What’s Changed? – Autosomal DNA Vendor Feature Changes Since the 23andMe Data Compromise

The 23andMe customer data compromise has reverberated throughout the technology industry, not limited to DNA testing.

The 23andMe compromise has provided the impetus for reflection and security and policy reviews at each DNA testing vendor.

That’s a good thing.

What has been and remains challenging is keeping track of which features have been disabled and are no longer available at each vendor as the vendors, including 23andMe, attempt to right themselves from this blow. Unfortunately, or maybe fortunately, we can’t just return to “business as usual.”

Some of these feature removals may only be paused, and a few have already returned. Some may never be resumed.

We don’t really know yet.

If you’re having trouble keeping track, welcome to the club.

The features that have been disabled are features that were exploited at 23andMe or could have been exploited by bad actors who signed on “as you,” exposing not only your data but that of your matches in one way or another.

To be very clear, there was no data leak or compromise at any other vendor, but some other vendors provide(d) similar features for their customers. Every vendor offering DNA testing to genealogists had to stop, pause, and reevaluate their security measures. That’s exactly what they should have done. Genetic genealogy is a team sport where compromising one person’s account exposes at least some information about thousands more individuals.

Every company has proceeded somewhat differently based on how their features work.

I’ve compiled a chart listing the four primary vendors alphabetically, with affected features.

The Scorecard

In this chart, “Not available” means the feature was available before the 23andMe incident but is not currently available.

| Feature | 23andMe | Ancestry | FamilyTreeDNA | MyHeritage |
|---|---|---|---|---|
| Two-factor Authentication (2FA)[1] | Required | Required | Will be required for project administrators and available for all users[2] | Will be required soon. |
| Forced Password Reset | Yes | No | May be required for project administrators. | Yes |
| Match information download[3] | Not available | Never was available | Not available until after 2FA implementation | Not available |
| Matching segment download[4] | Not available | Never was available | Not available until after 2FA implementation | Not available |
| Shared matches[5] | Not available | Available[6] | Available | Available |
| Shared matches who match each other | Not available | Never was available | Available thru Matrix, but not segments | Partially available through triangulation |
| Shared matches match segments | Not available | Never was available | Never was available | Never was available |
| Shared matches relationship to each other | Not available | Never was available | Never was available | Predicted available |
| Triangulation | Not available | Never was available | Available[7] | Available |
| Chromosome Browser | Not available | Never was available | Available | Available |
| Daily matching or browse rate limited[8] | No | No | No | Yes |
| Shared ethnicity with matches[9] | Not available | Available | Available by opt-in | Not available |
| Filter matches by ethnicity | Never was available | Never was available | Never was available | Not available |
| Accepts 23andMe DNA file uploads | Not applicable | Never was available | Paused | Not restricted but not available because 23andMe does not currently allow the download of your raw data file |

Other features remain unchanged, so they are not mentioned.

I think I accounted for everything that has changed, including some features already resumed at MyHeritage.

23andMe has not stated if or when they will return any of the functionality that has been removed.

FamilyTreeDNA plans to return their paused features after 2FA has been implemented in early 2024.

Please note that this information may change at any time.

[1] There has been a great deal of gnashing of teeth surrounding 2FA and how it’s implemented at each vendor. If you experience issues, please contact the vendor in question.

[2] At FamilyTreeDNA, testers utilize a kit number as their username, not their name or email. Nowhere is the kit number publicly associated with the user’s name. In the 23andMe breach, users’ email addresses and passwords had been exposed in earlier breaches, so the hacker simply tried the same username and password at 23andMe, with great success. That scenario cannot occur at FamilyTreeDNA because the username is not the user’s email address, which is why 2FA is not required for users. Administrators can select their username, so they will be required to utilize 2FA soon.

[3] This means information about your DNA matches other than your matching segments, such as email address, maternal or paternal matches, notes, surnames, and other relevant information.

[4] Matching segment information for each match. Used for triangulation, ancestor identification, and at DNAPainter.

[5] Shared matches between you and another match.

[6] Ancestry has recently announced that they will require a membership to view several features available with a DNA test, including Common Ancestors (ThruLines), Notes, Trees, Groups, and filtering matches by unviewed status. These features will not be available to DNA testers without an Ancestry subscription.

[7] Available if maternal/paternal matching is enabled. When matching, each individual who matches the tester and other testers and is bucketed on the same maternal/paternal side will triangulate on at least one segment.

[8] This is to prevent data scraping if a bad actor gains access to your account.

[9] The 23andMe data was reported to have focused on both Jewish and Chinese customers.

16 thoughts on “What’s Changed? – Autosomal DNA Vendor Feature Changes Since the 23andMe Data Compromise”

  1. Thank you for all this information. I do like the two factor authentication.
    I use it everywhere it is offered.
    Rosemary

  2. Thanks, Roberta. I can’t say I like it but I’m learning to deal with the two-factor authentication and do appreciate why it’s necessary.
    Lou

  3. Thanks – it’s a good, detailed summary.
    I have one comment – 23andme have had rate-limiting for at least a year – the dreaded error 429. It is just hard to detect at the moment because you can’t do anything useful.
    I suspect the reason rate-limiting was implemented by 23 and MyH was related to evening out the server load across genuine users rather than bad actors.

