Is 23andMe Safe? DNA Insights vs. Data Privacy

23andMe is a DNA genetic testing service that allows everyday people access to their health and ancestry data. But after a 2023 data breach, many are wondering whether the DNA insights are worth the cost of their privacy.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

23andMe can be a powerful tool for discovering your lineage or finding an unknown, long-lost sibling. However, in exchange for this information, you must provide significant personal information, including your DNA.

In October 2023, the ancestry company reported a data breach that jeopardized millions of accounts. The 23andMe data breach is unusual because only about 14,000 accounts were directly compromised, but through those accounts the threat actor reached 5.5 million DNA Relatives profiles and 1.4 million Family Tree feature profiles. Both the DNA Relatives and Family Tree features expose a user's personal information to relatives found on the 23andMe platform, which is how a small set of compromised logins turned into a much larger exposure.

Whether you’re a current 23andMe user or are considering using the platform, you should understand how the 2023 data breach and future data breaches may affect you. Equally important is learning how to remove your personal information from 23andMe or other platforms through one of the best data removal services.

Before sending in your sample, let’s answer, “Does 23andMe keep my data safe?”



Does 23andMe keep your data safe?

Following a data breach, companies need to notify customers whose information may have been compromised and find solutions to help protect users in the future. After the 2023 data breach, 23andMe improved its systems to help keep user data safe. One improvement the company made requires all new and existing customers to enable two-factor authentication.

23andMe outlines how it protects your data through a robust privacy page. On its privacy page, 23andMe says it does not share genetic data with third-party marketers, insurance companies, or employers without consent. The company has also received three separate ISO certifications based on audits by independent third-party companies. 23andMe attained those certifications in 2019 and 2020.

As part of its data policy, 23andMe also makes it easy for users to download personal data, remove their accounts, or have their DNA samples discarded.

23andMe’s privacy policies explained

It can be hard to decipher a company’s privacy policy and understand its meaning. That’s not the case with 23andMe. The company does a good job explaining its privacy policy in several different ways to make it easier to understand.

23andMe updated privacy choices

When you provide a DNA sample to 23andMe, you can opt-in to certain aspects of the service. Users can decide whether they want to be involved in DNA Relatives and other connections, whether they want their DNA sample stored or destroyed, and whether they want to participate in ongoing research.

23andMe uses personal information to provide the services users purchase, set up and maintain user accounts, and develop new products and features.

When it comes to sharing your information, 23andMe does not share user data with public databases, insurance companies, employers, or law enforcement without a court order, subpoena, or search warrant.

The 23andMe 2023 data breach explained

Data breaches aren’t uncommon in the digital age and can happen to any company. In the case of 23andMe’s October 2023 breach, the data was exposed through credential stuffing. Credential stuffing refers to taking username and password pairs exposed in earlier breaches of other sites and trying them against a new site, relying on people reusing passwords. Bad actors used previously exposed login information to take over around 14,000 23andMe customer accounts. (Pro tip: Using a random password generator, so that each site gets its own password, can help protect against credential stuffing.)

Credential stuffing only gave the bad actors access to a small subset of 23andMe customers. However, once those accounts were taken over, everything the DNA Relatives feature showed those users about their matches became available to the attackers as well, jeopardizing 5.5 million additional accounts. The data breach also exposed 1.4 million accounts that were connected to the compromised accounts through 23andMe’s Family Tree feature.
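As an added illustration (not code from this article or from 23andMe), here is a small Python detector that applies the credential-stuffing pattern described above, many distinct accounts attempted from one source in a short window with mostly failures, to constructed sample login records, and lists the accounts that nonetheless logged in successfully from a flagged source so they can be forced through a password reset and two-factor enrolment. The log format, addresses and account names are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real 23andMe logs):
# timestamp, source IP, account, result.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T02:00:03Z 203.0.113.7 carol@example.com SUCCESS
2023-10-01T02:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T02:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T02:00:06Z 203.0.113.7 frank@example.com SUCCESS
2023-10-01T02:00:07Z 203.0.113.7 grace@example.com FAIL
2023-10-01T02:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T09:15:00Z 198.51.100.4 alice@example.com FAIL
2023-10-01T09:15:20Z 198.51.100.4 alice@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Turn log lines into (timestamp, ip, account, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: [accounts that logged in successfully from ip]} for every source IP
    that tried at least min_accounts distinct accounts inside `window` with a failure
    ratio of at least min_fail_ratio. A normal user retrying one account is not flagged."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp first
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):    # sliding time window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # Every success from a flagged source is a suspect takeover: reset + 2FA.
                flagged[ip] = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
                break
    return flagged
```

Thresholds are deliberately low so the sample triggers; in production they are tuned per login endpoint and combined with per-account rate limits, because stuffing can be spread across many source addresses.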

23andMe Family Tree feature

2023 security measures now and then

Companies in the United States are required to notify those affected following a data breach. After 23andMe discovered the breach, the company took action to protect the compromised accounts.

Initially, 23andMe required all compromised accounts to reset passwords and required them to enable multi-factor authentication. Shortly after, 23andMe also temporarily disabled features inside the DNA Relatives tool.

23andMe disabled some DNA Relatives features

After completing its investigation into the breach, 23andMe required that all users update their passwords and began requiring two-step verification for all accounts. 23andMe users can easily update their privacy and sharing settings inside their accounts.

23andMe in-app privacy and sharing settings

The best data removal services for 23andMe users

If you’re concerned about your personal information being available online, a simple way to mitigate the risk is through a data removal service. A data removal service can make requesting that your information be removed from company databases easier. Here are a few of the best data removal services available.

  • DeleteMe: With DeleteMe, you submit your information, and DeleteMe’s experts search online for your data. The company removes any data found during its search and works to remove additional mentions every three months. DeleteMe offers plans starting at $8.60/mo (billed annually). You can also purchase a plan for two people for a discounted rate.

    Get DeleteMe | Read DeleteMe Review
  • Incogni: On your first day using Incogni, the data removal company begins requesting removal from its list of data brokers. The company also requests the removal of new instances of your information. Incogni is available for as low as $7.49/mo (billed annually).

    Get Incogni | Read Incogni Review
  • Optery: Optery is a data removal option that can help you purge the internet of your personal information. It offers a free exposure report that details the personal information found online. If you purchase a service with Optery, it can help you remove those instances found in the exposure report. Optery offers several different plan types, ranging from Free–$24.99/mo.

    Get Optery | Read Optery Review

How 23andMe works

23andMe is a genetic testing service that uses a saliva sample to determine your DNA. After sending in your sample, you can learn more about your ancestry, find unknown family members, and gain insight into genetic health risks, carrier status, and wellness traits.

23andMe in-app services overview

One popular use case of 23andMe is discovering new or unknown relatives. 23andMe determines relatives based on the percentage of DNA you share. For example, if you share 25% of your DNA with someone, they could be your uncle, half-sibling, or grandparent.

23andMe can connect you to unknown DNA relations

Once you’ve submitted your DNA to 23andMe, you can continue to receive updates on newly discovered relatives. As more people use the service, there will be more opportunities to find connections.

FAQs


Can 23andMe sell your DNA?

According to the company’s privacy policy, 23andMe does not sell genetic or personal information.


What are the controversies with 23andMe?

Since the beginning, 23andMe has faced controversies surrounding the safety of user information. The data breach in 2023 reignited these concerns. The company also updated its terms of service, specifically the dispute resolution and arbitration section. This updated verbiage removes the right of individuals to sue 23andMe and requires users to go through mediation for disputes.


Is 23andMe confidential?

Yes, 23andMe is confidential. The company does not share personal information with public databases or third-party marketers. Users can also limit with whom information is shared or remove it completely.


Does the FBI have access to 23andMe?

The FBI does not have direct access to 23andMe. The company also states that 23andMe only shares user information with law enforcement with a court order, subpoena, or warrant.


What are the disadvantages of 23andMe?

While 23andMe can offer important information to its users, its accuracy is limited. Even if the information is accurate, 23andMe could highlight some unsettling information, including unknown family members or genetic markers for diseases.


How accurate is the 23andMe test?

23andMe offers several different types of genetic testing, each with varying levels of accuracy. The Genetic Health Risk and Carrier Status reports meet the FDA analytical and clinical validity requirements. For ancestry testing, 23andMe divides accuracy into five different thresholds: 50%, 60%, 70%, 80%, and 90%. For example, if the ancestry determination is at the 80% threshold, there is a 20% chance that it could be inaccurate.

Bottom line

23andMe provides valuable information to individuals who want more insight into their ancestry, understand possible genetic dispositions, and more. However, providing your DNA and personal information can jeopardize this critical data. Even though 23andMe experienced a data breach in 2023, the company took immediate steps to add extra layers of protection — including requiring two-factor authentication.

Based on its privacy policy and overall efforts, 23andMe appears to take data privacy and protection seriously. The company also makes it easy to remove your data from its database at any time. If you’re worried about exposing your personal information online, you can use one of the best data removal services to simplify asking companies to delete your personal information.

Author Details
Andrew Strom Adams is a freelance writer focused on online privacy and digital security. He writes on various topics to help individuals protect themselves on the internet. Andrew has worked in legal marketing, technology, and startups. He has more than 12 years of experience in marketing and communications. He holds an M.B.A. from Westminster College and a B.A. in journalism from Oklahoma Baptist University. When he’s not writing, he’s playing with his two kids or watching reality TV.