Hackers accessed the personal data of millions of people who used services from the23andMe in October, the company confirmed Monday.
When did 23andMe know about the hack?
The company launched an investigation in October after a "threat actor" claimed online to have 23andMe users' profile information.
A spokesperson at the time said the company believed threat actors targeted the accounts of 23andMe users who had reused usernames and passwords from other sites that had been hacked. The spokesperson didn't reveal how many people had been impacted by the hack.
On Friday, the company acknowledged in a filing with the Securities and Exchange Commission that the hacker accessed 0.1% of 23andMe's user accounts.
While the hacker only accessed about 14,000 accounts through the attack, a feature on 23andMe allows users to see information about possible relatives, a company spokesperson said. By exploiting this feature, the hacker was able to view the information of millions of users.
A 23andMe spokesperson on Monday clarified that about 5.5 million customers had their "DNA Relatives" profiles accessed in an unauthorized manner. The profiles contain information such as display names, predicted relationships with others and the DNA percentages the user shares with matches.
Additionally, about 1.4 million customers participating in the Relatives feature had their "Family Tree" profile information accessed, which 23andMe describes as a limited subset of the Relatives profile data.
As of Friday, 23andMe said it was still in the process of notifying affected customers. The company is now requiring existing customers to reset their passwords and enable two-step verification.
The company said it believes "threat actor activity is contained."
What is 23andMe?
The company analyzes people's DNA from saliva samples provided by customers. The company produces reports about the customers' DNA that includes information about their ancestry and genetic health risks.
for more features.