Hackers Obtained Access to Millions of 23andMe Profiles, Company Says

Madeline Leesman | December 05, 2023 12:15 PM

Millions of users of the genetic testing company 23andMe had their personal information stolen by hackers, the company announced this month.

In a U.S. Security and Exchange Commission disclosure dated December 1, 23andMe explained that on Oct. 1, a “threat actor” posted online that they had obtained users’ profile information (via SEC.gov):

Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available
[...]
The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.

According to multiple outlets, an estimated 6.9 million users were impacted in the breach. Reportedly, it began as thousands of users had their accounts hacked because their usernames and passwords corresponded with those on other websites that were compromised. From that point, about 5.5 million users had their data accessed from the company’s DNA Relatives feature. An additional 1.4 million users had their data breached through “family tree” profiles, a company spokesperson told The Hill.