Genetic testing company 23andMe disclosed a significant data breach, initially stating that 0.1% of its customers, approximately 14,000 individuals, had their personal data compromised. The breach also allowed hackers access to files containing profile information about other users' ancestry. However, the company did not initially provide details about the impact on the broader user base.
In an update reported by techcrunch.com, 23andMe confirmed that about 5.5 million individuals who opted in to the DNA Relatives feature had their personal information accessed by hackers. This includes sensitive details such as names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations. Additionally, another group of approximately 1.4 million users who opted in to DNA Relatives had their Family Tree profile information compromised. This information includes display names, relationship labels, birth years, self-reported locations, and the user's decision to share their information.
The total number of affected individuals, combining both groups, amounts to 6.9 million, raising concerns about the extent of compromised genetic data. The disclosure indicates that roughly half of 23andMe's reported 14 million customers may have been impacted.
The breach was initially attributed to customers reusing passwords, which allowed hackers to brute-force their way into accounts using publicly known passwords from other data breaches (a technique known as credential stuffing). The DNA Relatives feature amplified the impact: hackers who gained access to one individual's account could see the personal data of both the account holder and their relatives.
The company's handling of the disclosure has raised questions, particularly over the delay in providing details about the broader impact on users beyond the initially reported 14,000 individuals.