23andMe confirms hackers stole ancestry data of 6.9 million users
Last month, we covered the story of 23andMe after hackers leaked 4 million more of its user records, including records of the “wealthiest people living in the US and Western Europe.” As we reported back then, 23andMe confirmed the incident but denied that its systems had been breached.
Three weeks on, a 23andMe spokesperson confirmed over the weekend that hackers did indeed steal the ancestry data of 6.9 million of its users, according to TechCrunch, which first reported the figure.
According to the report, 23andMe revealed on Friday that attackers had accessed the accounts of around 0.1% of its customers, roughly 14,000 individuals. The company also disclosed that, through those compromised accounts, the attackers reached a significant number of files containing ancestry profile information belonging to other users who had not themselves been compromised. However, 23andMe did not say how many of these other users were affected by the incident, which was first made public in early October, TechCrunch reported.
As TechCrunch later learned, it turns out that a substantial number of “other users” fell victim to this data breach – a total of 6.9 million individuals were affected.
In an email sent to TechCrunch on Saturday, 23andMe spokesperson Katie Watson confirmed that the attackers had accessed the personal information of approximately 5.5 million individuals who had opted into the DNA Relatives feature. This feature lets customers automatically share certain data with other customers whom 23andMe identifies as genetic relatives, which is why a single compromised account could expose data on many people whose own credentials were never compromised. The data accessed included the individual’s name, birth year, relationship labels, percentage of DNA shared with relatives, ancestry reports, and self-reported location.
Additionally, 23andMe acknowledged that another group of roughly 1.4 million people who opted into DNA Relatives had their Family Tree profile information accessed. This information encompasses display names, relationship labels, birth year, self-reported location, and the user’s decision on whether to share their information. The spokesperson noted that part of the email was marked as “on background,” a condition that requires agreement from both parties in advance. TechCrunch is presenting the response as received, as there was no opportunity to decline the terms.
It is not known why 23andMe left these specific numbers out of its initial disclosure on Friday. With the updated figures, the incident has affected roughly half of 23andMe’s reported customer base of 14 million.
The story began in early October with multiple reports that the DNA data of over 7 million 23andMe users had been stolen. As we reported at the time, the leaked data was largely that of users with Ashkenazi Jewish ancestry and included names, profile photos, genetic ancestry results, date of birth, and geographical location.
23andMe confirmed the incident but denied that its own systems had been breached. Instead, the consumer genetics company said the attackers had logged in with customer credentials that were reused from other services and exposed in earlier, unrelated breaches (credential stuffing), and had then used the opt-in DNA Relatives feature to harvest data on the relatives of each compromised account. 23andMe also said it has reported the incident to law enforcement and is asking all customers to change their passwords and enable two-factor authentication. Those measures block further logins, but they do not recover the data already pulled from the accounts of users who never reused a password.
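The pattern 23andMe describes has two detectable stages: a spray of logins across many accounts from one source, then a compromised session pulling far more relative profiles than a person would browse. The following is an added example written for this page, not code from 23andMe or from the original article; it runs two heuristic detectors over constructed log lines (the format, IPs, account names and thresholds are all illustrative assumptions) and correlates them, so that an account both logged into during a spray and then used for bulk harvesting is reported with the highest confidence.

```python
"""Detectors for credential stuffing followed by bulk harvesting through a sharing feature.
All log lines are constructed for this example (not real 23andMe data); the log format and
thresholds are illustrative assumptions, not values from any real product."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed events: <ts> <kind> <src_ip> <account> <detail>, where <detail> is the
    login result (ok/fail) or the id of the relative profile viewed."""
    t0 = datetime(2023, 10, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Stage 1: one IP sprays six accounts, one attempt each; two reused passwords work.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        result = "ok" if user in ("bob", "erin") else "fail"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} login 198.51.100.7 {user}@example.com {result}")
    # Stage 2: the compromised bob session pulls 60 distinct relative profiles in ~2 minutes.
    for i in range(60):
        ts = t0 + timedelta(seconds=10 + 2 * i)
        lines.append(f"{ts.isoformat()} relative_view 198.51.100.7 bob@example.com rel-{i:04d}")
    # Benign noise: grace mistypes once, logs in, and looks at three relatives.
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} login 203.0.113.5 grace@example.com fail")
    lines.append(f"{(t0 + timedelta(minutes=1, seconds=5)).isoformat()} login 203.0.113.5 grace@example.com ok")
    for i in range(3):
        ts = t0 + timedelta(minutes=1, seconds=10 + i)
        lines.append(f"{ts.isoformat()} relative_view 203.0.113.5 grace@example.com rel-{100 + i:04d}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, ip, account, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "ip": ip, "account": account, "detail": detail})
    return events


def _windows(events, window):
    """Yield the trailing time window of events ending at each event, in time order."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        yield events[start:end + 1]


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag IPs that try many distinct accounts with very few attempts each inside one window.
    That spray shape separates stuffing (one leaked password per account) from brute force
    (many passwords against one account). Returns {ip: {"accounts_tried", "compromised"}}."""
    logins_by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "login":
            logins_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in logins_by_ip.items():
        for win in _windows(evs, window):
            attempts = Counter(e["account"] for e in win)
            if len(attempts) < min_accounts or max(attempts.values()) > max_per_account:
                continue
            if len(attempts) > flagged.get(ip, {}).get("accounts_tried", 0):
                flagged[ip] = {
                    "accounts_tried": len(attempts),
                    "compromised": sorted({e["account"] for e in win if e["detail"] == "ok"}),
                }
    return flagged


def detect_relative_scraping(events, window=timedelta(minutes=10), max_profiles=50):
    """Flag accounts viewing more than max_profiles distinct relative profiles in one window.
    A person browsing matches opens a few; a harvester walks the whole list.
    Returns {account: peak distinct profiles seen in a window}."""
    views_by_account = defaultdict(list)
    for e in events:
        if e["kind"] == "relative_view":
            views_by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in views_by_account.items():
        for win in _windows(evs, window):
            distinct = len({e["detail"] for e in win})
            if distinct > max_profiles:
                flagged[account] = max(distinct, flagged.get(account, 0))
    return flagged


def correlate(events):
    """Join both detectors; an account logged into during a spray and then used to harvest
    relatives is the highest-confidence signal, since either stage alone can be noise."""
    stuffing = detect_credential_stuffing(events)
    scraping = detect_relative_scraping(events)
    compromised = {a for hit in stuffing.values() for a in hit["compromised"]}
    return {"stuffing_ips": sorted(stuffing),
            "scraping_accounts": sorted(scraping),
            "high_confidence": sorted(compromised & set(scraping))}


if __name__ == "__main__":
    print(correlate(parse_log(build_sample_log())))
```

The per-account cap in `detect_credential_stuffing` is what keeps it from firing on ordinary lockout-style brute force, and the scraping detector counts distinct profile ids rather than raw requests so that a user refreshing one page is not confused with enumeration. In a real deployment the source-IP key would need to be widened to an ASN or device fingerprint, since stuffing tools rotate through residential proxies.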
Meanwhile, Reuters reported that the hackers advertised millions of “pieces of data” stolen from 23andMe, citing posts on an online forum where stolen data is commonly offered for sale. The hackers are attempting to sell the data at prices ranging from $1 to $10 per account, depending on the quantity purchased.
23andMe is a human genome research company enabling users to study their ancestry, genealogy, and inherited traits. It was founded in 2006 by Linda Avey, Paul Cusenza, and Anne Wojcicki to provide genetic testing and interpretation to individual consumers. In 2007, Google invested US$3,900,000 in the company, along with Genentech, New Enterprise Associates, and Mohr Davidow Ventures. Wojcicki was married to Google co-founder Sergey Brin at the time.