23andMe Hack Exposes Sensitive Data for Nearly 7 Million Users

A data breach has left nearly 7 million 23andMe customers’ sensitive information exposed. According to a recent report (via TMZ), the data exposed in the breach include ancestry reports, zip codes, family member information, DNA information, and birth years. The company indicates that around 5.5 million profiles using the company’s DNA Relatives feature which allows users to find genetic relatives were impacted while a subset of family tree information for 1.4 DNA Relatives profiles were also accessed.

The hacker or hackers apparently used a technique called “credential stuffing” in which they reused old usernames and passwords from other websites to break into the 23andMe accounts. DNA Relatives user accounts were then targeted as that program reportedly loosens a user’s privacy restrictions.

“23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law,” a statement posted to the company’s website read. “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers.”

The nearly 7 million impacted user number is an updated number. Last Friday, a filing from 23andMe to the Securities and Exchange Commission had previously indicated that only about 0.1 percent of their accounts — approximately 14,000 — had been breached.

What Is 23andMe?

23andMe is a biotechnology company based in San Francisco, California that analyzes, compiles user-submitted DNA to generate reports about the customer’s ancestry and genetic predispositions to health conditions. Per the company’s website, “We’re not just a genetics company. We’re not just a health company; we’re not just ancestry; we’re all of these things. We want to tell you about you.”

What Is 23andMe Doing About the Breach?

According to The Verge, 23andMe is still in the process of notifying users who have been impacted by the breach. The company is also alerting users to reset passwords and has begun to require two-step verification for both new and existing users. That feature was previously optional.