Genetic testing company 23andMe has confirmed a significant data breach, compromising the personal information of 6.9 million users. The breach, initially reported in October 2023, was more extensive than previously disclosed, affecting a substantial portion of the company’s customer base.
After further investigation, 23andMe revealed that 5.5 million users who opted into the DNA Relatives feature had their data accessed. This exposed sensitive details such as names, birth years, relationship labels, shared DNA percentages, ancestry reports, and self-reported locations. Additionally, 1.4 million users’ Family Tree profiles were compromised, including display names, birth years, and sharing preferences.
The breach stemmed from customers reusing passwords, which hackers exploited through a brute-force attack. The DNA Relatives feature, designed to connect users with relatives, intensified the breach’s impact: when one account was compromised, the personal data of both the account holder and their relatives was exposed.
23andMe’s initial reluctance to disclose the full extent of the breach has raised questions about its transparency and security measures. The breach came to light when a hacker claimed to have stolen and offered 23andMe users’ DNA information for sale. Subsequent investigations confirmed the authenticity of at least part of the data, aligning with information published by genealogists.
The breach now appears to affect nearly half of 23andMe’s 14 million customers, underscoring the need for enhanced security and the potential repercussions for those affected.