A few days ago, I suggested a pause strategy while you ponder whether or not you wanted to delete your DNA file in light of the recent data exposure at 23andMe. I need to revise this with additional information today.
First and foremost, disabling DNA Relatives does NOT remove all matching. You need to remove Connections separately.
Second, there’s a report you can order from 23andMe to determine whether your account may have been individually compromised. I’ve described how to find it and how to use the information in the report.
This article includes several sections with important information about how these intertwined features at 23andMe work and instructions to protect yourself.
- An update on the breach situation with informational links
- Customer notifications
- Confusion regarding types of sharing – DNA Relatives vs Connections
- Explaining the difference between DNA Relatives and Connections
- Step-by-step instructions for removing Connections – disabling DNA Relatives doesn’t accomplish this or stop matching/linkage to Connections
- Who sees what, when?
- DNA Relatives and Connections comparison chart
- Account Event History – how to determine when your account was signed into, from where, what they (or you) did, and when
- Deletion instructions and caveats
Update on Breach Information
I’m not going to post anything from the hacker(s) – but please, in an abundance of caution, presume your data is now available publicly or will be when the hacker sells the balance of the accounts they have and act accordingly.
The hacker has posted millions of accounts already, and I know people who have found themselves in the “sample” download provided by the hacker to convince people that the breach and resulting data is for real. If you really want to see this for yourself, the hacker, Golem, is very active at BreachForums, under Leaks, 23andMe – but I DO NOT recommend hanging out there. I reached out to colleagues who work with security and breach monitoring services. I am not poking around myself.
This 23andMe customer information first appeared in August, not October, when a hacker by a different name on Hydra posted images of the accounts of Anne Wojcicki, CEO of 23andMe, and Sergey Brin, her former husband, CEO of Google. The hacker said that the information was obtained through an API provided by 23andMe to pharmaceutical companies. Additionally, the hacker said they had already sold all of that initial data to “an individual in Iran.” You can read about this here.
Furthermore, if what the hacker or hackers say is accurate, this situation is far more serious than a password recycling issue. I don’t want to speculate because I can’t verify, although many people have written to me to say two things:
- They were seeing leaked customer information weeks earlier
- They did use a unique password at 23andMe
Here are four additional articles that I suggest reading to understand the scope of the situation and why there’s so much uncertainty:
One of my blog readers asked why anyone would want to do this. Of course, there can be many or even multiple motivations, but based on some of the commentary, it appears that Jewish people were targeted and that the compiled identifying data was sold to Iran, which backs Hamas. If you’re a Jewish person, anyplace in the world, you have to be extremely concerned, especially since this test identifies your closest relatives and (if provided) the location where you live.
Both 23andMe and Ancestry display your current location if provided and selected. I NEVER recommend doing that under any circumstances. Of course, if the hacker gained access to individual accounts as reported and you entered that information, even if you didn’t choose to share it, they have it anyway.
Please note that so far, the only notifications received by 23andMe customers say that their information was revealed through DNA relatives, meaning that at least one of their matches’ accounts was compromised. No one, to my knowledge, has received a notification that their own account has been directly compromised. Perhaps 23andMe doesn’t know whose accounts were compromised yet.
Near the end of this article, I’ll show you how to obtain a list of all the activity that has taken place on your 23andMe account so you can see if there are logins from locations not your own or other suspicious activity.
According to the original announcements from 23andMe and others, the data exposure was a result of two things:
- Direct access to accounts due to reused passwords, allowing the hacker to sign in as the user and aggregate data. You can see if your email address has been found in a data breach at haveibeenpwned.com. I know this list is incomplete, though, because I’ve been notified by letter by other companies not listed there.
- DNA Relatives information shows DNA matches, segments, and your matches’ potential relationships to each other along with their shared data, permitting triangulation.
The more I read about this from credible sources, combined with how 23andMe has handled this situation, the more “uncomfortable” I become.
Before 23andMe even straightened this mess out, this week, they introduced a new “Total Health” subscription for the low price of $99 PER MONTH. Seriously. Billed as one payment of $1,188 per year. To me, this smacks of a company desperate for money.
How do we even begin to place any confidence in this service, given what has already been exposed and the unanswered questions? Especially given that for weeks, 23andMe dismissively replied to customers who informed them of the issue that their systems had not been accessed in an unauthorized manner. Not to mention, this announcement is entirely tone-deaf as we struggle to deal with what has already been exposed one way or another.
In response to this, if you still want to maintain your existing account at 23andMe, I have help for you. If you want to delete it, I’ve provided instructions for that too.
Questions and Challenges
I discovered that DNA Relatives and Connections don’t work in exactly the way I believed they did, and it’s very confusing. Nothing, not one thing that 23andme has provided has addressed exactly what information has been exposed or what customers can do other than change their password and add 2FA.
- Was the breach only DNA Relatives, or was it Connections, too?
- Connections is essentially a subset of DNA Relatives plus potentially some unrelated people.
- Not everyone has DNA Relatives enabled, but if not, Connections still exposes/exposed you if your account was individually breached.
- 23andMe only mentioned DNA Relatives, so you may think you’re in the clear if you don’t have DNA Relatives enabled. That’s inaccurate if you have any Connections and your account was individually breached.
- If the hacker did sign on to your account, Connections are equally vulnerable.
- The hacker could enable DNA Relatives without your knowledge to create a more lucrative fishing environment. I’ve provided instructions for how to determine if this might have happened.
Disabling DNA Relatives is not enough.
23andMe Sharing Options Are Confusing
I knew that DNA Relatives did not unilaterally disable Connections, but I did NOT realize how much information your Connections can see.
Over the years, 23andMe has revised how their sharing works. I remember when DNA Relatives opt-in and opt-out was added in 2014. It was extremely confusing then and still is.
DNA Relatives and Connections are confusing individually and together. I could not find any feature comparison or side-by-side table for each tool, either individually, compared to each other, or with both enabled.
Because of this confusion, what we need right now is a one-button invisibility cloak that we can click to JUST STOP being visible to everyone until we reverse the invisibility cloak by opting in again – without losing anything or being penalized.
That’s what most people think happens when you stop sharing through DNA Relatives, but it’s not.
There is no invisibility cloak at 23andMe like there is at other vendors.
No Invisibility Cloak
I spent a considerable amount of time over the past few days trying to figure out the differences between DNA Relatives and Connections.
Believe it or not, that information was almost impossible to find, as it was scattered piecemeal across several places.
Let me step you through where to find it, and then compile an easy reference.
If you sign on to your account, you can see on the left-hand side that you have several selections under DNA Relatives.
Under Connections, you have the statuses of Connected, Pending, and Not Connected.
If you mouse over Connections, you see a general description.
I have two separate tests at 23andMe, and I have DNA Relatives enabled on one of the tests and disabled on the other, so I can see the differences when compared to the same people.
I have 1803 DNA Relatives, meaning matches, but the connections option told me that 348 were also Connections.
Why Do I Have 348 Connections?
Remember that 23andMe limits your matches to 1500 without a subscription, and the lowest matches roll off your match list. The subscription, which was only introduced in the last year or so, raises that limit to 5,000 matches before the lowest matches roll off your match list.
The only way to prevent matches from rolling off your list was/is to “Connect” with them, either through DNA relatives or initiating messaging. So, for years, genealogists sent a connection request to every match they had, beginning with the smallest first, in order to preserve matches that would otherwise be gone. That’s why I have 1803 matches and not just 1500 like I do on the second account where I have not established “Connections.”
Given my number of matches at the other DNA testing companies, I would likely have well over 20,000 matches, so preserving as much as possible was important to genealogists.
I switched to a different account that I manage that opted out of DNA matching a decade ago, but has more Connections than I do with many of the same people that I match.
You can view your DNA Connections by clicking on Family & Friends and then on Your Connections.
As you can see on the left, you can either share “Ancestry” with these Connections, which means typical genealogy info, or “Health + Ancestry.” Relevant to the breach, your Ancestry Composition (ethnicity) results as compared to your Connections (and DNA Relatives) are shown.
You can invite anyone to connect with you, including people on your match list or anyone else you know who has tested. In other words, your spouse or a cousin whom you DON’T MATCH.
Here’s an example of a cousin by marriage who I’ve known for years. We connected even though we don’t match and are only related by marriage.
Some Connection invitations that you receive or send are for Ancestry only, and other invitations are for BOTH Ancestry and Health.
Melissa sent me a combined request for both Ancestry and Health.
Remember that the focus of 23andMe has always been medicine, big pharma and health. Unfortunately, 23andMe PRECHECKS to accept the Health sharing option when you’ve been invited to share Health. It’s easy to miss, so UNCHECK Health if you don’t want to share YOUR HEALTH INFORMATION. The only people I’ve ever shared Health with are my immediate family members.
I wanted to know what information was different about someone you’re NOT connected with and someone you’re connected with.
One of my DNA matches, Gwen, requested a Connection. Here’s the information I can see with Gwen before her Connection request.
I verified that this information is accurate by comparing Connections requests with a family member who is opted into DNA Relatives, one who is not, and also with my research-buddy cousin who is a Connection but not a match.
Any one person can potentially be:
- A DNA Relative and not a Connection
- A Connection and not a DNA Relative
- A Connection but not participating in DNA Relatives even though they are a match
Today, the information a Connection and a DNA Relative can see since 23andMe disabled some DNA Relatives features seems identical.
Gwen’s profile card shows her name, location where she lives, and year of birth, if provided and selected for display. She obviously did not allow her birth year to be displayed, but she did allow the city/state where she lives.
23andMe estimates how I may be related to Gwen and how much DNA we share.
Gwen’s family background, which I’ve blurred. I have removed my information as I ponder whether to delete my account or not.
Ancestry Composition (ethnicity) of both people. Note that even if DNA Relatives is not enabled, either person’s account can view the shared ethnicity of both accounts.
Amounts of Neanderthal Ancestry.
How Sharing Works
23andMe discussed sharing, but differentiating between DNA Relatives and Connections is unclear.
Based on my comparison and their descriptions, I think I’ve figured out the differences. Let’s begin with their description of how sharing works.
Here, they describe part of what Connections shows.
At this point, the features of DNA Relatives that were available IN ADDITION to what could be viewed in Connections have been disabled due to the breach.
The next image is part of the Connections section, followed by DNA Relatives.
I was surprised that Shared DNA was displayed using Connections alone, before 23andMe (possibly temporarily) disabled this functionality in response to the breach. I would have presumed that if you disabled DNA Relatives, your DNA would NOT have been shown to your DNA relatives.
DNA Relatives was necessary for advanced features, including viewing relationships between your matches, meaning you and two other people, and also between your matches and each other. That means you could compare them to each other.
That feature selection is now gone as well. For the record, this graphic was out of date anyway, but now it doesn’t matter.
Connections DOES have access to the tree calculated by 23andMe but (apparently) only for people you are connected with unless you have DNA Relatives enabled. Please note that all accounts managed by one person appear to be connected to each other, although that might not be universal. I manage four kits, and all of them are shown as connections to each other.
Considerations provided by 23andMe
Here’s what they don’t say.
Disabling Your DNA Relatives Option does NOT Change Connections
This is very important considering how much information Connections can view:
- Disabling DNA Relatives does NOT disable sharing. You can disable DNA Relatives across the board with one setting, but you CANNOT do that with Connections.
- Each Connection must be deleted individually.
After you disable DNA Relatives, as I described in this article under the heading “Opting Out of DNA Relatives,” you need to additionally remove each Connection if you genuinely don’t want to be seen by other people as a match. If you DO want to be seen as a match, then don’t disable DNA Relatives.
Disabling DNA Relatives will stop new matches from automatically occurring, but it won’t remove anyone you’ve previously added as a Connection.
To view and edit your connections, select “Your Connections” under “Family and Friends.”
For each Connection, click on the gear, then select which type of sharing to remove.
Please note that you may have to refresh the page to reload Connections, as there is no “load more” button, until you see the message, “You aren’t connected with anyone yet.”
Connections Versus DNA Relatives Chart
If you’ve had a hard time keeping this straight, me too. I created a chart that lists each feature and if it’s present in DNA Relatives, Connections, or both.
| Feature | Connections Only | DNA Relatives | Comment |
|---|---|---|---|
| Current Location, Year of Birth, Genetic Sex | Yes | Yes | If provided and selected for display |
| Additional info about yourself | Yes | Yes | If provided |
| Prevents Rolling Off Match List at Threshold | Yes | No | Only Connections or people you’ve initiated contact with are retained |
| Matches | Yes, only Connections | Yes | |
| Non-Relatives | Can send an invitation to people you’re not biologically related to, meaning not on your match list | No, only DNA matches | |
| Ancestry | Yes | Yes, plus shared matches and additional information | If selected |
| Health | If selected | If selected | |
| Shared DNA Percent | Yes | Yes | |
| Genetic Constructed Family Tree | Connections only | Yes, all | To about 4th generation shared ancestors |
| Family Background – birth places of grandparents | Yes | Yes | |
| Other ancestors’ birthplace | Yes | Yes | |
| External Family Tree Link | Yes | Yes | If provided |
| Ancestry Composition (ethnicity) | Yes | Yes | |
| Maternal, Paternal Haplogroups | Yes | Yes | Base to mid-level |
| Matching segments | Shown in 23andMe documentation, currently disabled | Yes, currently disabled | Disabled due to breach |
| Chromosome browser | Not shown in 23andMe documentation | Yes, currently disabled | Disabled due to breach |
| Shared matches | No | Yes, currently disabled | Disabled due to breach |
| Triangulation | No | Was changed recently to be more difficult, now disabled | Disabled due to breach |
| Shared Matches compared to each other’s tests | No | Yes, currently disabled | Disabled due to breach |
| Shared Matches relationships to each other | No | Yes, currently disabled | Disabled due to breach |
| Download Matches | I don’t think so, but I can’t positively confirm | Yes, currently disabled | Disabled due to breach |
| Download Segment information | No | Yes, currently disabled | Disabled due to breach |
| Download Raw data file (Your own) | Yes | Yes | |
Now that you know what can be seen and done and by whom, let’s take a look at how your account has been accessed.
Account Event History – Who Signed In To Your Account?
There’s a little-known feature at 23andMe that you can utilize to view the locations of sign-ins to your account and what was done, including changes and file download requests.
Navigate to settings.
Scroll down to “23andMe Data,” then click on View.
Scroll to profile data, click on “Account Event History,” then “Request Download.” 23andMe says it may take several days, but mine was ready the following day. You’ll receive a link to sign in and download a spreadsheet. Click on the blue “Account Event History” to download the report.
At the top, you’ll see column names. Please note that I added the Location column to record the results of the “Client IP Addr” lookup.
The “Client IP Addr” field is a record of where the login was initiated from. It’s your electronic address, or more specifically, the public address assigned by your internet provider, and a location lookup on it may not resolve to the exact town where you live, but to someplace close. I’ve blurred mine, but not where failed logins originated.
As you can see, on May 1, 7, and 10, someone tried to sign in with my email address. It wasn’t me or the region where I live, and I was not traveling.
I was able to track these IP addresses to cities but not to individuals, of course. One tracked to a specific Internet Service Provider in that city, but nothing more.
However, that tells me that someone tried three times to use what was probably a compromised password. Thank goodness I don’t reuse passwords.
I also need to mention that you can find legitimate differences in location. For example, if you are traveling or use tools like Genetic Affairs that sign on on your behalf from their location, the IP address will reflect connection services from those locations.
You will also see interesting IP addresses, like that 127 address, which is the loopback address of the host computer. That means the 23andMe host itself recorded the change. In essence, that means that another 23andMe user removed sharing with me. That’s clearly legitimate.
I did not see any successful sign-ins from unauthorized locations. If you see a successful sign-in from an unknown location that’s not close to your home sometime in 2022 or 2023, and you weren’t traveling, nor using a location masking tool like Tor, then please notify 23andMe immediately.
The notification email I received from 23andMe was that my information had been exposed through DNA Relatives. Based on their notification in addition to the information in my report, my personal account does not appear to be individually breached.
23andMe clearly has access to this IP address information for all users, so I’m really surprised that they have not notified anyone, at least not that I know of, that their accounts have been DIRECTLY compromised – meaning NOT through DNA Relatives. Even if someone signed on using the correct password, there could/should be some pattern of sign-ons from unusual locations for a group of customers during this time.
Of course, if the hacker was telling the truth and the breach was NOT through password reuse (credential stuffing) but through an API, neither users nor 23andMe may see unauthorized account accesses. I hope 23andMe and the professionals they have retained are able to sniff out the difference and will update their customers soon.
Regardless, I recommend requesting and reviewing this report and implementing 2FA everyplace that you can.
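As an added illustration of the review described above (example code written for this article, not a 23andMe tool), here is a small script that reads an Account Event History export and flags the three things worth looking at first: repeated failed logins per address, successful events from addresses outside networks you recognise, and loopback (127.x) entries recorded by the 23andMe host itself. Only the “Client IP Addr” column name comes from the report; the other column names, event names and the sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample resembling the Account Event History spreadsheet.
# "Client IP Addr" is the real column name from the report; Timestamp, Event,
# Status and the values in them are assumptions made for this example.
SAMPLE_CSV = """Timestamp,Event,Status,Client IP Addr
2023-04-20 08:12:03,login,success,198.51.100.23
2023-05-01 02:41:55,login,failure,203.0.113.77
2023-05-07 03:10:12,login,failure,203.0.113.78
2023-05-10 04:02:40,login,failure,203.0.113.77
2023-05-15 19:30:01,sharing_removed,success,127.0.0.1
2023-06-02 11:05:19,login,success,198.51.100.40
2023-07-18 22:47:33,login,success,192.0.2.9
2023-07-18 22:49:10,download_requested,success,192.0.2.9
"""

# Networks you know are yours: home ISP range, workplace, or a service such as
# Genetic Affairs that signs in on your behalf. Assumed value for the example.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def classify_ip(ip_text):
    """Return 'server', 'known', 'unknown' or 'invalid' for one Client IP Addr value."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    if ip.is_loopback:  # 127.x: the 23andMe host recorded the event itself
        return "server"
    if any(ip in net for net in KNOWN_NETWORKS):
        return "known"
    return "unknown"


def review_history(csv_text):
    """Parse the export and return the anomalies a reviewer should look at first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    failed_by_ip = Counter()
    unknown_success = []
    server_side = []
    for row in rows:
        kind = classify_ip(row["Client IP Addr"])
        if kind == "server":
            server_side.append(row)
        elif row["Event"] == "login" and row["Status"] == "failure":
            failed_by_ip[row["Client IP Addr"]] += 1
        elif kind == "unknown" and row["Status"] == "success":
            # A successful action from an address you do not recognise is the
            # case the article says to report to 23andMe immediately.
            unknown_success.append(row)
    return {
        "failed_logins_by_ip": dict(failed_by_ip),
        "unknown_successful_events": unknown_success,
        "server_side_events": server_side,
    }


def main():
    report = review_history(SAMPLE_CSV)
    for ip, n in report["failed_logins_by_ip"].items():
        print(f"{n} failed login(s) from {ip}")
    for row in report["unknown_successful_events"]:
        print(f"REVIEW: {row['Timestamp']} {row['Event']} from unknown address {row['Client IP Addr']}")
    for row in report["server_side_events"]:
        print(f"server-side: {row['Timestamp']} {row['Event']}")


if __name__ == "__main__":
    main()
```

To use it on your own report, export the spreadsheet as CSV, adjust the column names to match the file, and put your own address ranges in KNOWN_NETWORKS.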
Deleting Your Profile
Based on your comfort level, you may decide to delete your test at 23andMe. It’s a personal decision that everyone has to make for themselves. There is no universally right or wrong decision, and I’m not recommending either way.
Before I show how to delete your data, be aware that IF YOU MANAGE MULTIPLE PROFILES, YOU NEED TO CONTACT CUSTOMER CARE UNLESS YOU WANT TO DELETE ALL THE PROFILES.
- If you want to delete only your profile, you can transfer other profiles under your care to someone else.
- If you manage multiple profiles and click delete, all of the profiles you manage will be deleted.
To find the delete function, click on the down arrow by your initials at top right, then on Settings.
Scroll to the very bottom.
Click on “View,” then scroll to the bottom to the Delete Data section.
23andMe provides links in this section to review, so please do. This includes information about how to transfer profiles and things to consider.
If you want to download your raw DNA file to use as an upload to other vendors, be sure to do it before you delete, because it won’t be available after. You can find instructions, here.
Remember, delete is permanent, and you’ll need to pay to retest if you change your mind.
I hope this information has helped organize and explain things in a logical manner.
To recap, to become totally invisible, meaning no other tester can see you:
- Disable DNA Relatives
- Delete Connections individually and selectively
If you delete connections and those matches are lower than your 1,500th match, they will roll off your match list unless you have a subscription, and then it’s 5,000.
- Request your Account Event History and review for anomalies.
- For security purposes, change your password to one you have not used elsewhere, if you have not already, and enable 2FA.
I hope that 23andMe has or will take care of whatever issues they have, post haste, and will be transparent about what actually happened. I also hope they will find a way to re-enable the tools that have been disabled. That functionality is critically important to genealogists, and without those tools and the lack of trees, there’s little reason for genealogists to test at 23andMe.
We can’t change what has already happened. Each one of us has to decide whether we want our test to remain at 23andMe and, if so, what steps we want to take to move forward successfully.
I hope this information helps you decide how to handle the situation and perhaps relieve some anxiety. Now you know how to check your activity report, understand who sees what in DNA Relatives and Connections, associated options, what needs to be done, and how to take appropriate action.
You probably have observed and will continue to see other vendors implementing additional security measures, such as required 2FA, precautions against account scraping, and not accepting uploads from 23andMe in case the hacker downloaded DNA files.
These revisions may be temporary or permanent, or some of each. I’m grateful for each vendor taking steps to protect our information from unauthorized access. I’ll write more after things settle down and we better understand the new landscape.