It’s now been confirmed that an additional 6.9 million 23andMe users had ancestry data stolen after hackers accessed thousands of accounts, likely by reusing previously leaked passwords.
23andMe previously disclosed in a Securities and Exchange Commission filing that 0.1 percent of users—approximately 14,000, TechCrunch estimated—had accounts accessed by hackers using compromised passwords.
After the cyberattack was reported, Wired estimated that “at least a million data points from 23andMe accounts” that were “exclusively about Ashkenazi Jews” and data points from “hundreds of thousands of users of Chinese descent” seemed to be exposed. But beyond those estimates, for two months, all the public knew was that 23andMe’s filing noted that “a significant number of files containing profile information about other users’ ancestry” were also accessed.
TechCrunch pushed 23andMe to verify exactly how many “other users” were impacted, prompting a spokesperson to confirm that two groups of users who opted into the DNA Relatives feature had their personal data stolen.
23andMe describes the DNA Relatives feature as “one of the most interactive features” offered on the site, “allowing you to find and connect with genetic relatives and learn more about your family.” By opting in, users hope to find lost family members by willingly giving others access to information like their birth year, current location, and ancestors’ names and birth locations. Users can opt out at any time, but if they do, it makes it harder to detect relatives “on any branch of your family tree,” the website says.
The largest group, spanning about 5.5 million users, was hacked after opting into automatically sharing information with DNA Relatives, including their “name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location,” TechCrunch reported. The smaller group, about 1.4 million users, shared “Family Tree profile information” that was hacked, including display names, relationship labels, birth year, and self-reported location, TechCrunch reported.
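The two behaviours the article describes, replaying leaked passwords against thousands of accounts and then bulk-collecting DNA Relatives data through the accounts that fell, leave distinct traces in authentication and feature-access logs. The following detector is an added example, not 23andMe's code; the log format, event names and thresholds are assumptions, and the log itself is constructed.

```python
from collections import defaultdict

# Constructed sample log (not real 23andMe data): (source_ip, account, event,
# profiles). event is "login_ok", "login_fail" or "relatives_fetch"; profiles
# is the number of DNA Relatives profiles a fetch returned (0 for logins).
SAMPLE_LOG = [
    ("198.51.100.10", "alice", "login_ok", 0),
    ("198.51.100.10", "alice", "relatives_fetch", 25),
    ("198.51.100.22", "bob", "login_fail", 0),
    ("198.51.100.22", "bob", "login_ok", 0),
    ("198.51.100.22", "bob", "relatives_fetch", 40),
]
# One source replaying a leaked credential list against many accounts: most
# attempts fail, two succeed where the password was reused, and one of those
# sessions then pages through relatives far beyond normal browsing.
SAMPLE_LOG += [("203.0.113.5", f"user{i:02d}", "login_fail", 0) for i in range(12)]
SAMPLE_LOG += [("203.0.113.5", "carol", "login_ok", 0),
               ("203.0.113.5", "dave", "login_ok", 0)]
SAMPLE_LOG += [("203.0.113.5", "carol", "relatives_fetch", 100)] * 15


def stuffing_sources(log, min_accounts=5):
    """Source IPs that attempted logins against >= min_accounts distinct
    accounts; a person rarely needs five, a stuffing tool tries thousands."""
    accounts = defaultdict(set)
    for ip, account, event, _ in log:
        if event in ("login_ok", "login_fail"):
            accounts[ip].add(account)
    return {ip: len(a) for ip, a in accounts.items() if len(a) >= min_accounts}


def scraping_accounts(log, max_profiles=500):
    """Accounts whose DNA Relatives fetches returned more than max_profiles
    profiles in total, i.e. bulk collection of other users' opt-in data."""
    totals = defaultdict(int)
    for _, account, event, profiles in log:
        if event == "relatives_fetch":
            totals[account] += profiles
    return {acct: n for acct, n in totals.items() if n > max_profiles}


def compromised_via_stuffing(log, min_accounts=5):
    """Accounts that logged in successfully from a flagged stuffing source:
    the ones to force a password reset on and whose sessions to revoke."""
    bad_ips = stuffing_sources(log, min_accounts)
    return sorted({acct for ip, acct, event, _ in log
                   if ip in bad_ips and event == "login_ok"})
```

The first signal fires on the failed attempts alone, so it catches the campaign even before any reused password works; the second catches a compromised session regardless of how the login happened.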
Asked for comment, a 23andMe spokesperson linked Ars to a blog noting that all impacted users are currently being notified. The company has not clarified why it did not disclose these exact numbers when announcing the cyberattack. According to TechCrunch, these new numbers suggest that nearly half of 23andMe’s 14 million users were hacked.
When the hack was first reported, a nonprofit dedicated to defending online privacy, the Electronic Frontier Foundation (EFF), reported that “there are no federal laws that clearly protect users of online genetic testing sites like 23andMe.” While 23andMe recommended that all users strengthen their passwords, EFF went one step further and suggested that users consider disabling the DNA Relatives feature, especially if they’re not actively using it. EFF also provided a tutorial for users preparing to download their 23andMe data and delete their accounts.
To entice users to stick around, 23andMe has also worked to enhance account security since the breach, its blog said.
“We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” the blog said. “The company will continue to invest in protecting our systems and data.”
23andMe says that its investigation has concluded, but it appears its troubles have only begun. The popular DNA testing site told the SEC that it expects to spend $1 million to $2 million responding to the incident through the end of the fiscal year. 23andMe also reported that it’s defending against multiple class-action lawsuits filed in US federal and state courts, as well as courts in British Columbia and Ontario, Canada. Consumers in California have also filed complaints under the California Consumer Privacy Act, and various governmental officials and agencies have made inquiries.
“The full scope of the costs and related impacts of this incident and related litigation, including, without limitation, the availability of insurance to offset some of these costs, cannot be estimated at this time,” the SEC filing said.