Genetic testing company 23andMe announced Friday that hackers gained access to about 14,000 customer accounts in a recent company data breach.
In a new filing with the US Securities and Exchange Commission published on Friday, the company said that, based on its investigation into the incident, the hackers had access to 0.1% of its customer base. According to the company’s latest annual earnings report, 23andMe has “more than 14 million customers worldwide,” which means that 0.1% is about 14,000.
But the company also said that by gaining access to those accounts, the hackers also gained access to “a large number of files containing profile information about other users’ assets that those users chose to share when they signed up for 23andMe’s DNA Relatives feature.”
The company did not specify what this “large number” of files was, nor how many of these “other users” were affected.
23andMe did not immediately respond to a request for comment, which included questions about those numbers.
In early October, 23andMe revealed an incident in which hackers stole some users’ data using a common technique known as “credential stuffing,” in which cybercriminals compromise a victim’s account using a known password, possibly leaked in a data breach at another service.
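A defender-side way to spot the credential-stuffing pattern described above in authentication logs, as an added example that is not from the article or from 23andMe; the log format, the thresholds and the sample events are all constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real 23andMe logs). Assumed format:
# "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.5 alice@example.com FAIL
2023-10-01T10:00:02 203.0.113.5 bob@example.com FAIL
2023-10-01T10:00:03 203.0.113.5 carol@example.com SUCCESS
2023-10-01T10:00:04 203.0.113.5 dave@example.com FAIL
2023-10-01T10:00:05 203.0.113.5 erin@example.com FAIL
2023-10-01T10:00:06 203.0.113.5 frank@example.com SUCCESS
2023-10-01T10:00:07 203.0.113.5 grace@example.com FAIL
2023-10-01T10:00:08 203.0.113.5 heidi@example.com FAIL
2023-10-01T10:05:00 198.51.100.7 alice@example.com FAIL
2023-10-01T10:05:30 198.51.100.7 alice@example.com SUCCESS
"""

def parse_events(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, max_success_rate=0.5):
    """Flag sources that try many *distinct* accounts in a short window with a
    low success rate: a replayed password list, not one user mistyping a
    password. Returns {ip: summary}, summary covering the widest window seen."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):          # sliding time window per source
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = [u for _, u, ok in chunk if ok]
            rate = len(successes) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                                   "successes": len(successes),
                                   "compromised": sorted(successes)}
    return flagged
```

The `compromised` list is the set of accounts where a replayed password actually worked, which is the population that needs a forced reset and MFA enrolment rather than just the failed attempts.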
But the damage did not stop with the customers whose accounts were accessed. 23andMe allows users to subscribe to a feature called DNA relatives. If a user opts in to this feature, 23andMe will share some of that user’s information with others. This means that by gaining access to a victim’s account, hackers were also able to see the personal data of people associated with that initial victim.
For the first 14,000 users, the stolen data “generally included ancestry information and, for a subset of those accounts, health-related information based on the user’s genes,” 23andMe said in the filing. As for the other subset of users, 23andMe said only that the hackers stole “profile information” and then posted unspecified “certain information” online.
TechCrunch analyzed published sets of stolen data by comparing them to known public genealogy records, including websites published by hobbyists and genealogists. Although the datasets are formatted differently, they contain some of the same unique user information and genetic information that matches genealogy records published online years ago.
The owner of a genealogy website, some of whose relatives’ information was exposed through the 23andMe data breach, told TechCrunch that they have about 5,000 relatives who were exposed through 23andMe, and said that “our relationships may take that into account.”
News of the data breach appeared online in October, when hackers made public the alleged data of 1 million users of Ashkenazi Jewish origin and 100,000 Chinese users on a well-known hacking forum. Nearly two weeks later, the same hacker who announced the initial stolen user data released the purported records of an additional four million people. The hacker was trying to sell individual victims’ data for $1 to $10.
TechCrunch found that another hacker on a different hacking forum had announced more allegedly stolen user data two months before the announcement initially reported by media outlets in October. In this first ad, the hacker claimed to have 300 terabytes of stolen 23andMe user data, and asked for $50 million to sell the entire database, or between $1,000 and $10,000 for a subset of the data.
In response to the data breach, on October 10, 23andMe forced users to reset and change their passwords and encouraged them to turn on multi-factor authentication. On November 6, the company required all users to use two-step verification, according to the new filing.
After the 23andMe hack, other DNA testing companies Ancestry and MyHeritage began enforcing two-factor authentication.