Genetic testing company 23andMe announced Friday that hackers accessed about 14,000 customer accounts in the company’s recent data breach.
In a new filing with the US Securities and Exchange Commission published on Friday, the company said that, based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base. According to the company’s most recent annual earnings report, 23andMe has “more than 14 million customers worldwide,” which means 0.1% is about 14,000.
However, the company also said that by accessing those accounts, the hackers were also able to access “a significant number of files that contained profile information about the ancestry of other users that those users chose to share when selecting the DNA Relatives feature of 23andMe.”
The company did not specify what this “significant number” of files is, nor how many of these “other users” were affected.
23andMe did not immediately respond to a request for comment, which included questions about those numbers.
In early October, 23andMe disclosed an incident in which hackers had stolen some users’ data using a common technique known as “credential stuffing,” where cybercriminals compromise a victim’s account using a known password, typically one leaked in a data breach at another service and reused by the victim.
The damage, however, did not stop at the customers whose accounts the hackers accessed. 23andMe allows users to opt in to a feature called DNA Relatives. If a user chooses this feature, 23andMe shares some of that user’s information with other users who have also opted in. This means that by accessing a victim’s account, hackers could also see the personal data of people connected to that original victim.
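To make the amplification concrete, here is an added example (not 23andMe’s code or data) that computes how many profiles become visible from a set of compromised accounts when a relative-sharing feature exposes each account’s opted-in matches. The user ids, opt-in set and relative links are constructed for illustration, and the model assumes exposure is one hop: a logged-in attacker sees the victim’s relatives, not the relatives’ relatives.

```python
from collections import defaultdict

# Constructed sample population (not real 23andMe data or schema).
USERS = ["u1", "u2", "u3", "u4", "u5", "u6", "u7", "u8"]
# Users who enabled the relative-sharing feature; u4 and u8 did not.
OPTED_IN = {"u1", "u2", "u3", "u5", "u6", "u7"}
# Undirected relative matches surfaced by the service (assumed format).
RELATIVE_LINKS = [
    ("u1", "u2"), ("u1", "u3"), ("u2", "u4"), ("u3", "u5"),
    ("u5", "u6"), ("u6", "u7"), ("u7", "u8"),
]


def build_sharing_graph(links, opted_in):
    """Adjacency of who can see whom.

    A match only shares profile data when BOTH sides opted in, so links
    touching an opted-out user are dropped entirely.
    """
    graph = defaultdict(set)
    for a, b in links:
        if a in opted_in and b in opted_in:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def exposed_profiles(compromised, graph):
    """Users whose shared profile is visible from at least one compromised
    account. One hop only: an attacker inside u1 sees u1's matches, and
    nothing further. Directly compromised accounts are excluded."""
    exposed = set()
    for account in compromised:
        exposed |= graph.get(account, set())
    return exposed - set(compromised)


def blast_radius(compromised, links, opted_in):
    """Summarise direct vs. indirect exposure for an incident."""
    graph = build_sharing_graph(links, opted_in)
    indirect = exposed_profiles(compromised, graph)
    direct = len(set(compromised))
    return {"direct": direct, "indirect": len(indirect),
            "total": direct + len(indirect)}


if __name__ == "__main__":
    # Two stuffed accounts expose four more people via the sharing graph.
    print(blast_radius(["u1", "u6"], RELATIVE_LINKS, OPTED_IN))
```

Opted-out users stay invisible even when they are genetically linked to a compromised account, which is why the one defender-side control a user has here is the sharing opt-in itself.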
23andMe said in the filing that for the original 14,000 users, the stolen data “generally included ancestry information and, for a subset of these accounts, health-related information based on the user’s genetics.” For the other group of users, those exposed through DNA Relatives, 23andMe said only that the hackers stole “profile information” and then posted unspecified “certain information” online.
TechCrunch analyzed the published sets of stolen data by comparing them to known public genealogical records, including websites published by hobbyists and genealogists. Although the datasets were formatted differently, they contained some of the same unique user information and genetic information that matched genealogy records posted online years earlier.
The owner of a genealogy website who had some of their relatives’ information exposed in the 23andMe data breach told TechCrunch that about 5,000 relatives had been discovered through 23andMe and said “our associations may take that into account.”
News of the data breach first appeared online in October, when hackers advertised the alleged data of one million users of Ashkenazi Jewish descent and 100,000 Chinese users on a well-known hacking forum. About two weeks later, the same hacker who advertised the original stolen user data advertised the alleged records of four million more people. The hacker was trying to sell individual victims’ data for $1 to $10 per record.
TechCrunch found that another hacker on a different hacking forum had advertised even more allegedly stolen user data two months before the ad was first reported by news outlets in October. In that earlier ad, the hacker claimed to have 300 terabytes of stolen 23andMe user data and demanded $50 million for the entire database, or between $1,000 and $10,000 for a subset of the data.
In response to the data breach, on October 10, 23andMe forced users to reset their passwords and encouraged them to enable multi-factor authentication. On Nov. 6, the company began requiring all users to use two-step verification, according to the new filing.
After the 23andMe breach, other DNA testing companies, Ancestry and MyHeritage, also began enforcing two-factor authentication.