23andMe Data Hack Raises Question: Is DNA Testing Secure?

Before tracing family roots and sharing your data, look at these concerns



If you’re putting together a family tree, curious about your ethnic roots or uncovering potential inherited diseases, submitting DNA samples can help you discover more about yourself.

By 2020, more than 30 million people globally had “started a DNA journey,” Ancestry’s then-chief executive, Margo Georgiadis, revealed in a blog post. Yet for all the possible rewards, is the journey safe?


For starters, make sure you’re ready for what you may learn. Families have discovered surprises that may be unpleasant, such as a living or deceased sibling Mom or Dad never mentioned.

Moreover, some privacy advocates say that mailing in a saliva sample, or even volunteering details about your family's past and present to fill gaps in a tree without surrendering any DNA, carries inherent risks.

Con artists look for vulnerabilities in websites

The point was driven home in October when a hacker leaked user data stolen from genetic testing company 23andMe onto an online forum. At that time, 23andMe said the criminal had been able to log in to just 0.1 percent of accounts, fewer than 14,000, by reusing usernames and passwords that had already been exposed in breaches of other websites, a technique known as credential stuffing. It works only against customers who use the same password on more than one site.

But two months later, the company disclosed that, starting from those accounts, the hacker had reached the profile data of 6.9 million users, roughly half the 23andMe customer base.

Leaked profile data appeared to target Ashkenazi Jews and people of Chinese descent. It contained display names, how recently the users had logged in to their accounts, predicted relationships and the percentage of DNA shared with close matches.

In some instances, it also included birth year, location, links to family trees, profile pictures and other photos. The data apparently was pulled through the optional DNA Relatives feature, which helps users identify genetic relatives by comparing autosomal chromosomes, the 22 pairs of human chromosomes other than the pair of sex chromosomes. Because the feature shows each user information about their matches, a single compromised account exposed data on many relatives who had never lost their own password.

23andMe, which Israeli internet analytics company Similarweb ranked as the fifth-most-visited ancestry and genealogy site worldwide as of Nov. 1, disabled some DNA Relatives features during its investigation and has since restored some of them. Customers were instructed to reset their passwords, and 23andMe now requires all users to employ two-factor authentication, so a password stolen from another site is no longer enough on its own to log in.
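The attack 23andMe described, one already-leaked password tried against each of many accounts, leaves a different trace in login logs than a brute-force attack that hammers a single account with many guesses. The following is an added example, not 23andMe's code and not from the article, that flags source addresses trying many distinct usernames with a high failure rate and lists the accounts that nonetheless succeeded (the ones a defender would force to reset and enroll in two-factor authentication). The log format, the IP addresses and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example for illustration. Log format "<timestamp> <ip> <username> <OK|FAIL>",
the thresholds and the addresses are assumptions; SAMPLE_LOG is constructed.
"""
from collections import defaultdict

# Constructed sample: one source tries ten different accounts once each and
# gets into two of them; a second source retries one account (brute force);
# a third is an ordinary single login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol OK
2023-10-01T10:00:03Z 203.0.113.7 dave FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank OK
2023-10-01T10:00:04Z 203.0.113.7 grace FAIL
2023-10-01T10:00:05Z 203.0.113.7 heidi FAIL
2023-10-01T10:00:05Z 203.0.113.7 ivan FAIL
2023-10-01T10:00:06Z 203.0.113.7 judy FAIL
2023-10-01T10:01:00Z 198.51.100.4 alice FAIL
2023-10-01T10:01:05Z 198.51.100.4 alice FAIL
2023-10-01T10:01:09Z 198.51.100.4 alice OK
2023-10-01T10:02:00Z 192.0.2.9 mallory OK
"""


def parse(log_text):
    """Yield (ip, username, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def stuffing_suspects(log_text, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that tried at least `min_accounts`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.

    Credential stuffing is wide (many accounts, about one guess each) rather
    than deep (one account, many guesses), so distinct-account count is the
    discriminating feature; the failure ratio separates it from a shared
    office or VPN egress address where most logins succeed.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()})
    for ip, user, ok in parse(log_text):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        if ok:
            stats["hits"].add(user)  # accounts the attacker actually got into
        else:
            stats["fails"] += 1

    suspects = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["fails"] / stats["total"]
        if len(stats["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            suspects[ip] = {
                "accounts_tried": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(stats["hits"]),
            }
    return suspects


if __name__ == "__main__":
    for ip, stats in stuffing_suspects(SAMPLE_LOG).items():
        print(ip, stats)
```

On the constructed sample only 203.0.113.7 is flagged: ten accounts tried, 80 percent failures, and two accounts (carol and frank) successfully entered. The single-account retries from 198.51.100.4 are a different pattern (brute force or a forgetful user) and are not flagged. Real stuffing campaigns are spread across thousands of proxy or residential addresses to stay under per-IP thresholds, so production detection also aggregates by time window, network range or device fingerprint, and treats a first-ever login from a new device as a signal in its own right.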

Other companies’ data is exposed

The 23andMe breach is not the only security incident to cloud in-home DNA testing.

In 2018. MyHeritage, the third-most-visited ancestry site in the U.S., revealed that email addresses and one-way "hashed" passwords of more than 92 million users of the DNA and genealogy service had been exposed. A hashed password is not the password itself: the site runs each password through a one-way mathematical function and stores only the result, which can be checked against a password you type but cannot be turned back into it. This has nothing to do with the dots or asterisks a login screen shows as you type; that masking only hides the characters on your screen.

MyHeritage claimed no accounts were compromised, since the hackers didn't have the actual user passwords. The hashes also used a key that differed for each customer (a "salt"), so the thieves could not use precomputed tables to match many hashes at once. The caveat: salting does not stop an attacker from guessing likely passwords for one account at a time, so anyone who used a short or common password, or reused one from another site, still had good reason to change it.
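To make the distinction above concrete, here is an added example, not MyHeritage's code, of salted one-way password hashing using PBKDF2-HMAC-SHA256 from Python's standard library. It shows that two users with the same password get different stored values, that verification works without ever recovering the password, and that an attacker holding a leaked salt-and-hash pair can still recover a weak password by guessing. The iteration count, the passwords and the word list are assumptions constructed for the demo.

```python
"""Salted one-way password hashing, and what a leaked hash still allows.

Added example (not MyHeritage's code). PBKDF2-HMAC-SHA256 from the standard
library; ITERATIONS is kept low so the demo runs quickly and is an assumption
for illustration, not a deployment recommendation (real systems use far more,
or a memory-hard function such as scrypt or Argon2).
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # demo value only


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password store different digests, and a table of
    precomputed hashes for common passwords cannot be matched against them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest from the typed password and compare in constant
    time. The stored digest is never reversed; it is only re-derived."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_leaked_hash(salt, digest, wordlist):
    """The offline guessing an attacker can do with a leaked (salt, digest).
    Salting does not prevent this; it only forces one full hash computation
    per guess per user instead of one lookup. Returns the password or None."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


# Constructed word list standing in for a dump of common / previously leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "genealogy1"]


def demo():
    """Constructed 'breach' of three stored records: two users who chose the same
    weak password, and one user with a long random password."""
    salt_a, digest_a = hash_password("genealogy1")
    salt_b, digest_b = hash_password("genealogy1")
    salt_c, digest_c = hash_password("u7#Kq9!vTz2^mLp4")
    return {
        "same_password_different_digests": digest_a != digest_b,
        "verify_ok": verify_password("genealogy1", salt_a, digest_a),
        "verify_wrong_rejected": verify_password("genealogy2", salt_a, digest_a),
        "weak_cracked": crack_leaked_hash(salt_a, digest_a, WORDLIST),
        "strong_cracked": crack_leaked_hash(salt_c, digest_c, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak password falls to the word list even though it was salted and hashed; the strong one survives because it is not in any list and is too long to enumerate. That is why a hashed-password breach still calls for a reset, and why the reuse of passwords across sites is the real exposure.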

In 2023. The Federal Trade Commission (FTC) reached a settlement with 1Health.io, formerly Vitagene, a San Francisco company that sold DNA health test kits to consumers. The agency had charged Vitagene with changing its privacy policy retroactively without notifying or obtaining consent from customers whose data the company had already collected.

The FTC also claimed that Vitagene deceived consumers about their ability to delete their own data. Over a two-year period, the agency said, it warned the company at least three times about storing unencrypted genetic, health and other personal information in publicly accessible cloud storage "buckets," where anyone who knew or guessed the address could read it. Vitagene has since discontinued its product line.

What are the risks of hacked databases?

Amassing information, not copying DNA. The danger in exposed data grows when it is combined with other data about the same person that is already known or is uncovered later. And no one knows how the emergence of artificial intelligence might play a role.


“There is a very real risk of impersonation using personal information stolen from the DNA/genealogy service, as there is with any data breach. But an identity criminal is not going to be able to replicate your DNA,” says James E. Lee, chief operating officer at the Identity Theft Resource Center in San Diego, which educates consumers on the risks of identity theft.

More convincing scams. With the risk of misusing your DNA extremely low, Lee says, “the most likely use of generative AI at the time is to craft a really believable phishing lure that could trick someone into sharing family or other personal information.”

More privacy breaches. Jennifer King, privacy and data policy fellow at the Stanford University Institute for Human-Centered Artificial Intelligence in California, worries about what could happen to user data in the long run if, say, a genetics company were to go belly-up or be sold to another enterprise that doesn’t provide the same protections.

Suzanne Bernstein, law fellow at the Electronic Privacy Information Center (EPIC) in Washington, shares the concern, especially in the absence of federal privacy laws.

“There’s plenty of reasons to do direct-to-consumer genetic testing, and it’s certainly not all bad,” Bernstein says.

No federal protections. But people need to be aware that the federal Health Insurance Portability and Accountability Act (HIPAA) privacy safeguards, which bind health care providers, insurers and their contractors, don't cover direct-to-consumer testing companies, she says. The onus to protect health and other personal information shouldn't fall on the consumer.

“The burden should be on these companies to implement strong privacy and data security standards,” she says.

The companies offer a mixed bag. A 2021 Consumer Reports investigation revealed that while direct-to-consumer genetic testing companies generally do a relatively decent job of protecting your DNA data, many “over-collect personal information about you and overshare some of your data with third parties.”

How much are you willing to reveal to the public?

Copies can live on. Ancestry customers have the option to create public or private family trees. People who are living are visible only to the tree owner and anyone the tree owner invites to see. If you upload files to a public tree that you later make private or delete, those files may continue to exist on family trees of people who saved them to their trees while your tree was public.

If you share a tree with a relative, you can let the relative contribute to or edit your tree or merely let the person read it without editing privileges. If you are working with cousins, say, and give them the ability to make changes to your tree, you also can decide whether or not they can see other people on the tree who are still alive.

For extreme privacy, Ancestry lets you create an unindexed tree that won’t show up in search results.


Publicity can help your research. Since building out a family tree typically involves detective work, the more you share, the more you may discover. It’s a balancing act.

“You don’t know who inherited the family Bible that has that information you need [or has] a picture of your second great-grandmother that you’ve never seen before,” says Jennifer Utley, a corporate genealogist at Ancestry.

Is your family cool with this?

King recommends asking your kids, grandkids or other relatives if they want to get involved or are OK with you adding them to a family tree. Not everyone will be.

“You have to understand that when you do this, it is not just about you,” King says. “It is also about everyone you’re related to. I think there’s the potential risk to individuals who are either of some high status or net worth, and/or the people who are associated or related to them.”

Can law enforcement access the DNA?

It depends. Company policies vary on what DNA may be shared with law enforcement.

For its part, 23andMe says, “Unless required to do so by law, we will not release a customer’s individual-level personal information to a law enforcement agency without asking for and receiving that customer’s explicit consent.”


Ancestry’s stance is similar: “DNA data is particularly sensitive, so we insist on a court order or search warrant as the minimum level of due process before we will review our ability to comply with a request. We also seek to put our customers’ privacy first, so we also will try to minimize the scope or even invalidate the warrant before complying.”

The two companies issue transparency reports that list such law enforcement requests. They don't happen often, but those policies bind only the company that holds your data; different rules may apply once you copy it to other services.

Site gives clues to a murderer. GEDmatch is an online site where you can upload raw DNA results from several testing companies, including Ancestry, FamilyTreeDNA, Living DNA, MyHeritage, tellmeGen and 23andMe, and compare them against one another. That way, you may find ancestors and genetic matches who tested with a company you have no direct relationship with.

If you’re worried about privacy, you can use an alias and anonymous email address at GEDmatch. But if you opt in, which the company recommends, GEDmatch says law enforcement may use your DNA “to identify perpetrators of violent crimes.”

Sacramento, California–area investigators used GEDmatch to unmask the Golden State Killer in 2018 by studying third cousins. Two years later, Joseph James DeAngelo pleaded guilty to 13 murders and 13 rape-related charges and was sentenced to life in prison without parole. GEDmatch says it began its opt-in policy in May 2019, so all its users now can choose whether to share their information with law enforcement.

“The more information that is gathered and the more widely that it is shared, it’s very hard to control downstream use of that information,” Bernstein says. “And all of this is hard for a consumer to meaningfully control.”
