#6.9 million users of 23andMe had personal information stolen by hackers

An estimated 6.9 million users of the genetic testing company 23andMe had their personal information stolen by hackers in a recent data breach, a company spokesperson confirmed to The Hill on Monday.

A spokesperson for 23andMe told The Hill an estimated 5.5 million users had their data accessed from the company’s DNA Relatives feature, which helps users find and connect with family relatives who also have the feature enabled.

Hackers also breached the data of an additional 1.4 million people’s family tree profiles, which includes a variety of identifying information about the user, the spokesperson said.

TechCrunch first reported the estimated 6.9 million users impacted in the breach.

23andMe first announced the data breach in early October and said both third-party forensic experts and federal law enforcement officials were assisting in the investigation.

Last Friday, the company said the investigation was complete, and filed findings with the U.S. Securities and Exchange Commission.

In the findings, the company said hackers were able to access 0.1 percent of the company’s user data, which the company called a “very small percentage.” The spokesperson confirmed Monday this equals about 14,000 users.

Hackers were able to access accounts in instances where usernames and passwords that were used on the 23andMe website matched those used on other websites that were previously compromised, according to the spokesperson.

The spokesperson added the hackers used this information to access the DNA Relatives profile files and Family Tree profile information.

“We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson noted.

The company last Friday said it has “taken steps” to protect user data, including asking existing consumers to reset their password and enforcing a two-step verification method for both new and existing users.

Following 23andMe’s initial announcement of the data breach in October, Connecticut State Attorney General William Tong requested additional information on the incident, which he alleged targeted the data of individuals with Ashkenazi Jewish and Chinese heritage.

Tong claimed the hack led to the sale of at least one million data profiles with Ashkenazi Jewish heritage on the illegal market and that another leak exposed data related to hundreds of thousands of people with Chinese ancestry.

At the time, a 23andMe spokesperson told The Hill its investigation suggested “threat actors were able to access certain accounts in instances where users recycled login credentials.”

The Hill reached out the Connecticut state attorney general’s office and 23andMe for an update on Tong’s inquiry.