23andMe bankruptcy: How to delete your data and stay safe from the 2023 breach

The genetic testing company 23andMe filed for bankruptcy on Sunday, announcing that, in searching for financial stability through its sale to a new owner, the business will continue operating as normal, including in how customer data is handled.

“The company intends to continue operating its business in the ordinary course throughout the sale process,” 23andMe wrote in a news statement. “There are no changes to the way the company stores, manages, or protects customer data.”

For some customers, that’s exactly the problem.

In 2023, not only did the company suffer a major data breach, it also placed some of the blame on the victims who, according to 23andMe, “negligently recycled and failed to update their passwords.”  With concerns now swirling about exactly who will become the new steward of 23andMe’s data following its bankruptcy, customers are asking how they can secure their most private genetic information, if at all.

Here are two big steps that 23andMe customers can take right now:

1. Request that the company delete your data.
2. Discover whether your data was included in the 2023 breach.

These are two, separate actions that will not impact one another and should be both taken for separate reasons—the first, to ask that the company remove your data from its possession; the second, to know how to protect yourself if your data was leaked in the past.

What is happening?

Over the weekend, 23andMe announced that it would file for bankruptcy after months of financial decline. Though the company was valued at a reported $6 billion in 2021, its genetic testing business—in which customers can have their saliva tested for insights into their genealogy and potential health risks—has faltered. Just last week, the company was reportedly valued at $50 million.

To save the company and its operations, 23andMe’s leadership is now on the hunt for a new owner (and that new owner’s cash infusion). One potential bidder has already made their intent abundantly clear: Former CEO Anne Wojcicki, who resigned the same day that the company announced its bankruptcy.

“I have resigned as CEO of the company so I can be in the best position to pursue the company as an independent bidder,” Wojcicki wrote on LinkedIn.

Wojcicki faces an uphill battle, though—her earlier proposal to take the company private was rejected last year.

Whoever becomes the new owner of 23andMe, however, could also become the new owner of 23andMe customer data. According to the company’s own privacy statement:

“If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction.”

That has worried some experts who have pointed out that a new owner could, for instance, hand over customer data to insurance companies to hike up monthly premiums, or to data brokers to power increasingly invasive, targeted advertising.

How to delete your 23andMe data

For 23andMe customers who want to delete their data from 23andMe:

• Log into your account and navigate to Settings.
• Under Settings, scroll to the section titled 23andMe data. Select View.
• You will be asked to enter your date of birth for extra security. 
• In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (onto a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
• You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account. 

How to find your 23andMe data in the 2023 breach

In 2023, 23andMe suffered a data breach that impacted up to seven million people. Found being sold on the dark web, the data reportedly included “profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23AndMe’s health data.”

With the data, cybercriminals could learn about a person’s genealogy and potentially use some of the information to aid them in committing identity fraud.

There is no meaningful way to remove this data from the dark web. Instead, we recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the 2023 breach, and then to take additional steps to protect yourself.

If your data was exposed in the 23andMe breach, here is what you can do:

• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.