Is 23andMe Safe?
Laura Martisiute
If you use or plan to use 23andMe, you need to know: Is 23andMe safe?
Below, we explain whether 23andMe is:
- Safe to use.
- Good for privacy.
We also look at some steps you can take to improve both your safety and privacy when using this service.
What Is 23andMe?
23andMe is a biotechnology company that provides direct-to-consumer genetic testing services. Its at-home genetic testing kits allow individuals to learn about their ancestry, health, traits, and genetic predispositions to certain conditions.
23andMe provides detailed reports on an individual’s ethnic background, tracing lineage and connections to various regions and populations around the world.
It can also connect users with potential relatives who have also used the service.
The reports produced by 23andMe offer insights into how genetics might influence health. This includes information on carrier status for genetic disorders, genetic predispositions to certain health conditions, and how genetics can affect responses to various medications. The reports explore how genes might influence certain physical traits, such as eye color, hair type, and taste preferences.
23andMe also collaborates with academic and pharmaceutical researchers to advance scientific understanding and develop new treatments for various diseases. Users can consent to participate in research studies, contributing their genetic information in de-identified form to broader research efforts.
Is 23andMe Safe?
That depends on what you mean by “safe.”
In 2023, 23andMe suffered a major security breach. Attackers used credential stuffing (logging in with username and password pairs leaked in earlier breaches of other sites) to get into a relatively small number of accounts, then used the DNA Relatives feature to scrape profile data belonging to roughly 6.9 million users who had never been directly compromised. Data sets targeting users with specific ethnic backgrounds, including people of Ashkenazi Jewish and Chinese ancestry, were then offered for sale on the dark web.
This led to multiple class action lawsuits against 23andMe, accusing the company of failing to adequately protect user data and of violating various privacy laws.
23andMe responded by blaming users for reusing passwords and not changing them after past breaches. It also reportedly tried to change its terms of service to prevent users from filing class action lawsuits against it.
Privacy experts said criminals could use the sensitive information leaked to identify and blackmail individuals by threatening to reveal more sensitive data about them (for example, making previously unknown family connections public or revealing mental health issues).
Experts also warned about sophisticated identity theft and the potential for employers to misuse leaked data to pass over someone looking for a promotion or job.
Following the breach, 23andMe made two-factor authentication mandatory for all users—something users had apparently been seeking for years—and required all customers to reset their passwords.
The security rating company UpGuard gives 23andMe a score of 811 out of 950.
The top concerns it lists are the following:
- No valid Content Security Policy (CSP) header is set, so the browser has no policy restricting which scripts and resources a page may load.
- Cookies aren’t set with the HttpOnly flag, which leaves them readable by any script that runs in the page.
- No valid Certification Authority Authorization (CAA) DNS record is published, so any public certificate authority may issue certificates for the domain.
- Weak encryption is in place.
Keep in mind that these are findings from a passive, external scan of 23andMe’s public-facing web properties. They say nothing directly about how customer genetic data is stored, or who inside the company can access it.
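To make the first two findings concrete, here is a small checker, added here as an example and not code from 23andMe or UpGuard, that audits a set of HTTP response headers for the same classes of problem an external scanner flags: a missing or weak Content-Security-Policy, cookies set without HttpOnly or Secure, and a missing Strict-Transport-Security header. The two responses at the bottom are constructed samples, not captures from 23andMe; the CAA finding is a DNS check and is outside what a header audit can see.

```python
"""Audit HTTP response headers for common external-scan findings.

Added example: checks Content-Security-Policy, Set-Cookie flags and HSTS
on a list of (name, value) header pairs. The sample responses below are
constructed for illustration, not captured from any real site.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(value: str) -> List[str]:
    """Report ways a CSP fails to actually restrict script execution."""
    findings: List[str] = []
    directives = parse_csp(value)
    # script-src falls back to default-src when absent.
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        findings.append("CSP has no script-src or default-src, so scripts are unrestricted")
        return findings
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
    # 'unsafe-inline' is ignored by browsers when a nonce/hash is present,
    # so only flag it when it is the effective policy.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("CSP allows 'unsafe-inline' scripts, which defeats its XSS protection")
    if "*" in script:
        findings.append("CSP script-src allows scripts from any origin (*)")
    return findings


def cookie_findings(set_cookie: str) -> List[str]:
    """Report a Set-Cookie value that lacks HttpOnly or Secure."""
    name = set_cookie.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/) are irrelevant here.
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly (readable by injected script)")
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure (may be sent over plain HTTP)")
    return findings


def audit_headers(headers: List[Header]) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    lower = [(k.lower(), v) for k, v in headers]
    csp_values = [v for k, v in lower if k == "content-security-policy"]
    if not csp_values:
        findings.append("no Content-Security-Policy header")
    else:
        for v in csp_values:
            findings.extend(csp_findings(v))
    if not any(k == "strict-transport-security" for k, _ in lower):
        findings.append("no Strict-Transport-Security header")
    for k, v in lower:
        if k == "set-cookie":
            findings.extend(cookie_findings(v))
    return findings


# Constructed sample: the kind of response an external scan would flag.
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

# Constructed sample: the same response with the findings addressed.
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(resp) or ['no findings']}")
```

The CSP check deliberately treats a policy that merely exists as insufficient: a header that allows `'unsafe-inline'` or `*` for scripts is what scanners mean by “no valid CSP,” because it does not stop an injected script from running and reading the page (or any cookie without HttpOnly).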
Is 23andMe Private?
Considering that the 2023 breach exposed data on 6.9 million 23andMe users, most people would probably not consider 23andMe very private.
That said, according to the Electronic Frontier Foundation (EFF), 23andMe is “generally one of the better actors in this space.” 23andMe requires an individualized warrant before giving police access to data, pushes back on overbroad warrants, and doesn’t give law enforcement direct access to all data.
In its privacy policy, 23andMe outlines how user data is collected, used, and shared.
Users’ genetic information is primarily used to provide personalized reports on ancestry, health, and traits.
23andMe users have control over whether their data is shared for research purposes.
Participation in research is voluntary, and users can opt in or out at any time. When data is used for research, it is de-identified by stripping directly identifying information. However, as we explain in another blog post on staying (a little bit) more private with 23andMe and similar companies, studies show that de-identified genetic data can often be re-identified.
In an article for The Guardian, Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation, noted that “You can ask 23andMe to stop using your information, but you can’t ask for data to be removed from a list once it’s been sold off.”
Terms of Service; Didn’t Read (ToS;DR), a project that rates internet services’ terms of service and privacy policies, gives 23andMe a “Grade D.” This means “The terms of service are very uneven or there are some important issues that need your attention.”
ToS;DR notes that 23andMe:
- Collects many different types of personal information.
- May keep personal data after a deletion request.
- May use tracking pixels and similar technologies.
- Assumes user consent from usage.
- Collects biometric data.
On the plus side, ToS;DR says that 23andMe provides a complaint mechanism for the handling of personal data and a way to opt out of promotional communications.
How to Improve Your Safety and Privacy On 23andMe
Follow the steps below for a more private and secure experience on 23andMe.
- Review the terms and conditions. Carefully read 23andMe’s privacy policy and terms of service to understand how your data will be used and shared.
- Informed consent. Pay close attention to the consent agreements, especially those related to research participation and data sharing.
- Manage privacy preferences. Adjust your account settings to control who can view your information and whether your data is shared for research purposes.
- Opt out of research. If you prefer not to participate in research studies, you can opt out through your account settings.
- Use strong security measures. Use a strong, unique password for your 23andMe account (a password manager makes this easy) so that a password leaked from another site cannot be replayed against it, and keep two-factor authentication (2FA) enabled.
- Limit information-sharing features. Be cautious about using features that allow you to share your genetic information with relatives or the public. In particular, consider opting out of DNA Relatives: it was the feature attackers used in 2023 to scrape data from accounts they had never logged into.
- Be careful with downloaded data. If you download your raw genetic data, store it securely (for example, in an encrypted volume rather than a plain folder or shared drive) and be mindful of where and how you share it.
- Use an alias. Consider using a pseudonym or alias instead of your real name when setting up your account.
- Use a separate email. Use a dedicated email address that doesn’t include personal identifiers for your 23andMe account.
- Review your account. Periodically review your account and privacy settings to ensure they are up to date with your preferences.
- Audit data use. Keep an eye out for notifications or updates from 23andMe regarding changes to their privacy policy or data use practices.
- Delete your data. If you decide to stop using 23andMe, request to have your account, stored sample, and genetic data deleted, and follow the steps 23andMe outlines to confirm the request went through. Note that 23andMe’s privacy statement says it retains some information after deletion to meet legal and regulatory obligations, so “completely removed” is not something you can verify from the outside.