All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
23andMe can be a powerful tool for discovering your lineage or finding an unknown, long-lost sibling. However, in exchange for this information, you must provide significant personal information, including your DNA.
In October 2023, the ancestry company reported a data breach that jeopardized millions of accounts. The 23andMe data breach is unique because only 14,000 accounts were breached, but by accessing those accounts, the threat actor accessed 5.5 million DNA Relatives profiles and 1.4 million Family Tree feature profiles. Both the DNA Relatives and Family Tree feature profiles give access to personal information to family members found on the 23andMe platform.
Whether you’re a current 23andMe user or are considering using the platform, you should understand how the 2023 data breach and future data breaches may affect you. Equally important is learning how to remove your personal information from 23andMe or other platforms through one of the best data removal services.
Before sending in your sample, let’s answer, “Does 23andMe keep my data safe?”
Removes your data from the web to avoid scams, spam and stalkers
100+ million successful opt-out removals
Provides continued removals every three months
Following a data breach, companies need to notify customers whose information may have been compromised and find solutions to help protect users in the future. After the 2023 data breach, 23andMe improved its systems to help keep user data safe. One improvement the company made requires all new and existing customers to enable two-factor authentication.
23andMe outlines how it protects your data through a robust privacy page. On its privacy page, 23andMe says it does not share genetic data with third-party marketers, insurance companies, or employers without consent. The company has also received three separate ISO certifications based on audits by independent third-party companies. 23andMe attained those certifications in 2019 and 2020.
As part of its data policy, 23andMe also makes it easy for users to download personal data, remove their accounts, or have their DNA samples discarded.
It can be hard to decipher a company’s privacy policy and understand its meaning. That’s not the case with 23andMe. The company does a good job explaining its privacy policy in several different ways to make it easier to understand.
/images/2024/04/26/23andme_privacy_choices_1.png)
When you provide a DNA sample to 23andMe, you can opt-in to certain aspects of the service. Users can decide whether they want to be involved in DNA Relatives and other connections, whether they want their DNA sample stored or destroyed, and whether they want to participate in ongoing research.
23andMe uses personal information to provide the services users purchase, set up and maintain user accounts, and develop new products and features.
When it comes to sharing your information, 23andMe does not share user data with public databases, insurance companies, employers, or law enforcement without a court order, subpoena, or search warrant.
Data breaches aren’t uncommon in the digital age and can happen to any company. In the case of 23andMe’s October 2023 breach, the data was exposed through credential stuffing. Bad actors used previously exposed login information for around 14,000 23andMe customers.
Credential stuffing gave the bad actors access to a small subset of 23andMe customers. Credential stuffing refers to using previously exposed credentials to access other websites. (Pro tip: Using a random password generator can help protect against credential stuffing.)
Once the exposed accounts were breached, all of this information became available to them, jeopardizing 5.5 million additional accounts. The data breach also exposed 1.4 million accounts that were connected to the compromised accounts through 23andMe’s Family Tree feature.
/images/2024/04/26/23andme_family_tree_feature_1.png)
Companies in the United States are required to notify those affected following a data breach. After 23andMe discovered the breach, the company took action to protect the compromised accounts.
Initially, 23andMe required all compromised accounts to reset passwords and required them to enable multi-factor authentication. Shortly after, 23andMe also temporarily disabled features inside the DNA Relatives tool.
/images/2024/04/26/23andme_disabled_some_dna_relatives_features_1.png)
After completing its investigation into the breach, 23andMe required that all users update their passwords and began requiring two-step verification for all accounts. 23andMe users can easily update their privacy and sharing settings inside their accounts.
/images/2024/04/26/23andme_in-app_privacy_and_sharing_settings_1.png)
If you’re concerned about your personal information being available online, a simple way to mitigate the risk is through a data removal service. A data removal service can make requesting that your information be removed from company databases easier. Here are a few of the best data removal services available.
23andMe is a genetic testing service that uses a saliva sample to determine your DNA. After sending in your sample, you can learn more about your ancestry, find unknown family members, and gain insight into genetic health risks, carrier status, and wellness traits.
/images/2024/04/26/23andme_services_overview.png)
One popular use case of 23andMe is discovering new or unknown relatives. 23andMe determines relatives based on a percentage of shared DNA. For example, if you share 25% of shared DNA with someone, they could be your uncle, half-sibling, or grandparent.
/images/2024/04/26/23andme_can_connect_you_to_unknown_dna_relations.png)
Once you’ve submitted your DNA to 23andMe, you can continue to receive updates on newly discovered relatives. As more people use the service, there will be more opportunities to find connections.
According to the company’s privacy policy, 23andMe does not sell genetic or personal information.
Since the beginning, 23andMe has faced controversies surrounding the safety of user information. The data breach in 2023 reignited these concerns. The company also updated its terms of service, specifically the dispute resolution and arbitration section. This updated verbiage removes the right of individuals to sue 23andMe and requires users to go through mediation for disputes.
Yes, 23andMe is confidential. The company does not share personal information with public databases or third-party marketers. Users can also limit with whom information is shared or remove it completely.
The FBI does not have direct access to 23andMe. The company also states that 23andMe only shares user information with law enforcement with a court order, subpoena, or warrant.
While 23andMe can offer important information to its users, its accuracy is limited. Even if the information is accurate, 23andMe could highlight some unsettling information, including unknown family members or genetic markers for diseases.
23andMe offers several different types of genetic testing, each with varying levels of accuracy. The Genetic Health Risk and Carrier Status reports meet the FDA analytical and clinical validity requirements. For ancestry testing, 23andMe divides accuracy into five different thresholds: 50%, 60%, 70%, 80%, and 90%. For example, if the ancestry determination is at the 80% threshold, there is a 20% chance that it could be inaccurate.
23andMe provides valuable information to individuals who want more insight into their ancestry, understand possible genetic dispositions, and more. However, providing your DNA and personal information can jeopardize this critical data. Even though 23andMe experienced a data breach in 2023, the company took immediate steps to add extra layers of protection — including requiring two-factor authentication.
Based on its privacy policy and overall efforts, 23andMe appears to take data privacy and protection seriously. The company also makes it easy to remove your data from its database at any time. If you’re worried about exposing your personal information online, you can use one of the best data removal services to simplify asking companies to delete your personal information.
Removes your data from the web to avoid scams, spam and stalkers
100+ million successful opt-out removals
Provides continued removals every three months
/images/2023/01/06/compromised_ssn_dark_web.jpg)
/images/2023/06/01/incogni-review.png)
/images/2024/11/14/norton_privacy_monitor_review.png)
/images/2024/10/31/magnifying_glass_highlighting_digital_profile.png)
/images/2024/10/24/onerep_review..png)
/images/2024/10/24/a_close-up_of_a_hand_holding_a_smartphone_displaying_a_digital_shield__2eLNAOe.png)
/images/2024/10/21/skull_of_death_on_smartphone_screen._hacked_mobile_phone_on_laptop_computer.png)
/authors/andrew-adams-allaboutcookies-author.jpg){kind=small}
/authors/kate_quinlan_headshot_april_2024.png){kind=small}
/images/2023/10/11/logo-deleteme-700px.png){kind=logo}
/authors/andrew-adams-allaboutcookies-author.jpg)