Genetic testing company 23andMe disclosed late Saturday that its recent data breach impacted significantly more customers than previously reported, according to a recent TechCrunch report. Originally stating that the breach compromised the personal data of only 14,000 individuals, 23andMe has now confirmed that nearly 7 million customers were impacted.
In an email to TechCrunch, 23andMe spokesperson Katie Watson stated that in addition to the 14,000 direct account breaches, the hackers could access profile information for 5.5 million customers who used the DNA Relatives feature. This feature lets people connect and share ancestry information with genetic relatives in the 23andMe database. Due to the interconnected nature of this service, the data exposed included names, birth years, relationship labels, percentage of shared DNA, ancestry reports, and self-reported locations.
Additionally, Watson confirmed that profile data was accessed for another 1.4 million DNA Relatives users, including display names, relationship labels, birth years, locations, and sharing preferences. Combined with the 14,000 known direct account breaches, 23andMe now acknowledges that personal information was obtained for over 6.9 million individuals – nearly half of its total reported customer base.
Why were these numbers not reported at first?
The company has not clarified why these significantly higher numbers were not reported initially when it first disclosed the breach in early October. At that time, a hacker posted stolen 23andMe customer data on a hacking forum as proof of the breach. TechCrunch’s analysis found that some of the published records matched with public genetic data, suggesting authenticity.
23andMe maintains that the breach was enabled by customers reusing passwords compromised in other security incidents. By logging in with common, previously breached passwords (a credential-stuffing attack), the hackers gained access to individual accounts and then used the connections within the DNA Relatives network to collect information about those users' relatives as well.
The relative-matching feature is what turned a few thousand compromised accounts into exposure for millions of people.
Security experts emphasize the importance of using unique passwords across different accounts and enabling multi-factor authentication whenever possible. 23andMe stated it has implemented additional protections going forward, but the sensitive personal information of millions has already been exposed.
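The two defensive controls the article points to, spotting the credential-stuffing pattern (one source trying many accounts with a high failure rate, then harvesting whatever succeeds) and refusing passwords already known from other breaches, can both be exercised in a few lines. The following is an added example, not code from 23andMe or TechCrunch; the log format, the sample log lines, the breached-password list and the thresholds are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection and breached-password screening.

Added example, not code from 23andMe or TechCrunch. The log format
(timestamp, source IP, account, outcome), the sample lines, the
breached-password list and the thresholds are constructed assumptions.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log. One source (203.0.113.7) tries
# eight different accounts and succeeds on two; another source is an
# ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T12:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T12:00:06Z 203.0.113.7 frank@example.com OK
2023-10-01T12:00:07Z 203.0.113.7 grace@example.com FAIL
2023-10-01T12:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T12:05:00Z 198.51.100.2 alice@example.com FAIL
2023-10-01T12:05:30Z 198.51.100.2 alice@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used by the detector."""
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that logged in


def parse_auth_log(text):
    """Aggregate login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, ip, account, outcome = line.split()
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if outcome == "OK":
            s.successes.add(account)
        else:
            s.failures += 1
    return dict(stats)


def detect_credential_stuffing(stats, min_accounts=5, min_fail_ratio=0.5):
    """Flag sources that spray many accounts with a high failure rate.

    Returns a list of (ip, accounts_that_succeeded) so responders know
    which accounts to force-reset and review for downstream data access,
    such as relative-matching views. Thresholds are assumptions.
    """
    flagged = []
    for ip, s in sorted(stats.items()):
        if len(s.accounts) < min_accounts:
            continue  # too few accounts to look like spraying
        if s.failures / s.attempts < min_fail_ratio:
            continue  # mostly successful: not a guessing pattern
        flagged.append((ip, sorted(s.successes)))
    return flagged


def sha1_hex(password):
    """SHA-1 is used here only as a lookup key, the usual form breached-
    password corpora are distributed in; it is not a password-storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a breached-password corpus.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Summer2023!", "password1", "qwerty123")}


def is_breached_password(candidate, breached=BREACHED_SHA1):
    """Reject a new password that already appears in a breach corpus,
    which blocks the password-reuse path described in the article."""
    return sha1_hex(candidate) in breached


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)):
        print(f"credential stuffing from {ip}; compromised: {accounts}")
    print("Summer2023! breached:", is_breached_password("Summer2023!"))
```

In production the per-source view should be joined with per-account signals (a single account seeing logins from a new device or region) and the breached-password lookup should go against a real corpus; enforcing multi-factor authentication removes most of the value of a reused password even when both checks miss.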
Featured Image Credit: GoogleDeepMind; Pexels