Genetic testing company 23andMe confirmed that the personal data of 6.9 million people has been stolen by hackers.
The company initially reported in October that the hackers were able to access sensitive data through compromised passwords reused by a small number of users. The stolen data went up for sale on a hacking forum.
The stolen information includes DNA data, birthdates, self-reported location and profile pictures. A spokesperson for 23andMe had originally told the media that 14,000 accounts were initially compromised but hackers were able to gather some information from more users who were linked as DNA relatives to the initially jeopardized accounts.
Worldwide, roughly 14 million people use 23andMe. The company required all users to reset their passwords and to use two-factor authentication moving forward.
TechCrunch was the first outlet to report the actual total number of impacted users – far greater than the 0.1% of customers 23andMe had said were impacted by the security breach. A spokesperson confirmed to the publication on Dec. 4 that “about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others."
“It is also not known why 23andMe did not share these numbers in its disclosure on [Dec. 1],” reported TechCrunch.
“The compromised information, combined with personal information potentially stolen through separate attacks, can help other hackers commit forms of identity theft, like fraudulently opening credit cards or taking out loans,” reports Axios. “As proof that they stole the personal data, hackers published an initial sample of 1 million data points about users with Ashkenazi Jewish heritage, including people's full names, birth years, location information and more.”
The hackers also released the private information of at least 100,000 Chinese users and set a purchase price between $1 to $10 per account.
After the tech company first reported that users’ data had been compromised, it announced it had opened an investigation into the site’s weaknesses.
“23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law,” the company said in an updated statement on Dec. 1. “We have taken steps to further protect customer data... The company will continue to invest in protecting our systems and data.”
23andMe was founded in 2006 by Anne Wojcicki, the sister of former YouTube CEO Susan Wojcicki and the ex-wife of Google co-founder Sergey Brin. The company went public in 2021 after merging with Richard Branson’s VG Acquisition Corp. and was valued at $3.5 billion.
