Yikes. It turns out 6.9 million 23andMe users had their data exposed to a hacker, far more than the 14,000 the company initially reported.
23andMe provided the full scope after a company stock exchange filing seemed to downplay the October incident by saying the hacker only stole usernames and password combinations from 0.1% of its total user base.
But in a statement, the DNA testing kit provider said the hacker actually accessed millions of additional user profiles. The reason: the 14,000 breached accounts provided access to other profiles by tapping an optional feature that lets you find and connect to your "DNA Relatives."
This allowed the hacker to access about 5.5 million profiles via the DNA Relatives feature, which can reveal a person’s full name, the percentage of DNA shared, ancestry reports, matching DNA segments, the user’s self-reported city/ZIP code, and birth year, among other details.
In addition, the hacker was able to access the “Family Tree” profile information to another 1.4 million users who also opted into the DNA Relatives feature. A Family Tree profile could include the user’s name, birth year, and self-reported location, if it's filled out.
“We are in the process of notifying affected customers, and have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” 23andMe’s spokesperson said.
The incident came to light after a hacker tried to sell and leak the stolen information of 7 million users on an underground forum. Following the initial investigation, 23andMe found no direct breach of the company’s systems; rather, the hacker appeared to have looted the information by using stolen passwords to break into a small subset of profiles. 23andMe’s DNA Relatives feature then allowed the hacker to scrape information from numerous additional profiles.
It’s unclear why 23andMe didn’t mention the full scope of the incident in last Friday’s stock exchange filing. A spokesperson only suggested the 14,000 breached user account figure in the stock exchange filing is different than the 6.9 million users who had their data scraped.