Privacy and Security Check Up with 23andMe:
23andMe recognizes the importance of keeping your Personal Information safe and private. While our team regularly reviews and improves the 23andMe privacy and security practices, you also play a key role in keeping your data secure! This Privacy and Security Check Up highlights strategies commonly utilized by bad actors so you can stay aware and protect your data.
Contact privacy@23andme.com if you notice anything out of the ordinary with your account or if you discover any suspicious activity.
Phishing or Suspicious Emails, Calls or Texts Claiming to be from 23andMe
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker (masquerading as a trusted entity) tricks a user into opening an email attachment, clicking on a link or providing sensitive information. For example, if you receive an unexpected email or text (SMS) requesting your 23andMe username and password, then you are probably being phished. 23andMe will never ask for your account password. Below are some tips to identify and handle a suspicious email, phone call, or text and keep your data safe.
How do I know if an email, call or text is actually from 23andMe?
Even if a message appears to come from a trusted organization or person, never click on a link or provide your data if the email, call or text seems suspicious or is unexpected. If the text or email links to a URL that you do not recognize, then do not tap or click it without verifying who the sender is. If you do click on a link, then do not enter any personal information or download anything on the website that it opened. As a reminder, 23andMe employees will not ask you for personal information unless you reach out first. If you did not reach out to us, the best thing to do is ignore the message or hang up the phone.
| Secure ways our team may contact you | Ways our team will not contact you |
| --- | --- |
| Emails from our domain @23andme.com | Via email domains that are not @23andme.com, such as @23nme.com, @gmail.com or @outlook.com |
| Physical mail (upon initial request via email only or to fulfill shipping orders) | Unsolicited physical mail |
| Telephone (after initial email correspondence) | Unsolicited telephone calls or SMS text messages |
What kind of information do phishers want?
- Username and passwords
- Social Security Numbers
- Credit or debit card numbers
- Bank account numbers
- Birth date
- PINs (“Personal Identification Numbers”)
- Health Plan ID numbers
What does a phishing attempt look like?
- Unsolicited emails that contain attachments or mismatched links
- Messages that contain misspellings and bad grammar
- Generic salutations such as “Dear valued customer”
- Scare tactics or unusual sense of urgency requiring you to take action immediately
- Sender’s identity is unknown and not verified by someone you trust
- Email comes from an unrelated domain (e.g. gmail.com or outlook.com) but claims to be related to 23andMe. Be wary of emails that appear to come from donotreply@23andme.com but otherwise seem suspicious; phishing attempts may use look-alike domain names that closely resemble ours, e.g. donotreply@23anbme.com
- Prompts that result in downloading software to your device
- Unexpected phone calls or text messaging that asks you to reveal personal information or imposes a sense of urgency
What Should I Do if I Received a Suspicious Call, Email or Text?
Phishers cannot get information from you unless you give it to them, so do not click on any links in the messages or reply to them with personal information.
If you received a phishing phone call, here are some tips to stay alert:
- Check that the caller is using a phone number associated with the company they are claiming to call from.
- If you are not able to associate the phone number with the company or verify the caller, hang up immediately.
When you get an email that looks suspicious, here are a few things to check for:
- Check that the email address and the sender name match.
- Check the message headers to make sure the "from" header is not showing an incorrect address (e.g. donotreply@23nMe.com).
- Hover over any links or URLs with your mouse before you click on them in your browser. A description of the link will appear in a small dialog box around your mouse arrow or at the lower corner of your browser. If the URL or link does not match the description of the link, it might be leading you to a phishing site.
- Review a preview of the link if you are using your mobile device (Android, iOS, etc.). A small box that contains a preview of the link along with other prompts (e.g. Open, Open in New Tab, Copy) will appear if you press and hold on the link. If you do not feel comfortable reviewing the safety of a link on a mobile device, we recommend using a desktop or laptop browser instead.
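As an added example (not 23andMe's own code), the following Python applies the sender checks above to constructed From: headers: it flags addresses outside @23andme.com, look-alike domains such as 23anbme.com or 23nMe.com, and a display name that claims 23andMe while the real address does not. The look-alike edit-distance threshold is an assumption for this demo.

```python
from email.utils import parseaddr

LEGITIMATE_DOMAIN = "23andme.com"  # the only sender domain the page lists as legitimate
LOOKALIKE_MAX_EDITS = 2            # assumed threshold: 23anbme.com and 23nme.com are 1-2 edits away

# Constructed sample headers for the demo, not real messages.
SAMPLE_HEADERS = [
    "23andMe <donotreply@23andme.com>",
    "23andMe <donotreply@23anbme.com>",
    "23andMe Support <donotreply@23nMe.com>",
    "23andMe Support <help.desk@gmail.com>",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Parse a From: header and judge its domain: legitimate, lookalike or unrelated."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain == LEGITIMATE_DOMAIN:
        verdict = "legitimate"
    elif domain and (LEGITIMATE_DOMAIN in domain
                     or edit_distance(domain, LEGITIMATE_DOMAIN) <= LOOKALIKE_MAX_EDITS):
        verdict = "lookalike"   # near-miss spelling, or 23andme.com embedded in another domain
    else:
        verdict = "unrelated"   # e.g. a gmail.com address claiming to be 23andMe
    # Display name invokes 23andMe but the real address does not: name/address mismatch
    name_mismatch = "23andme" in display_name.lower().replace(" ", "") and verdict != "legitimate"
    return {"address": address, "domain": domain, "verdict": verdict,
            "name_mismatch": name_mismatch}


def scan_headers(headers):
    """Return the headers that deserve suspicion (anything not clearly legitimate)."""
    return [h for h in headers if classify_sender(h)["verdict"] != "legitimate"]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_sender(header))
```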
If you received a phishing email, then you may take the following actions:
- Forward the email to stop-scam@23andme.com - please note, we will not respond to your email except to provide a confirmation that we received it.
- Report the phishing email to your email provider.
- Delete the phishing email.
If you received phishing text messages, then you may follow the steps below. Please note, SMS fees may apply.
For iPhone, iPad, iPod Touch:
- Tap and hold the message that you want to forward.
- Tap More and then the Forward arrow.
- Enter stop-scam@23andme.com.
- Tap Send.
- Delete the message.
For Android:
- Tap and hold the message that you want to forward.
- Tap More and then Forward.
- Enter stop-scam@23andme.com.
- Tap Send.
- Delete the message.
What Should I Do if I Clicked a Link or Provided My Data?
If you provided login information, change your 23andMe password immediately to a new one that is strong and unique to 23andMe. Also, update your login credentials on any other websites where you use the same email/username and password combination. Remember, you should avoid using the same password for multiple accounts.
If you provided payment or bank information, immediately contact your financial institution.
If you provided your driver’s license, Social Security Number, or similar identification information, then you may want to take the following steps to protect yourself:
- Credit & Account Alerts: Consider putting a fraud alert on your credit files and accounts. Such alerts last for 90 days and they let potential creditors know to take extra steps to verify your identity when a credit application is processed. Such alerts will also inform you of changes to your credit score.
- Credit Freeze: You can place a credit freeze on your account with the three credit reporting agencies: Equifax, Transunion and Experian. The freeze stays in place until you request it be removed. For more information about credit freezes, please review the Federal Trade Commission (“FTC”) Credit Freeze FAQs.
- Credit Monitoring: You may want to explore additional credit monitoring solutions to monitor your accounts and credit for fraudulent activity.
Should I Report A Phishing Attack to Anyone Else?
After taking the steps to protect yourself, you also have the option to file additional reports and complaints with the appropriate authorities:
- Internet Crime Complaint Center (“IC3”) (www.ic3.gov): You may file a complaint with the IC3 if you believe you have been the victim of an Internet crime or if you want to file on behalf of another person you believe has been such a victim.
- Federal Trade Commission (“FTC”) (http://www.ftc.gov/ftc/contact.shtm): You can file a complaint to the FTC if you would like to report any deceptive or unfair business practices. You may also report any suspicious phone calls or text messages to the FTC.
- International Consumer Protection and Enforcement Network (“ICPEN”) (http://www.econsumer.gov): Complaints against companies outside of the United States are handled by ICPEN. Your complaints help consumer protection agencies around the world spot trends and work together to prevent international scams. You can find more internationally based fraud protection resources on their website.
- Internal Revenue Service (“IRS”) (https://www.irs.gov/): Report all unsolicited email claiming to be from the IRS or an IRS-related function to phishing@irs.gov. If you've experienced any monetary losses due to an IRS-related incident, please report it to the Treasury Inspector General Administration (TIGTA) and file a complaint with the Federal Trade Commission (FTC) through their Complaint Assistant to make the information available to investigators.
How Can I Keep My Data and 23andMe Account Secure?
We work hard to keep our customers’ Personal Information safe because we believe everyone deserves a private, secure place to learn more about themselves and their genetics. But the work does not stop there - your actions are just as important to keep your account and other data secure! Below are some steps you can take to secure your account and other data.
General Tips
- Enable 2-Step Verification for your 23andMe account for an extra layer of security. Instead of relying on a password only, two-factor authentication introduces a second check to help make sure that you, and only you, can access your 23andMe account.
- To log in to your 23andMe account, always navigate directly to the 23andMe website (www.23andme.com) or the 23andMe application.
- Keep your browser and operating system updated with the most current versions and patches. Patches are important because they are often released to address particular security threats.
- Scan your devices regularly for viruses, spyware, and adware.
- Select third-party applications you allow to connect to your 23andMe account with care. We suggest you review third-party applications that have access to your account from time to time in your Account Settings under Privacy/Sharing. You can then scroll down to the Connected Apps section for further review.
- Avoid using names or other identifying numbers (social security, birth date, phone number) for your unique email password and 23andMe password - check out some more recommendations in the Password Tips section!
- Use 2-Step Verification for your email account, if possible.
- Use secure and trusted devices to sign in to your account.
- Always log out of your email account or 23andMe account after a session.
- Be cautious about giving away your email address.
- Don’t click on links in emails or open attachments from unknown senders.
Password Tips
Create a strong and unique password for your 23andMe account, and an equally strong, unique password for your email address associated with your 23andMe account.
- Do's:
- Do use a different password for every service you use.
- Do create a password at least 8 characters long.
- Do use a mix of uppercase, lowercase, numbers, and symbols for your password to make it more complex and difficult to guess.
- Do keep your password in a safe place, like a separate password manager service to securely store your passwords.
- Don'ts:
- Do not use passwords with repetition, common dictionary words, usernames, pronouns, IDs, or other easy-to-guess sequences.
- Do not use any personal information in your password (e.g., phone numbers, birthdays, pet names, etc.) as those can be easily found online via social media.
- Do not allow browsers or mobile devices to remember your password.
- Do not reuse passwords across websites. Your 23andMe account password should be unique to 23andMe.
Browser Security Tips
- Keep both your browser and operating system updated.
- Be cautious of browser extensions, and only install extensions from trusted sources. Some malicious browser extensions may capture your passwords and credit card details, redirect your search traffic to unwanted sites, and even track everything you do online.
Alerts and Warnings
- You will receive 23andMe email address update alerts any time the email address associated with your 23andMe account is changed. We will send an email notification to the previously-used email address on your account. If you unexpectedly receive an alert, this may mean an unauthorized party accessed your account. The alerts will help you take the first steps to regain control of your account.
- You may use trusted third party services, such as Google’s Password Checkup extension or www.haveibeenpwned.com to check if your password and/or username/email address is compromised. Such services compare passwords and/or usernames/email addresses you are using against databases of known compromised credentials.
- If you get a pop-up saying that one of your passwords has been compromised, it may be a notification from your browser vendor or your operating system. For example, when you type your credentials into a website, Chrome and iOS will now warn you if your username and password have been compromised in a data breach on some site or app, and will suggest that you change them everywhere they were used.