The 23andMe breach confirmed by the company in October affected about half of the genetic testing company's 14 million users, TechCrunch reports. The company first acknowledged Friday, in an SEC filing, that hackers were able to access the personal data of 0.1% of its customers, which would be about 14,000 people, and that the hackers were also able to access "a significant number of files containing profile information about other users' ancestry." A company spokesperson later acknowledged to TechCrunch that, because of 23andMe's DNA Relatives feature, an additional 6.9 million records were able to be accessed. The records of some users have been put up for sale on the dark web.
As NBC News reports, DNA Relatives allows users who opt in to see user information (including ancestry, DNA information, ZIP code, birth year, and family member names) about other 23andMe customers to whom they may be distantly related. The company says the aforementioned information, along with customer names, relationship labels, location, ancestry reports and other DNA-related information, for 5.5 million users was accessed; another 1.4 million people who opted in to DNA Relatives had their Family Tree profile information (which includes display names, relationship labels, birth year, and location) accessed.
A different 23andMe spokesperson tells the Verge, "We still do not have any indication that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks," which, the Verge notes, "is at odds with the fact that information from 6.9 million users is now in the hands of attackers." The initial records were accessed via "credential stuffing," in which hackers use usernames and passwords that were already compromised in breaches of other sites in order to force logins at 23andMe for users who reused those same credentials. At that point, the Verge notes that 23andMe's systems failed to prevent the records of other users from being accessed via DNA Relatives—a failure the site may be attempting to address by now requiring two-step verification, which used to be optional.
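The credential-stuffing pattern described above has a recognisable signature in authentication logs: one source tries many distinct accounts in a short window, most attempts fail, and the few successes are the accounts whose owners reused a leaked password. The following is an added example, not 23andMe's code or the reporting outlets' analysis; the log format, the sample log lines and the thresholds (five distinct accounts and a 50% failure rate within ten minutes) are constructed assumptions. It flags spraying sources and lists the accounts that succeeded during the spray, which are the ones a defender would force through a password reset and two-step verification enrolment.

```python
"""Detect credential-stuffing activity in authentication logs.

Added example (hypothetical log format and thresholds). Credential stuffing
replays username/password pairs leaked elsewhere, so a single source usually
touches many *distinct* accounts quickly with a high failure ratio.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
#   "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
# 203.0.113.7 sprays eight accounts in seven seconds (two succeed);
# 198.51.100.20 is one user mistyping then succeeding; 192.0.2.55 is a normal login.
SAMPLE_LOG = """\
2023-10-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2023-10-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2023-10-01T10:00:02 ip=203.0.113.7 user=carol result=ok
2023-10-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2023-10-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2023-10-01T10:00:05 ip=203.0.113.7 user=frank result=ok
2023-10-01T10:00:06 ip=203.0.113.7 user=grace result=fail
2023-10-01T10:00:07 ip=203.0.113.7 user=heidi result=fail
2023-10-01T10:05:00 ip=198.51.100.20 user=ivan result=fail
2023-10-01T10:05:30 ip=198.51.100.20 user=ivan result=ok
2023-10-01T11:00:00 ip=192.0.2.55 user=judy result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "ok"})
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for sources whose attempts, inside any sliding
    window, hit both the distinct-account and failure-ratio thresholds."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        hit = None
        compromised = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                # Any success inside a flagged window is a reused-credential victim.
                compromised.update(e["user"] for e in win if e["ok"])
                if hit is None or len(users) > hit["distinct_users"]:
                    hit = {"distinct_users": len(users),
                           "attempts": len(win), "failures": fails}
        if hit:
            hit["compromised"] = sorted(compromised)
            flagged[ip] = hit
    return flagged


def accounts_to_protect(events, **kw):
    """Accounts that logged in during a flagged spray: force a password reset
    and two-step verification enrolment for these."""
    protect = set()
    for info in find_stuffing_sources(events, **kw).values():
        protect.update(info["compromised"])
    return protect


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in find_stuffing_sources(evs).items():
        print(f"{ip}: {info}")
    print("accounts needing reset + 2FA:", sorted(accounts_to_protect(evs)))
```

The per-IP sliding window keeps a single user retrying a forgotten password (198.51.100.20) from tripping the rule, because the distinct-account count stays at one. In production the same logic would key on more than the source IP, since stuffing tools rotate through proxies, but the distinct-accounts-per-source signal is the core of it.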