23andMe, the ancestry and genetics company, acknowledged on Monday that approximately 14,000 accounts were compromised by “threat actors,” resulting in unauthorized access to the ancestry data of 6.9 million individuals. The breach, first reported by TechCrunch, occurred as hackers exploited reused usernames and passwords obtained from other compromised websites.
While the company initially disclosed the incident in October, the extent of the compromised data was not detailed until now. The accessed information encompasses personal and family details, including DNA-related data such as DNA relatives’ profile information, ancestry reports, and matching DNA segments. Additionally, family tree information, display names, relationship labels, birth years, and self-reported locations were among the compromised data.
In a blog post from October, 23andMe reported the breach but refrained from specifying the extent of the compromised data. The company said that it had launched an investigation into the matter.
23andMe emphasized that there is no evidence suggesting a breach or data security incident within its systems. The compromised accounts constitute approximately 0.1% of the company’s user base, as indicated in a recent filing with the Securities and Exchange Commission.
According to the company, the breach affected 5.5 million users who had opted into the “Relatives” feature, which connects individuals who share DNA. An additional 1.4 million users had their family tree information accessed during the incident.