23andMe Discloses Startling Data Breach To SEC Impacting 6.9M User Profiles

Popular genetic testing company 23andMe has revealed what is likely the true scope of its October data breach. Whereas the company's filing with the SEC (Securities and Exchange Commission) on Friday cited a far smaller number, the breach is now said to affect 6.9 million individuals worldwide.

On Friday, 23andMe stated that only a small subset of its customers (0.1 percent, or roughly 14,000 users) had their accounts compromised in the breach that occurred two months ago. The SEC disclosure reports that the attackers logged in with passwords that 23andMe customers had reused on other sites that were subsequently breached, a technique known as credential stuffing (that's why you need to use a unique password for each account you have, folks). With access to the hijacked accounts, data such as ancestry and health information could be sold to the highest bidder.
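Credential stuffing has a recognizable signature in authentication logs: one source tries many different accounts once or twice each, and a small fraction of the attempts succeed (the reused passwords). That is different from brute force, which hammers a single account. The detector below is an added example, not code from 23andMe or from the original article; the log format, the sample lines, and the thresholds are all assumptions constructed for illustration.

```python
"""Detect credential-stuffing patterns in authentication log lines.

Added example (not 23andMe's code). The log format, thresholds and
sample entries below are assumptions constructed for illustration.
Assumed line format:
  "<ISO timestamp> ip=<addr> user=<email> result=<ok|fail>"
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Three sources:
#  - 203.0.113.7: a normal user who mistypes once, then logs in
#  - 198.51.100.42: stuffing, 8 distinct accounts tried, 2 hits
#  - 203.0.113.50: brute force against one account (not stuffing)
SAMPLE_LOG = """\
2023-10-01T09:00:00 ip=203.0.113.7 user=alice@example.com result=fail
2023-10-01T09:00:20 ip=203.0.113.7 user=alice@example.com result=ok
2023-10-01T09:01:00 ip=198.51.100.42 user=u1@example.com result=fail
2023-10-01T09:01:05 ip=198.51.100.42 user=u2@example.com result=fail
2023-10-01T09:01:10 ip=198.51.100.42 user=u3@example.com result=ok
2023-10-01T09:01:15 ip=198.51.100.42 user=u4@example.com result=fail
2023-10-01T09:01:20 ip=198.51.100.42 user=u5@example.com result=fail
2023-10-01T09:01:25 ip=198.51.100.42 user=u6@example.com result=fail
2023-10-01T09:01:30 ip=198.51.100.42 user=u7@example.com result=ok
2023-10-01T09:01:35 ip=198.51.100.42 user=u8@example.com result=fail
2023-10-01T09:02:00 ip=203.0.113.50 user=carol@example.com result=fail
2023-10-01T09:02:02 ip=203.0.113.50 user=carol@example.com result=fail
2023-10-01T09:02:04 ip=203.0.113.50 user=carol@example.com result=fail
2023-10-01T09:02:06 ip=203.0.113.50 user=carol@example.com result=fail
2023-10-01T09:02:08 ip=203.0.113.50 user=carol@example.com result=fail
2023-10-01T09:02:10 ip=203.0.113.50 user=carol@example.com result=fail
2023-10-01T09:02:12 ip=203.0.113.50 user=carol@example.com result=fail
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one log line in the assumed key=value format."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    kv = dict(p.split("=", 1) for p in parts[1:])
    return Attempt(ts, kv["ip"], kv["user"], kv["result"] == "ok")


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_attempts=6, min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that look like credential stuffing.

    A source is flagged when, inside the sliding time window, it has made
    at least `min_attempts` logins against at least `min_users` distinct
    accounts with a success rate no higher than `max_success_rate`.
    `compromised` lists the accounts the source logged into successfully,
    i.e. the ones that need a forced password reset and 2FA enrolment.
    """
    recent = defaultdict(deque)  # ip -> attempts within the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        a = parse_line(line)
        q = recent[a.ip]
        q.append(a)
        while q and a.ts - q[0].ts > window:
            q.popleft()
        users = {x.user for x in q}
        successes = sum(1 for x in q if x.ok)
        rate = successes / len(q)
        if (len(q) >= min_attempts and len(users) >= min_users
                and rate <= max_success_rate):
            flagged[a.ip] = {
                "attempts": len(q),
                "distinct_users": len(users),
                "successes": successes,
                "compromised": sorted(x.user for x in q if x.ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Only 198.51.100.42 is flagged: the brute-force source hits one account, so it fails the distinct-user test and belongs to a different rule, and the legitimate user never reaches the attempt threshold. The `compromised` list is the actionable output; those are the accounts whose reused passwords worked and whose sessions should be revoked immediately.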

23andMe test kits

In the SEC document, 23andMe states that the breach also included information from "other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online". In other words, the breach also involves millions of other 23andMe users who use the service to connect with close DNA matches, called DNA Relatives. Through the DNA Relatives profiles visible from the compromised accounts, the hackers were able to access data from 5.5 million users, including uploaded photos, geographic location, birth year, and family tree information.

Moreover, the hackers gained access to the Family Tree information of 1.4 million DNA Relatives users. Data such as display name, account activity, DNA match percentage and relationship to the matching person, geographic location, and birth year were likely compromised.

These numbers are oddly missing from the SEC filing itself, but the company says it is "providing notification to users impacted by the incident as required by applicable law." Customers will be required to reset their existing passwords and set up two-factor authentication. There is no offer of free credit monitoring for affected accounts, so it seems 23andMe does not consider the theft to be any fault of its own.