settings inside their accounts.
The best data removal services for 23andMe users
If you’re concerned about your personal information being available online, a simple way to mitigate the risk is through a data removal service. A data removal service can make requesting that your information be removed from company databases easier. Here are a few of the best data removal services available.
- DeleteMe: With DeleteMe, you submit your information, and DeleteMe’s experts search online for your data. The company removes any data found during its search and works to remove additional mentions every three months. DeleteMe offers plans starting at $8.60/mo (billed annually). You can also purchase a plan for two people for a discounted rate.
- Incogni: On your first day using Incogni, the data removal company begins requesting removal from its list of data brokers. The company also requests the removal of new instances of your information. Incogni is available for as low as $7.49/mo (billed annually).
- Optery: Optery is a data removal option that can help you purge the internet of your personal information. It offers a free exposure report that details the personal information found online. If you purchase a service with Optery, it can help you remove those instances found in the exposure report. Optery offers several different plan types, ranging from Free–$24.99/mo.
How 23andMe works
23andMe is a genetic testing service that uses a saliva sample to determine your DNA. After sending in your sample, you can learn more about your ancestry, find unknown family members, and gain insight into genetic health risks, carrier status, and wellness traits.
One popular use case of 23andMe is discovering new or unknown relatives. 23andMe determines relatives based on a percentage of shared DNA. For example, if you share 25% of your DNA with someone, they could be your uncle, half-sibling, or grandparent.
Once you’ve submitted your DNA to 23andMe, you can continue to receive updates on newly discovered relatives. As more people use the service, there will be more opportunities to find connections.
FAQs
Can 23andMe sell your DNA?
According to the company’s privacy policy, 23andMe does not sell genetic or personal information.
What are the controversies with 23andMe?
Since the beginning, 23andMe has faced controversies surrounding the safety of user information. The data breach in 2023 reignited these concerns. The company also updated its terms of service, specifically the dispute resolution and arbitration section. This updated verbiage removes the right of individuals to sue 23andMe and requires users to go through mediation for disputes.
Is 23andMe confidential?
Yes, 23andMe is confidential. The company does not share personal information with public databases or third-party marketers. Users can also limit with whom information is shared or remove it completely.
Does the FBI have access to 23andMe?
The FBI does not have direct access to 23andMe. The company also states that 23andMe only shares user information with law enforcement with a court order, subpoena, or warrant.
What are the disadvantages of 23andMe?
While 23andMe can offer important information to its users, its accuracy is limited. Even if the information is accurate, 23andMe could highlight some unsettling information, including unknown family members or genetic markers for diseases.
How accurate is the 23andMe test?
23andMe offers several different types of genetic testing, each with varying levels of accuracy. The Genetic Health Risk and Carrier Status reports meet the FDA analytical and clinical validity requirements. For ancestry testing, 23andMe divides accuracy into five different thresholds: 50%, 60%, 70%, 80%, and 90%. For example, if the ancestry determination is at the 80% threshold, there is a 20% chance that it could be inaccurate.
Bottom line
23andMe provides valuable information to individuals who want more insight into their ancestry, to understand possible genetic dispositions, and more. However, providing your DNA and personal information can jeopardize this critical data. Even though 23andMe experienced a data breach in 2023, the company took immediate steps to add extra layers of protection — including requiring two-factor authentication.
Based on its privacy policy and overall efforts, 23andMe appears to take data privacy and protection seriously. The company also makes it easy to remove your data from its database at any time. If you’re worried about exposing your personal information online, you can use one of the best data removal services to simplify asking companies to delete your personal information.