DNA Ancestry Site 23andMe Cyberattack Impacts 6.9M Users

A cyberattack that targeted the DNA ancestry site 23andMe has been found to have impacted millions of additional people to the 14,000 initially announced.

In SEC filings, 23andMe said hackers accessed the personal data of 0.1% of its 14 million customers on Oct. 1, amounting to 14,000 individuals, in instances where “usernames and passwords…on the 23andMe website were the same as those used on other websites that had been previously compromised.” 

It has now been discovered that the hackers were able to use the data to access information for a total of 6.9 million users.

In the filing, submitted Oct. 10, the company said the hackers were able to access “ancestry information, and…health-related information based upon the user’s genetics.” 

“The threat actor also accessed a significant number of files containing profile information about other users’ ancestry,” the statement continued. “We are working to remove this information from the public domain. 

“As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.”

However, a company spokesperson said using data from the original breach, the threat actor was then able to access around 5.5 million users who had DNA Relatives enabled, a feature that allows data sharing between users. 

Related:MGM Attack Drives Cybersecurity to Top of Mind

An additional 1.4 million people also had their family tree profiles accessed, meaning each account provides links to their relatives connected on the app.

The company has stressed that the breach did not come from its systems.

“We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said.  

In response, the company has requested all customers reset their passwords and established a two-step verification process for all new and existing customers. 

An updated statement on the company’s website noted the hacker accessed “a significant number of files” via the Relatives feature but didn’t include exact figures.

In its SEC filing, the company said it expects to see between $1 million and $2 million in “one-time expenses,” including technology consulting services, legal fees and expenses of other third-party advisors due to the attack.