The personal information of 6.9 million individuals who utilized the genetic testing company 23andMe’s services in October was compromised by hackers, a company spokesperson verified to Axios on Monday.

The breach resulted in the public sale of personal information, including self-reported locations, profile photographs, ancestry reports, and portions of DNA data, as reported by TechCrunch, which initially documented the number of affected users.

In conjunction with personal data that may have been pilfered in separate attacks, the compromised data can facilitate identity theft by other hackers, including the fraudulent establishment of credit cards and the acquisition of loans.

READ MORE: Experts Say We Might Not Have Enough Data To Teach AI By 2026

The hackers disclosed an initial sample of one million data points pertaining to users of Ashkenazi Jewish heritage, which comprised various personally identifiable information such as birth years, complete names, and geographical locations, as evidence of the theft.

Reportedly, they also released an additional sample containing data on over 300,000 users of Chinese descent.

READ MORE: First-Party Data Holds The Key To The Future Of Consumer Experience

A spokesperson for 23andMe stated that the organization suspects that a limited number of customers who reused passwords compromised in distinct breaches on other websites allowed hackers access to the data.

The spokesperson stated that initially, fewer than 14,000 23andMe accounts were compromised via a credential-stuffing attack.

However, due to the fact that those accounts were associated with the users’ DNA relatives, the hackers gained access to the private information of a significant number of the organization’s clients.

The 6.9 million individuals constitute nearly half of the organization’s more than 14 million clients across the globe.

READ MORE: Although CTV Ad Targeting Is Becoming More Avanced, Data Quality Is Not

As a consequence of the security compromise, 23andMe implemented a policy mandating that all users reset their passwords. Furthermore, customers are now expected to safeguard their accounts with two-factor authentication, which entails logging in with a password and an additional device.

The organization initially revealed the breach of data in early October.

It disclosed last week that hackers gained access to the personal information of approximately 14,000 users, or 0.1% of the customer base, as well as “a significant number of files containing profile information about other users’ ancestry,” as reported by TechCrunch.

The reason behind 23andMe’s omission of the total number of affected users in its disclosure last week remains unknown.

The spokesperson stated that the organization started advising clients to implement multi-factor authentication on their accounts in 2019, but it was not mandatory until recently.

“We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” according to a spokesperson.
Given the interconnection of personal information across numerous accounts, the rationale behind the company’s decision to not mandate two-factor authentication prior to the breach remains ambiguous.

The spokesperson refrained from specifying whether the organization had foreseen that a subset of users employing inadequate cybersecurity measures could jeopardize the personal information of millions of other users.


Radiant and America Nu, offering to elevate your entertainment game! Movies, TV series, exclusive interviews, music, and more—download now on various devices, including iPhones, Androids, smart TVs, Apple TV, Fire Stick, and more.