In a major security breach, genetic testing company 23andMe confirmed that hackers accessed personal information from approximately 6.9 million users. The breach, which affected over half of its customer base, was not a direct attack on the company but rather a result of cybercriminals utilising old passwords from other breaches to gain unauthorised access.
While 23andMe gave assurances that DNA records were not compromised, the stolen data includes sensitive details such as family trees, birth years, geographic locations, and more. The hackers, who infiltrated about 14,000 individual accounts using exposed email and password details, went on to access a significant number of files containing profile information about other users’ ancestry.
The stolen information includes names, relationships, birth years, addresses, and even pictures. The breach also allowed hackers to download data related to the DNA Relatives feature, affecting approximately 1.4 million customers. This feature displays family tree profile information, including names and relationship labels.
Although one set of data was advertised on a hacking forum as a list of people with Jewish ancestry, there is currently no evidence that the stolen datasets have been sold or misused. 23andMe is now in the process of notifying all affected customers as mandated by law. In response to the breach, the company is requiring password changes for impacted users and urging them to enhance their account security, emphasising the critical need for robust cybersecurity measures to safeguard sensitive genetic and personal information.