“Recycled” passwords implicated in hacking of genetic genealogy site 23andMe

The massive leak was announced last October, but until now it was only a hypothesis. On Tuesday, the genetic genealogy company 23andMe finally confirmed that hackers using “recycled” and stolen passwords had accessed the personal data of 6.9 million of its members.

Although the hackers were only able to access around 14,000 accounts, or 0.1% of accounts on the site, they were able to see information shared with 23andMe by other people, relatives with genetic ties to users, a spokesperson said in response to an AFP query.

“No indication that there was a security breach or incident”

23andMe is notifying affected customers and has increased account security by asking users to reset their password and set up a second authentication method, such as a temporary code sent to a mobile phone, according to the spokesperson.

In early October, 23andMe detected that hackers had hijacked the accounts of users who used the same passwords on several websites, without knowing that their credentials had been compromised elsewhere, the company said. “We have no indication that there has been a data security breach or incident in our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson assured.

Access to DNA parentage profiles

The hackers accessed the “DNA parentage profiles” of 5.5 million accounts, which contained information about genetic matches and could also include dates of birth and locations if users provided them, according to 23andMe.

They were also able to see DNA profile information from 1.4 million accounts that had participated in a “Family Tree” option. 23andMe was founded in 2006 and is based in Mountain View, California, where Google is also headquartered.
