What many may not realize is, that if a relative sent in their DNA sample, yours was compromised as well.
23andMe confirms hackers stole ancestry data on 6.9 million users.
On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early October.
As it turns out, there were a lot of “other users” who were victims of this data breach: 6.9 million affected individuals in total.
In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
23andMe also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information, the spokesperson said. (23andMe declared part of its email as “on background,” which requires that both parties agree to the terms in advance. TechCrunch is printing the reply as we were given no opportunity to reject the terms.)
It is also not known why 23andMe did not share these numbers in its disclosure on Friday.
Considering the new numbers, in reality, the data breach is known to affect roughly half of 23andMe’s total reported 14 million customers.
In early October, a hacker claimed to have stolen the DNA information of 23andMe users in a post on a well-known hacking forum. As proof of the breach, the hacker published the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users, asking would-be buyers for $1 to $10 for the data per individual account. Two weeks later, the same hacker advertised the alleged records of another four million people on the same hacking forum.
CONTACT US
Do you have more information about the 23andMe incident? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.
When we analyzed the months-old leaked data, TechCrunch found that some records matched genetic data published online by hobbyists and genealogists. The two sets of information were formatted differently, but contained some of the same unique user and generic data, suggesting the data leaked by the hacker was at least in part authentic 23andMe customer data.
In disclosing the incident in October, 23andMe said the data breach was caused by customers reusing passwords, which allowed hackers to brute-force the victims’ accounts by using publicly known passwords released in other companies’ data breaches.