A data hack affecting 23andMe users is reportedly far more severe than what representatives first admitted to earlier this year. Although initially reported to affect less than one percent of users, additional datasets assessments confirmed by a company spokesperson over the weekend indicate as many as half of all 23andMe accounts could be involved in the security breach.
Back in October, the popular genetic testing company revealed hackers had gained access to the personal information of a portion of users—such as names, birth years, familial relationships, DNA info, ancestry reports, self-reported locations, and DNA data. 23andMe claims the breach was most likely the result of brute force attacks. In such instances, malicious actors take advantage of a customer’s previously leaked login information, usually repeated passwords and usernames used across multiple internet accounts. 23andMe would not offer concrete numbers for nearly another two months—on December 1, new Securities and Exchange Commission revealed the company estimated only 0.1 percent of users, or roughly 14,000 customers, were directly affected. In the same documents, however, 23andMe also admitted a “significant number” of other users’ ancestry information may have been also tangentially included in the leak.
Over the weekend, TechCrunch speaking with 23andMe officials confirmed the final tally of data breach victims: roughly 6.9 million users, or about half of all accounts.
Those users include an estimated 5.5 million people who previously opted into the service’s DNA Relatives feature, which allows automatic sharing of some personal data between users. In addition to those customers, hackers stole Family Tree profile data from another 1.4 million people who also used the DNA Relatives feature. The increase in victim estimates allegedly stems from the DNA Relatives feature allowing hackers to not only see a compromised user’s information, but the information of all their listed relatives.
[Related: Why government agencies keep getting hacked.]
And while the hacking incidents were first publicly announced in October, evidence suggests the breaches occurred as much as two months earlier. At that time, one user on a popular hacking forum offered over 300 terabytes of alleged 23andMe profile data in exchange for $50 million, or between $1,000 and $5,000 for small portions of the cache.
On a separate hacking forum in October, another user announced their possession of alleged data for 1 million users of Ashkenazi Jewish descent alongside 100,000 Chinese accounts—interested parties could purchase the information for between $1 and $10 an account.
UPDATE 12/7/23 2:06PM: This article has been edited to more accurately reflect certain details of the data breach.