The 23andMe data breach has raised significant concerns about the privacy and security of genetic information for millions of users in the UK and beyond. If you’ve used this service, here’s the latest information on the breach, with an update on issues surrounding 23andMe’s data handling policies.
What happened with the 23andMe data breach?
Earlier this year, 23andMe, a well-known genetic testing company, reported a security breach that compromised the data of millions of customers worldwide. Hackers accessed personal data, including names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports and locations. The breach has affected millions of UK users, and the extent of the data exposure remains a major concern.
According to reports, cybercriminals used a credential-stuffing attack – where previously stolen username and password combinations from other sites are reused – to access accounts. Once inside, hackers exploited the platform’s ‘DNA Relatives’ feature to get their hands on even more sensitive information. This incident has left many users feeling vulnerable, particularly given the nature of 23andMe’s work.
23andMe’s controversial data retention policies
In a worrying update, 23andMe’s data retention practices have come under scrutiny. A recent blog warned that, even if you decide to delete your account, the company may still retain your genetic information. This is particularly troubling for those affected by the breach who might want to limit further risk by closing their accounts.
According to 23andMe’s policies, closing an account does not guarantee the removal of genetic data if it has been shared as part of research or other agreements. In other words, even if you delete your account, your sensitive genetic data could still be stored and used, raising questions about user privacy and consent. These policies present a major barrier to protecting genetic privacy.
How this affects you and what you can do
If you are one of the millions of UK customers affected by the breach, you must take steps to protect your identity and data. While you can’t reset your genetic data like a password, there are other proactive measures you can take:
- Update your passwords: Make sure your 23andMe account password is unique and not used for any other accounts. Change any similar passwords on other platforms to reduce the risk of further credential-stuffing attacks.
- Enable two-factor authentication (2FA): Adding 2FA to your accounts can provide an additional layer of security, making it more difficult for hackers to gain access.
- Monitor your accounts for suspicious activity: Keep a close eye on any notifications or unusual activity related to your genetic profile and other accounts linked to your email address.
- Review and adjust your privacy settings: Take the time to go through 23andMe’s privacy settings. If you’re concerned about your genetic data being used in research, contact its support team to understand what options you have for limiting data usage.
- Delete your 23andMe account: If you decide you no longer want to share your personal data with 23andMe, you can delete your account, although, as discussed, some of your genetic data may be retained. You can find out how to close your account here.
What are your legal options?
If your data was involved in the 23andMe breach, you could join a 23andMe data breach claim. Affected individuals can seek compensation for any financial or emotional harm caused by the breach.
At Join the Claim, we help victims connect with legal experts and take action. If you’ve been affected by the 23andMe breach, check your eligibility.