Last Friday, genetic testing firm 23andMe revealed that hackers had accessed personal data belonging to approximately 0.1% of its customers, roughly 14,000 individuals. Through these compromised accounts, the hackers were also able to reach a substantial amount of profile information about other users’ ancestry. The company did not specify the scale of impact on these “other users” in its initial disclosure in early October.

However, it has now come to light that a significant number of other users were affected by this breach—totaling 6.9 million individuals. According to a statement from 23andMe’s spokesperson Katie Watson, hackers accessed the personal details of around 5.5 million people who had opted into the DNA Relatives feature, which allows data sharing among customers. The stolen information encompassed names, birth years, relationship labels, shared DNA percentages with relatives, ancestry reports, and self-reported locations.

Additionally, another group of approximately 1.4 million users who had also opted into DNA Relatives had their Family Tree profile data compromised. This included display names, relationship labels, birth years, self-reported locations, and whether they had chosen to share their information.

Interestingly, 23andMe did not reveal these specific numbers in its initial disclosure, prompting questions about the extent of the breach. With these new figures, it’s estimated that nearly half of 23andMe’s reported 14 million customers have been affected.

The breach was initially brought to light in early October when a hacker claimed on a renowned hacking forum to have accessed the DNA information of 23andMe users. Subsequently, this hacker released alleged data of specific user groups and attempted to sell this information. Another hacker on a different forum had advertised a set of supposedly stolen 23andMe customer data two months before the widely publicized advertisement.

Upon analysis, it was discovered that some of the leaked data matched genetic information shared online by enthusiasts and genealogists. Despite differences in formatting, both sets contained overlapping user and genetic data, indicating that the leaked data was likely authentic 23andMe customer data.

23andMe attributed the breach to customers reusing passwords, which enabled hackers to use known passwords from other breaches to gain unauthorized access, a technique known as credential stuffing. The design of the DNA Relatives feature exacerbated the impact: breaching a single account gave hackers access not only to the account holder’s data but also to their relatives’ information.