On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 people. The company also said that by accessing these accounts, the hackers were also able to access “a significant number of files that contained profile information about the origins of other users.” But 23andMe won’t say how many “other users” were affected by the breach the company first disclosed in early October.
As it turns out, there were a lot of “other users” who fell victim to this data breach: 6.9 million people affected in total.
In an email sent to TechCrunch late Saturday, 23andMe spokeswoman Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who participated in 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, year of birth, relationship tags, percentage of DNA shared with relatives, parentage references and self-reported location.
23andMe also confirmed that another group of about 1.4 million people who participated in DNA Relatives “also had access to their Family Tree profile information,” which includes display names, relationship tags, year of birth, self-reported location, and whether the user decided to share their information, the spokeswoman said. (23andMe declared part of its email “on background,” which requires both parties to agree to the terms in advance. TechCrunch is printing the response because we weren’t given a chance to reject the terms.)
It’s also not known why 23andMe didn’t share those numbers in its disclosure Friday.
With these new numbers, the data breach is now known to affect about half of 23andMe’s total reported 14 million customers.
In early October, a hacker claimed to have stolen the DNA information of 23andMe users in a post on a well-known hacking forum. As evidence of the breach, the hacker released the purported data of one million users of Ashkenazi Jewish descent and 100,000 Chinese users, asking would-be buyers for $1 to $10 for the data per individual account. Two weeks later, the same hacker advertised the alleged files of another four million people on the same hacking forum.
TechCrunch found that another hacker on a separate hacking forum had already advertised a batch of allegedly stolen 23andMe customer data two months before the widely reported ad.
Contact us
Do you have more information about the 23andMe incident? We would love to hear from you. Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email at lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
When we analyzed the leaked data months ago, TechCrunch found that some files matched genetic data posted online by hobbyists and genealogists. The two sets of information were formatted differently, but contained some of the same unique user and genetic data, suggesting that the data leaked by the hacker was at least partially authentic 23andMe customer data.
In revealing the incident in October, 23andMe said the data breach was caused by customers reusing passwords, which allowed hackers to brute-force victims’ accounts using publicly known passwords released in other companies’ data breaches.
Because of the way DNA Relatives matches users with their relatives, by hacking into a single account, hackers were able to see the personal data of both the account owner and their relatives, which swelled the total number of 23andMe victims.
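The two paragraphs above describe the mechanism: credential stuffing (leaked passwords replayed against accounts whose owners reused them), followed by amplification through a data-sharing feature. The script below is an added example of how a defender would spot that first step in authentication logs; it is not 23andMe’s code and the log format, field names and thresholds are assumptions. Credential stuffing looks different from a user fumbling their own password: one client cycles through many different usernames in a short window, most attempts fail because the leaked passwords are stale, and the occasional success marks an account that needs its sessions revoked and, in a feature like DNA Relatives, whose connected profiles were exposed as well.

```python
"""Detect credential-stuffing patterns in a web login log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, not real data.
# Assumed format: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 198.51.100.7 alice FAIL
2023-10-01T10:00:02 198.51.100.7 bob FAIL
2023-10-01T10:00:03 198.51.100.7 carol SUCCESS
2023-10-01T10:00:04 198.51.100.7 dave FAIL
2023-10-01T10:00:05 198.51.100.7 erin FAIL
2023-10-01T10:00:06 198.51.100.7 frank FAIL
2023-10-01T10:00:07 198.51.100.7 grace SUCCESS
2023-10-01T10:00:08 198.51.100.7 heidi FAIL
2023-10-01T10:05:00 203.0.113.9 alice FAIL
2023-10-01T10:05:03 203.0.113.9 alice FAIL
2023-10-01T10:05:09 203.0.113.9 alice SUCCESS
2023-10-01T11:00:00 192.0.2.44 ivan SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
MIN_DISTINCT_USERS = 5           # assumed: one client trying >= 5 different accounts
MIN_FAIL_RATIO = 0.5             # assumed: most replayed passwords no longer work


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    events.sort()
    return events


def detect_credential_stuffing(events, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: finding} for sources whose attempts look like credential stuffing.

    Signature: many *different* usernames from one source inside `window`,
    with a failure rate of at least `min_fail_ratio`. One user retrying their
    own password (a single username) never triggers it.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span is at most `window` wide.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                f = findings.setdefault(ip, {"users": set(), "compromised": set()})
                # Union across overlapping windows so each IP yields one finding.
                f["users"] |= users
                f["compromised"] |= {e[2] for e in span if e[3]}
                f["attempts"] = len(evs)                       # per-IP totals
                f["failures"] = sum(1 for e in evs if not e[3])
    # Deterministic, JSON-friendly report.
    return {
        ip: {
            "distinct_users": len(f["users"]),
            "attempts": f["attempts"],
            "failures": f["failures"],
            "compromised": sorted(f["compromised"]),
        }
        for ip, f in findings.items()
    }


def accounts_to_reset(findings):
    """Accounts that logged in successfully from a stuffing source: revoke their
    sessions and force a password reset; anything shared *from* these accounts
    (relatives' profiles, family trees) must be treated as exposed too."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    report = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in report.items():
        print(f"{ip}: {f['distinct_users']} usernames, "
              f"{f['failures']}/{f['attempts']} failed, successes: {f['compromised']}")
    print("force reset:", accounts_to_reset(report))
```

On the sample log only 198.51.100.7 is flagged (eight usernames, six failures, two successes); 203.0.113.9 is a single user retrying their own password and stays clean. In production the same logic would run per source IP or per ASN, and the "compromised" list is the input to the containment step rather than the end of the analysis.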