By Rebecca Carballo
Hackers, using passwords that customers of the genetic testing company 23andMe had reused from other sites, were able to gain access to personal information from about 6.9 million profiles, which in some cases included ancestry trees, birth years and geographic locations, the company said Monday.
In October, a hacker posted a claim online that they had 23andMe users’ profile information, the company wrote in a Securities and Exchange Commission disclosure Friday.
“We have not learned of any reports of inappropriate use of the data after the leak,” a 23andMe spokesperson said Monday.
The hackers, reusing passwords that 23andMe customers had also used on other sites that had previously been compromised, a technique known as credential stuffing, were initially able to break into about 14,000 accounts, or 0.1% of 23andMe's users, the company said in the SEC disclosure.
The hackers would be able to access anything available on those 14,000 profiles, including health and ancestry information, the company spokesperson said.
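The attack pattern described above, many different accounts tried from one source in a short burst with only a small fraction succeeding, is what a detection engineer looks for in authentication logs. The following is an added example, not code from the article or from 23andMe: the log format, IP addresses, usernames, timestamps and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample auth-log lines in a hypothetical "timestamp ip username result" format.
# 203.0.113.5 cycles through many distinct accounts in seconds with two successes
# (the credential-stuffing signature); 198.51.100.7 is one user mistyping a password.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice FAIL
2023-10-01T10:00:02Z 203.0.113.5 bob FAIL
2023-10-01T10:00:03Z 203.0.113.5 carol OK
2023-10-01T10:00:04Z 203.0.113.5 dave FAIL
2023-10-01T10:00:05Z 203.0.113.5 erin FAIL
2023-10-01T10:00:06Z 203.0.113.5 frank FAIL
2023-10-01T10:00:07Z 203.0.113.5 grace OK
2023-10-01T10:00:08Z 203.0.113.5 heidi FAIL
2023-10-01T10:05:00Z 198.51.100.7 ivan FAIL
2023-10-01T10:05:10Z 198.51.100.7 ivan FAIL
2023-10-01T10:05:20Z 198.51.100.7 ivan OK
2023-10-01T11:30:00Z 192.0.2.9 judy OK
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try at least `min_accounts` distinct usernames within
    `window` while succeeding on at most `max_success_rate` of those attempts.

    Returns {ip: {"attempts": n, "distinct_accounts": n, "compromised": set}} where
    "compromised" holds accounts that logged in successfully from a flagged source.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for when, ip, user, ok in events:
        by_ip[ip].append((when, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        recent = deque()               # attempts inside the sliding window
        user_counts = defaultdict(int)  # username -> attempts in window
        successes = 0
        for when, user, ok in attempts:
            recent.append((when, user, ok))
            user_counts[user] += 1
            successes += int(ok)
            # Expire attempts older than the window.
            while recent and when - recent[0][0] > window:
                old_when, old_user, old_ok = recent.popleft()
                user_counts[old_user] -= 1
                if user_counts[old_user] == 0:
                    del user_counts[old_user]
                successes -= int(old_ok)
            distinct = len(user_counts)
            rate = successes / len(recent)
            if distinct >= min_accounts and rate <= max_success_rate:
                f = findings.setdefault(
                    ip, {"attempts": 0, "distinct_accounts": 0, "compromised": set()})
                f["attempts"] = max(f["attempts"], len(recent))
                f["distinct_accounts"] = max(f["distinct_accounts"], distinct)
                f["compromised"].update(u for _, u, o in recent if o)
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, f["distinct_accounts"], "accounts tried,",
              "compromised:", sorted(f["compromised"]))
```

The per-source heuristic is deliberately simple: a stuffing campaign spread across a large proxy pool keeps each IP under the threshold, so production detection also watches the global ratio of failed logins to distinct accounts, ASN and device fingerprint reuse, and breached-credential lists. The "compromised" set is the list of accounts to force through a password reset and two-step verification enrollment.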
The breach also opened the door to millions of other customers' profiles, about half of all 23andMe customers, who had opted in to a feature that connects users with close DNA matches, she said. That feature, called DNA Relatives, lets users share selected information with others on 23andMe who might be a close DNA match.
The hackers gained access to information from 5.5 million DNA Relatives profiles, which includes a display name, how recently the user logged into their account, the percentage of DNA shared with the match and the predicted relationship with that person, according to a 23andMe statement. It may also include self-reported information such as geographic location, birth year, family tree and any photos the user uploaded.
Also, hackers were able to access the Family Tree profile information of about 1.4 million other customers participating in the DNA Relatives feature, including display names and relationship labels. Information may also include birth year and geographic location if the user chose to share that data, the company said.
23andMe is in the process of notifying all affected customers, as required by law. There is no timeline for when everyone will be notified, the spokesperson said.
The company is requiring all customers to change their existing password and set up two-step verification, according to a statement on 23andMe’s website.
The breach came as no surprise to Ramesh Srinivasan, a professor in UCLA's department of information studies, who said such episodes are becoming increasingly common. Information can always be stolen once it is handed to a third party, he said.
“Should we be providing data that is so personal and so intimate to an organization that, largely speaking, only has a strong allegiance to their investors and their boards?” he said.