Millions of people who use the ancestry site 23andMe may have been affected by a major data breach that happened recently.
The company revealed through an SEC filing that hackers compromised roughly 14,000 accounts out of its 14 million customers, or 0.1% of its total customer base.
The big concern, though, comes from what the company revealed next. The hackers were also able to exploit what 23andMe calls its DNAR, or DNA Relatives, feature. When users opt in to this feature, it matches them to other genetic relatives who use the service.
A spokesperson for 23andMe told media outlets that the hackers were able to gain access to about 5.5 million DNAR profiles in that fashion, plus the Family Tree information from another 1.4 million people.
23andMe says hackers stole ancestry data on 6.9M users, about half of its customers, via a breach first disclosed in Oct., by leveraging access to ~14K accounts (@lorenzofb / TechCrunch) https://t.co/PPxpn0RjSX
— Techmeme (@Techmeme) December 4, 2023
Those profiles include sensitive data such as locations, display names, and even the percentage of DNA that users share with other potential relatives. The profiles for the Family Tree function also include information that users may have added to their accounts, such as their birth year.
The data breach was revealed back in October, at which time 23andMe said they “found that no genetic testing results have been leaked.”
However, the SEC filing said that the compromised information may have included “health-related information based upon the user’s genetics.”
23andMe suggested that all users who were affected by the breach should update their passwords immediately. In addition, the company initiated two-factor authentication to give all users an extra layer of protection.
Last Friday, the company said its investigation into the incident is now complete, and everyone who was affected by it will be notified directly. It is also working to get the user information that was posted publicly online taken down.
23andMe also wrote in the SEC filing that it “believes that the threat actor activity is contained.”
Officials in states across the country have pressed 23andMe for months now to reveal more details about the breach so they can work to help their residents who were affected.
In late October, for instance, William Tong, the attorney general of Connecticut, wanted more details, particularly because the sensitive records of people with Chinese heritage and Ashkenazi Jewish people were exposed.
Officials such as Tong have been concerned about the potential that people could use the information to target some users for hate crimes and harassment.