Hackers stole personal data belonging to 6.9 million people who used services from the genetic testing company 23andMe in October, a company spokesperson confirmed to Axios on Monday.
The personal data, including ancestry reports, some DNA data, birthdates, self-reported location and profile pictures, went up for sale on a popular hacking forum following the breach, according to TechCrunch, which first reported the number of users affected.
The compromised information, combined with personal information potentially stolen through separate attacks, can help other hackers commit forms of identity theft, like fraudulently opening credit cards or taking out loans.
As proof that they stole the personal data, hackers published an initial sample of 1 million data points about users with Ashkenazi Jewish heritage, including people’s full names, birth years, location information and more.
They also reportedly published a separate sample with information about more than 300,000 users with Chinese heritage.
A 23andMe spokesperson said the company believes hackers were able to gain access to the data through a small number of customers reusing passwords that were compromised through separate breaches on other websites.
- Initially, fewer than 14,000 23andMe accounts were compromised through a credential-stuffing attack, the spokesperson said.
- However, because those accounts were linked to the user’s DNA relatives, the hackers were able to access the personal data of a large portion of the company’s customers.
- The 6.9 million people represent almost half of the company’s over 14 million customers worldwide.
- In response to the breach, 23andMe required all users to reset their passwords and will now require customers to protect their accounts with two-factor authentication, a security measure requiring users to sign in using both a password and another device.
The company first disclosed the data leak in early October.
Last week, it said hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals and “a significant number of files containing profile information about other users’ ancestry,” according to TechCrunch. It’s unclear why 23andMe did not share the total number of affected users in last week’s disclosure.
The spokesperson said the company began encouraging customers to protect their accounts with a multi-factor authentication system in 2019, but never required them to until recently.
“We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said.
Considering how personal data is linked between multiple accounts, it’s unclear why the company did not require two-factor authentication protection before the breach.
The spokesperson did not say whether the company ever anticipated that a subset of users with poor cybersecurity practices could put millions of other users’ personal data at risk.