DNA testing company 23andMe said data from 6.9 million users was leaked in a recent hack. The incident affected 5.5 million users with active DNA Relatives (matching people with similar DNA) and 1.4 million users with family tree profiles.
The company disclosed details of the incident in a filing with the US Securities and Exchange Commission (SEC) and on its official blog. According to 23andMe, the attackers gained access through credential stuffing: people often reuse the same logins and passwords across services, so credentials compromised at one service unlock accounts at others. This allowed the hackers to log into about 0.1% (14,000) of the accounts in the company’s system. They then used the DNA Relatives feature, which matches users with their likely relatives, to obtain additional information from several million other profiles.
The first information about the incident emerged in October, when 23andMe confirmed that its users’ data was being offered for sale on the dark web. The company subsequently said it was investigating reports of the publication of 4 million genetic profiles of people in the UK, as well as of “the richest people living in the US and Western Europe”. The leaked data on 5.5 million DNA Relatives users included their display names, likely relationships to other users, the number of users with DNA matches, ancestry information, user-supplied locations, ancestral birthplaces, last names, profile pictures and more. A further 1.4 million users had family tree profiles from which display names, family relationships, birth years and user-supplied locations were stolen; this second data set did not contain DNA match levels.
23andMe said it is continuing to notify users affected by the leak. The company has begun telling customers that they must change their passwords and has made two-factor authentication mandatory, where previously it was optional.
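The login pattern described above (one source trying reused credentials against many different accounts, most attempts failing) and the password-reset response in the last paragraph, as an added detection example that is not code from the article or from 23andMe. The log format, IP addresses and account names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real 23andMe data). 203.0.113.7 cycles
# through many distinct accounts with mostly failing logins, the signature of
# credential stuffing; 198.51.100.9 is one user who mistypes once, then succeeds.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T10:00:03Z ip=203.0.113.7 user=carol result=OK
2023-10-01T10:00:04Z ip=203.0.113.7 user=dan result=FAIL
2023-10-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-10-01T10:00:06Z ip=203.0.113.7 user=frank result=OK
2023-10-01T10:00:10Z ip=198.51.100.9 user=dan result=FAIL
2023-10-01T10:00:30Z ip=198.51.100.9 user=dan result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_auth_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "OK"

def flag_credential_stuffing(text, min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts", "attempts", "compromised"}} for sources that
    tried many distinct accounts with a low success rate. Per-account lockouts
    miss this because each account sees only one or two attempts; the
    per-source view exposes it, and "compromised" lists the accounts that
    need a forced password reset and MFA enrolment."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "compromised": []})
    for _ts, ip, user, ok in parse_auth_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["compromised"].append(user)
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["compromised"]) / s["attempts"]
        if len(s["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"accounts": len(s["users"]), "attempts": s["attempts"],
                           "compromised": sorted(s["compromised"])}
    return flagged

if __name__ == "__main__":
    for ip, s in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s['accounts']} accounts tried, reset + MFA for {s['compromised']}")
```

In production the grouping key would also include ASN or device fingerprint and a time window, since stuffing tools rotate source IPs.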