A hacker gained access to the personal information of millions of 23andMe users, including some DNA information, the South San Francisco-based company confirmed to SFGATE on Tuesday.
Initially, the hacker broke into 14,000 accounts with usernames and passwords compromised elsewhere on the web, company spokesperson Scott Hadly said. But thanks to 23andMe’s “DNA Relative” tool, which lets users connect with genetic relatives, the hacker was able to see private information from 6.9 million profiles that was shared with those original accounts, according to Hadly.
The extent of the hack was first reported by TechCrunch on Monday, after 23andMe initially announced in October that its user data had been compromised.
Of the 6.9 million affected profiles, Hadly said 5.5 million are DNA Relative profiles. Through a compromised account, the hacker could see another user’s display name, how recently they logged into their account and the percentage of DNA shared with their genetic matches. Hadly said the visible data, for some accounts, also included ancestry reports, lists of matching DNA segments, ancestor birth locations, ZIP codes and profile photos.
The other 1.4 million accounts coughed up less information, Hadly said, but the hacker still could see users’ display names and “relationship labels,” as well as birth years and self-reported location information for some.
In May, 23andMe told investors that its user base had grown to “14 million genotyped customers.” The company’s genetic tests are known for linking users to distant relatives and showing people what parts of the world their ancestors lived in, but that web of genetic connections appears to have been exactly what made the site susceptible to the larger hack after the original break-in.
“We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” Hadly said. Instead, the company blames “credential stuffing,” where usernames and passwords leaked in a separate breach are used to break into another platform.
“We are in the process of notifying affected customers,” he added, “and have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers.”
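Credential stuffing leaves a recognisable trace in login logs: one source trying a single password against many different accounts, with most attempts failing. The following detector is an added illustration written for this article, not code from 23andMe; the log format, thresholds and sample lines are constructed assumptions. It flags such sources and lists the accounts that did log in successfully from them, which are the accounts a defender would force to reset their password and enrol in two-step verification, as the company describes doing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines; the format is an assumption, not 23andMe's own logs.
# 203.0.113.7 tries one password per account across many accounts (the stuffing signature);
# 198.51.100.9 is a user mistyping their own password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-10-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-10-01T10:00:03Z src=203.0.113.7 user=carol result=OK
2023-10-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2023-10-01T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2023-10-01T10:00:06Z src=203.0.113.7 user=frank result=OK
2023-10-01T10:05:00Z src=198.51.100.9 user=ivan result=FAIL
2023-10-01T10:05:30Z src=198.51.100.9 user=ivan result=OK
2023-10-01T10:09:00Z src=192.0.2.44 user=judy result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(log_text):
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # malformed lines are skipped
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_ok_ratio=0.5):
    """Flag sources that hit >= min_users distinct accounts inside `window` with a low success
    ratio; return {src: sorted accounts that logged in OK from it} so they can be reset."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            ok = sum(e["result"] == "OK" for e in chunk)
            if len(users) >= min_users and ok / len(chunk) <= max_ok_ratio:
                flagged[src] = sorted({e["user"] for e in evs if e["result"] == "OK"})
                break
    return flagged
```

A genuine user retrying a forgotten password touches one account, so the distinct-user threshold is what separates them from a stuffing source; tune `window` and `min_users` to the site's real login volume.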
Wired and TechCrunch reported in October that hackers were posting claims that they had stolen huge swaths of 23andMe user information on a popular hacking forum. One hacker, Wired reported, posted a data sample claiming it contained a million data points about Ashkenazi Jews and then, a few days later, said they were selling 23andMe profiles for $1 to $10 each.
Such information could help scammers find family connections, or supply fraudsters with information for identity theft.
This story has been updated.
Hear of anything happening at 23andMe or another tech company? Contact tech reporter Stephen Council securely at [email protected] or on Signal at 628-204-5452.