  4. Thank you, Roberta, so much for taking the time to sort this out, putting it all together in such a useful chart, and sharing it with us in a more easily digestible format !!!
    I sure hope that there is intention to see the return of the DNA tools needed for genetic genealogy.
    Your help and influence is MUCH appreciated.

  5. For MH at first the number of DNA matches I could look at was limited. Then it completely shut down. The message was you used up your number of reviews today and come back tomorrow. I got this message after some weeks of not accessing. And the next day same message. And next day same. I then learned that 2FA would solve this problem but it required a cell phone. After some time they added 2FA using an email address. I did not push the activity but it certainly eliminated the time outs.

  6. On MH you can go to your match list and then click on a match. If you scroll down you can see the chromosome browser and the segments you share with that match. You can download this data in an Excel spreadsheet for the two of you.
    If you then click on a shared match that you triangulate with, you can see the chromosome browser and see the segments that you share the match and their shared match and the triangulation box. You can also download this information on you and these two matches to a spreadsheet. Chr# start stop.

    I know it is not as convenient as downloading a full file for everyone and the segments they share but you can still work individually with their matches.

  7. You have this
    Shared matches relationship to each other

    I think this is a feature that was only available at 23andme, if I understand what you are trying to say. This is when you can compare a match to another match without you.

    There is something though that I would mention. That is when you are looking at the shared match list. So for a shared match it will show how you are related to this shared match and then also how the match is related to the shared match. Ancestry does not provide this. The other companies do.

  8. One possible victim of the DNA hacking is Geneanet. They offered to upload raw DNA from many companies and offered DNA matching and you could download a match list. I liked Geneanet because the chromosome browser showed weighted and non-weighted segments for Timber for Ancestry accounts in different colors.

    Geneanet said the addition for the DNA upload and features did not meet expectations and they discontinued that service and feature from their website. I just wonder if they decided to take on this problem with DNA security. Geneanet was purchased by Ancestry, which does not offer a chromosome browser because of their concern for privacy.

  9. LivingDNA lets you see the chromosome browser of all your matches. You can click on copy and then paste the segment data for the one match you are reviewing. You also can see the shared matches of a match and the relationship of the shared match to you and to the match.

  10. I have had 2FA from FTDNA from day one, a decade and a half ago: a user ID and password. So for me it has ALWAYS been there. Their update seems to me to be to the same kind of 2FA as the other companies.
    Thank you so much for the comparison table. Really helps.

  11. Very concise helpful summary and thanks. I have noticed something recently at Ancestry regarding the Thrulines review of potential matching family files to your tree. At the top of the column where there used to be listed numbers dna matches with family trees listed for most or many of my reviews, there are now none? That is not the way it used to be. Do you know if ancestry has changed anything or am I just filling in my thrulines so well (lol) that they don’t show any more.

    • I think there’s an issue and you need to contact Ancestry. I still have the statement at the top that says “ThruLines® uses Ancestry® trees to suggest that you may be related to 90 DNA matches through Margaret Herrell” and if I switch to list view, I can see each match. If I click on that match, I can see their tree. I do seem to remember a display at the right hand side of the page with all the tree links listed, and if that’s what you’re talking about, I don’t see that either.

      • Thanks for your reply. My post wasn’t real clear so let me try again. When I open my ThruLines for an individual ancestor and click on the first prospective descendant not yet in my tree (the one with the dashed line green outlined box), then a pop-up sidebar shows to the right with three levels of data in a long rectangular dropdown. The name of the prospective descendant is at top then 1) Relationship Records, 2) Trees linked to DNA Matches and 3) Ancestor Member Trees. I have noted that contrary to earlier pre-bad-actor days, I no longer have listed in the circular DNA matches green icon any numbers of DNA linked trees except zero. I know this not to be true in certain examples as I am already linked to DNA matches within some of these very trees? Maybe I have done such a good job of filling in my ThruLines that I have caught most of them (hardly) but I no longer see the linked DNA numbers when they should be available. I do not have a problem with printing out the ThruLines I have already compiled thru recent generations of DNA testers that match me and that part of the summary page as you described in your reply seems to be fine. Not wanting to take up a lot of your time with this as you say it is most likely an Ancestry issue but with the recent troubling threats and changes to DNA family tree services I thought I should mention it in case others have noted a similar phenomenon?

        Unlike some reports I have heard, ThruLines still seems to work for me otherwise. I used to use the green dotted circular numbers to help me choose the best tree that had dna linkages and data concordant with my tree is why I ask. Hope this makes more sense.

  12. Since the 23andMe break-in and email 2FA login, I’ve been concerned that people are still trying to break in, because 2 separate times I tried to log in and I had to pick a new password because of multiple failed login attempts. That would have been using my email credential, of course. That is quite concerning. I hope they catch those jerks and do some petard hoisting.
