23andMe says hackers accessed "a significant number of files containing profile information about other users’ ancestry" in a recent data breach.
In a filing with the US Securities and Exchange Commission published Friday, the DNA testing kit provider says hackers accessed around 14,000 customer accounts, accounting for 0.1% of its total customer base, TechCrunch reports.
23andMe initially disclosed the hack in early October. At the time, a user in a hacker forum allegedly published records for 4 million 23andMe users, and a separate user in the same forum claimed to have stolen data from 7 million users on the site.
The accounts were accessed through a technique called “credential stuffing.” Essentially cybercriminals get a list of email addresses and passwords from a different website's breach and then attempt to use them on the site. (A reminder to use a different password for every site to avoid finding yourself in a similar situation.)
Beyond the initially hacked accounts, 23andMe’s hack also impacted users who used the company’s DNA Relatives feature. Users who opted into the feature allow some of their personal information to be shared with others to whom they’re connected. In this case, if one of your relatives is a victim of the hack, the hacker could potentially see your information as well, presuming you opted into the feature.
23andMe currently has more than 14 million customers worldwide. As a result of the data breach, the company required its users to reset and change their passwords, and last month the company also required users to start using two-factor authentication.