23andMe confirmed that a recent breach leaked data belonging to 6.9 million users. In an emailed statement to The Verge, company spokesperson Andy Kill says the breach affected around 5.5 million users who had DNA Relatives enabled, a feature that matches users with similar genetic makeups, while an additional 1.4 million people had their family tree profiles accessed.
In a filing with the Securities and Exchange Commission (SEC) and update to its blog post late on December 1st, 23andMe said a threat actor using a credential stuffing attack — logging in with account info obtained in other security breaches, usually due to password reuse — directly accessed 0.1 percent of user accounts, making up around 14,000 users. With access to those accounts, the attackers used the DNA Relatives feature, which matches people with other members they may share ancestry with, to access the additional information from millions of other profiles.
Its Friday statement noted the hacker also accessed “a significant number of files” via the Relatives feature but didn’t include the figure stated above.
Kill tells The Verge, “We still do not have any indication that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.” This statement is at odds with the fact that information from 6.9 million users is now in the hands of attackers. The overwhelming majority of those people are affected because they opted into a feature provided by 23andMe, which failed to prevent the breach by either limiting access to the information or requiring additional account security.
The first public signs of trouble appeared in October when 23andMe confirmed user information was up for sale on the dark web. The genetic testing site later said it was investigating a hacker’s claims that they leaked 4 million genetic profiles from people in Great Britain and “the wealthiest people living in the U.S. and Western Europe.”
The 5.5 million DNA Relatives profiles leaked included users who weren’t a part of the initial credential stuffing attack. The data revealed includes things like display names, predicted relationships with others, the amount of DNA users share with matches, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, and more.
The remaining 1.4 million users who also participated in the DNA Relatives feature had their family tree profiles accessed. This feature similarly includes display names, relationship labels, birth year, and self-reported locations. It doesn’t include the percentage of DNA shared with potential relatives on the site or matching DNA segments.
23andMe says it’s still in the process of notifying users affected by the breach. It has also started warning users to reset their passwords and now requires two-step verification for new and existing users, which previously was optional.