Genetic testing company 23andMe announced on Friday that hackers accessed around 14,000 customer accounts in the company’s recent data breach.
In a new filing with the U.S. Securities and Exchange Commission published Friday, the company said that, based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base. According to the company’s most recent annual earnings report, 23andMe has “more than 14 million customers worldwide,” which means 0.1% is around 14,000.
But the company also said that by accessing those accounts, the hackers were also able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”
The company did not specify what that “significant number” of files is, nor how many of these “other users” were impacted.
23andMe did not immediately respond to a request for comment, which included questions on those numbers.
In early October, 23andMe disclosed an incident in which hackers had stolen some users’ data using a common technique known as “credential stuffing,” whereby cybercriminals hack into a victim’s account by using a known password, perhaps leaked due to a data breach on another service.
The damage, however, did not stop with the customers who had their accounts accessed. 23andMe allows users to opt into a feature called DNA Relatives. If a user opts-in to that feature, 23andMe shares some of that user’s information with others. That means that by accessing one victim’s account, hackers were also able to see the personal data of people connected to that initial victim.
23andMe said in the filing that for the initial 14,000 users, the stolen data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” For the other subset of users, 23andMe only said that the hackers stole “profile information” and then posted unspecified “certain information” online.
TechCrunch analyzed the published sets of stolen data by comparing it to known public genealogy records, including websites published by hobbyists and genealogists. Although the sets of data were formatted differently, they contained some of the same unique user and genetic information that matched genealogy records published online years earlier.
The owner of one genealogy website, for which some of their relatives’ information was exposed in 23andMe’s data breach, told TechCrunch that they have about 5,000 relatives discovered through 23andMe, and said our “correlations might take that into account.”
News of the data breach surfaced online in October when hackers advertised the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users on a well-known hacking forum. Roughly two weeks later, the same hacker who advertised the initial stolen user data advertised the alleged records of four million more people. The hacker was trying to sell the data of individual victims for $1 to $10.
TechCrunch found that another hacker on a different hacking forum had advertised even more allegedly stolen user data two months before the advertisement that was initially reported by news outlets in October. In that first advertisement, the hacker claimed to have 300 terabytes of stolen 23andMe user data, and asked for $50 million to sell the whole database, or between $1,000 and $10,000 for a subset of the data.
In response to the data breach, on October 10, 23andMe forced users to reset and change their passwords and encouraged them to turn on multi-factor authentication. And on November 6, the company required all users to use two-step verification, according to the new filing.
After the 23andMe breach, other DNA testing companies Ancestry and MyHeritage started mandating two-factor authentication.