Data from nearly 7 million 23andMe users has been compromised in a recent data breach, impacting almost half of the platform’s total user base.
The popular DNA testing company, known for helping users explore their genetic heritage and connect with relatives, faced scrutiny in October when hackers targeted individuals with Ashkenazi Jewish and Chinese ancestry. Although initially avoiding the term “data breach,” 23andMe conducted an investigation to safeguard user information.
Now, the company confirms that hackers have successfully accessed data from almost half of its 14 million users, exposing a wide range of personal information. Two main groups of users were affected, totaling 5.5 million and 1.4 million individuals, respectively.
The first group opted into 23andMe’s DNA Relatives feature, while the second group included those who not only chose the DNA Relatives feature but also had their Family Tree profile information compromised.
The DNA Relatives feature, designed to facilitate connections between relatives, exposes highly sensitive personal details such as self-reported location, names, birth years, relationship labels, ancestry reports, and the percentage of DNA shared with relatives.
With this breach, all this information, also accessible in the Family Tree, is no longer secure within the 23andMe system. The breach occurred due to weak or non-unique passwords, a vulnerability exploited by hackers who employed passwords from previous breaches.
Users opting for the Relatives feature typically had lighter security measures, making it easier for hackers to access their accounts and pilfer personal information. Once one user’s account was breached, hackers could easily extend their reach to the user’s relatives, expanding the scope of data theft.
In response to the incident, 23andMe has concluded its investigation and will notify affected users. The company is instituting mandatory two-step verification for all users, new and existing, to bolster security. Additionally, customers are required to change their passwords to ensure the confidentiality of their information.