NEW YORK – A data breach at 23andMe in October has affected a total of 6.9 million user profiles, the company disclosed on Monday.
In a regulatory filing last Friday, the consumer genetic testing company said its investigation found that 0.1 percent of its users, or about 14,000 accounts, were initially accessed by a threat actor using login credentials obtained from breaches of other websites, a technique known as credential stuffing. The owners of those 23andMe accounts had apparently reused the same usernames and passwords elsewhere, so no vulnerability in 23andMe's own login system was needed to get in.
The information the unauthorized user was able to get in this way "generally included" ancestry information, as well as, for a subset of customers, health-related information based on genetics, according to the firm.
However, in addition, 23andMe confirmed this week that the threat actor used those accounts to obtain ancestry information on 6.9 million other users who were connected to them through the firm's DNA Relatives feature, which shows each opted-in user the profiles of people they share DNA with. Of those, 5.5 million had their DNA Relatives profile files accessed and 1.4 million had their Family Tree profile information accessed, the Family Tree profile being a subset of the DNA Relatives profile.
According to the company, the Family Tree profile includes a user's display name and relationship labels and may contain birth year and location if provided. The DNA Relatives profile, in addition, may include percentage DNA shared with matches, ancestry reports, matching DNA segments on specific chromosomes, ancestor birth locations and family names, a profile picture, links to a family tree, and other information the user may have included.
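The two stages described above, credential stuffing against the login endpoint and then scraping relative profiles through the compromised accounts, each leave a distinct signal in ordinary access logs. The following is an added example written for this page, not 23andMe's code or any detail of its systems: it runs two simple heuristics over constructed log records (the IP addresses, usernames, profile identifiers, event field layout and thresholds are all assumptions chosen for illustration). The first flags a source IP that tries many distinct usernames with a high failure rate inside a short window; the second flags an authenticated account that pulls an unusually large number of other users' relative profiles in an hour.

```python
"""Detection heuristics for the breach pattern above (added example, not 23andMe's code).

1. Credential stuffing: one source IP attempts many distinct usernames with a
   high failure rate inside a short window. A few of those attempts succeed,
   which is exactly what reused credentials look like from the server side.
2. Relative-graph scraping: one authenticated account fetches far more other
   users' relative profiles than a person browsing matches by hand would.

All events below are constructed for the example; field layout is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2023, 10, 1, 12, 0, 0)

# Constructed login events: (timestamp, source IP, username, succeeded?)
LOGIN_EVENTS = []
# Assumed attacker IP: 12 different usernames in 12 seconds, 2 of them succeed.
for i in range(12):
    LOGIN_EVENTS.append((BASE + timedelta(seconds=i), "203.0.113.7",
                         f"user{i:02d}@example.test", i in (3, 8)))
# Assumed benign user: mistypes the password twice, then logs in.
for i, ok in enumerate((False, False, True)):
    LOGIN_EVENTS.append((BASE + timedelta(seconds=30 * i), "198.51.100.4",
                         "alice@example.test", ok))

# Constructed profile-fetch events: (timestamp, account, relative profile id)
PROFILE_FETCHES = []
# Assumed compromised account walking its relatives list: 120 profiles in 30 min.
for i in range(120):
    PROFILE_FETCHES.append((BASE + timedelta(seconds=15 * i), "user03@example.test",
                            f"rel-{i:04d}"))
# Assumed benign browsing: 8 profiles over an hour.
for i in range(8):
    PROFILE_FETCHES.append((BASE + timedelta(minutes=7 * i), "bob@example.test",
                            f"rel-{900 + i:04d}"))


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_failure_rate=0.6):
    """Return {ip: (distinct_users, failures, attempts)} for IPs that, within
    any window-long span of their own events, hit at least min_distinct_users
    usernames with a failure rate of at least min_failure_rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            # Sliding window anchored at each event in turn.
            span = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_distinct_users and failures / len(span) >= min_failure_rate:
                flagged[ip] = (len(users), failures, len(span))
                break
    return flagged


def detect_relative_scraping(fetches, window=timedelta(hours=1), max_profiles=50):
    """Return {account: distinct_profiles} for accounts that fetch more than
    max_profiles distinct relative profiles inside any window-long span."""
    by_account = defaultdict(list)
    for ts, account, target in fetches:
        by_account[account].append((ts, target))
    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            targets = {t for ts, t in rows[i:] if ts - start <= window}
            if len(targets) > max_profiles:
                flagged[account] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(LOGIN_EVENTS))
    print("relative scraping:", detect_relative_scraping(PROFILE_FETCHES))
```

Note that the stuffing detector deliberately keys on the source IP and the spread of usernames rather than on failed logins for a single account: the compromised accounts in this kind of attack often see exactly one successful login each, so per-account lockout thresholds never fire. The scraping detector is the control that actually limits blast radius, since a credential-stuffing success only exposes one account until the relatives feature is enumerated. Both thresholds are illustrative and would be tuned against real traffic.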
A spokesperson for 23andMe said in an email on Tuesday that the company is taking additional steps to protect its customer data, such as requiring all customers to reset their passwords and to use two-step verification to log in.