Genetic testing company 23andMe on Monday confirmed that nearly 7 million people have been affected by a security breach that took place in early October.
A spokesperson for the company said hackers accessed the personal information of people who had enrolled in the company’s DNA Relatives feature, which allows customers to automatically share a portion of their data with other users who may be distantly related.
The information in the hackers’ hands included the person’s name, self-reported ZIP code, birth year, family member names and relationship labels, among other information.
The spokesperson said the hackers initially gained access to about 0.1% of 23andMe customers’ accounts through reused passwords, a hacking tactic known as credential stuffing. They then looked for users who had enrolled in the DNA Relatives program and, through those accounts, managed to see the profile information of about 6.9 million DNA Relatives users, nearly half of the roughly 14 million people who have opted into the program.
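The two-stage pattern described above (a small set of accounts taken over by credential stuffing, then a much larger set of third-party profiles scraped through a sharing feature) is what a defender would want to catch in logs. The following is an added detection sketch, not 23andMe’s code; the log events are constructed, and the thresholds and field layout are assumptions.

```python
from collections import defaultdict

# Constructed sample login events (not real 23andMe logs): (source_ip, user, outcome).
# One source tries many different accounts with mostly failures: the credential-stuffing shape.
LOGIN_EVENTS = [
    ("203.0.113.7", "alice", "fail"), ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"), ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"), ("203.0.113.7", "frank", "success"),
    ("198.51.100.2", "alice", "fail"), ("198.51.100.2", "alice", "success"),
]

# Constructed sample relative-profile views: (viewing_user, relative_profile_id).
# A taken-over account ("carol") fans out over far more relatives than a normal user.
VIEW_EVENTS = [("carol", f"rel{i}") for i in range(1500)] + [("alice", "rel1"), ("alice", "rel2")]


def credential_stuffing_sources(events, min_users=5, min_fail_rate=0.5):
    """Return source IPs that tried many distinct accounts with a high failure rate."""
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, outcome in events:
        users[ip].add(user)
        attempts[ip] += 1
        if outcome == "fail":
            failures[ip] += 1
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users
                  and failures[ip] / attempts[ip] >= min_fail_rate)


def excessive_relative_views(events, max_profiles=500):
    """Return accounts that viewed more distinct relative profiles than the ceiling allows."""
    seen = defaultdict(set)
    for user, profile_id in events:
        seen[user].add(profile_id)
    return sorted(user for user, profiles in seen.items() if len(profiles) > max_profiles)


def amplification_factor(compromised_accounts, scraped_profiles):
    """Third-party profiles exposed per compromised account (page figures: ~14,000 -> ~6.9M)."""
    return scraped_profiles / compromised_accounts


if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(LOGIN_EVENTS))
    print("scraping accounts:", excessive_relative_views(VIEW_EVENTS))
    print("amplification: %.0fx" % amplification_factor(14_000, 6_900_000))
```

The second check is the one specific to this incident: a per-account ceiling on distinct relative profiles viewed per window limits how far one reused password can reach, regardless of whether the login itself looked suspicious.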
The statement comes after the company said last week that hackers accessed 14,000 customer accounts, or 0.1% of customers, in the October data breach. 23andMe added that the threat actors also gained access to “a significant number of files containing profile information about other users’ ancestry” but didn’t reveal the number until this week.
News of the data breach first surfaced online in October, when hackers claimed on the well-known hacking forum BreachForums that they had stolen the data of 1 million users of Jewish Ashkenazi descent and 100,000 Chinese users. The threat actor who claimed to have obtained this data later started offering the information for between $1 and $10 per account, with a lower price for buyers willing to buy in bulk.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” 23andMe said at the time. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”