23andMe, the world’s leading consumer DNA harvesting enterprise, announced Friday that hackers stole about 14,000 people’s ancestry information, as well as “a significant number of files” about other users. It turns out the word “significant” is doing a lot of work in that sentence. According to TechCrunch, 23andMe lost data about 6.9 million users, including people’s genetic information.
In case you don’t have a calculator handy, that’s almost 50,000% higher than the number 23andMe first reported.
In an email, a 23andMe spokesperson confirmed that hackers stole data from about 5.5 million users who opted in to the company’s “DNA Relatives” feature, including the person’s name, birth year, relationship labels, the percentage of DNA users shared with relatives, ancestry reports, and location. An additional 1.4 million people who opted in to DNA Relatives also “had their Family Tree profile information accessed.”
The spokesperson said the stolen data may also include ancestry reports and matching DNA segments (specifically where on their chromosomes they and their relatives had matching DNA), ancestor birth locations and family names, profile pictures, and anything users included in the “unveil yourself” section of their profiles.
That means 23andMe lost control of data belonging to about half of its 14 million users, not just the 0.1% it specifically called out in a filing with the Securities and Exchange Commission. The SEC did not immediately respond to a request for comment.
According to the spokesperson, the discrepancy is related to who had their data accessed directly. “Based on our investigation, we have determined that the threat actor was able to access a very small percentage (0.1%) of user accounts (about 14,000),” the spokesperson said. But participating in the DNA Relatives feature lets you see data about other users, too. In other words, the 14,000 breached accounts unlocked information about exponentially more people.
DNA Relatives is just one of many data-sharing features the platform pushed on users when they signed up for a 23andMe account.
The 23andMe spokesperson said the hack was a credential-stuffing attack, meaning the hackers broke into individual accounts with leaked usernames and passwords that people had reused when they signed up for 23andMe. Recycling passwords does mean you’re asking for it, unfortunately, but major online platforms often have security measures in place to impede mass credential stuffing.
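The two mechanisms described above, a credential-stuffing source hitting many accounts and a relative-sharing feature that turns each compromised account into a window onto others, as an added illustration that is not 23andMe's code or data: the log lines, thresholds, and relatives graph are all constructed for the example, and the detection rule (many distinct accounts from one source with a high failure rate) is one simple heuristic a platform can run over its authentication logs.

```python
from collections import defaultdict

# Constructed sample auth log lines (not real 23andMe logs): timestamp, source IP, account, result
LOG_LINES = """\
2023-10-01T10:00:01 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05 203.0.113.7 erin@example.com OK
2023-10-01T10:00:06 203.0.113.7 frank@example.com FAIL
2023-10-01T10:01:00 198.51.100.9 grace@example.com FAIL
2023-10-01T10:01:05 198.51.100.9 grace@example.com OK
"""

# Constructed sharing graph: account -> accounts whose profiles it can view via relative matching
RELATIVES = {
    "carol@example.com": {"x@example.com", "y@example.com"},
    "erin@example.com": {"y@example.com", "z@example.com", "w@example.com"},
}


def parse(lines):
    """Yield (timestamp, ip, account, result) tuples from the whitespace-separated log format."""
    for line in lines.splitlines():
        if line.strip():
            yield tuple(line.split())


def stuffing_sources(lines, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a high failure rate.

    Returns {ip: sorted list of accounts that logged in successfully from that ip},
    i.e. the accounts a defender should treat as compromised and force-reset.
    """
    accounts, attempts, fails, successes = (defaultdict(set), defaultdict(int),
                                            defaultdict(int), defaultdict(set))
    for _, ip, account, result in parse(lines):
        accounts[ip].add(account)
        attempts[ip] += 1
        if result == "OK":
            successes[ip].add(account)
        else:
            fails[ip] += 1
    return {ip: sorted(successes[ip]) for ip in attempts
            if len(accounts[ip]) >= min_accounts and fails[ip] / attempts[ip] >= min_fail_ratio}


def exposed_profiles(compromised, relatives):
    """Profiles readable through compromised accounts: the accounts themselves plus everyone they can see."""
    exposed = set(compromised)
    for acct in compromised:
        exposed |= relatives.get(acct, set())
    return exposed
```

With the constructed data, two successful logins from the flagged source expose six profiles, which is the fan-out the article describes in miniature.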
“Of note, we do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said.
23andMe said it forced all of its users to change their passwords in the weeks following the attack. Sadly, you’ll have a much harder time changing your DNA, which is one of many reasons why you might want to reconsider sharing genetic material with a private company.