Date: 2023-12-05

The personal information of an estimated 6.9 million users of genetic testing company 23andMe was stolen by hackers in a recent data breach, a company spokesperson confirmed to The Hill on Monday.

A spokesperson for 23andMe told The Hill that data on an estimated 5.5 million users was accessed from the company’s DNA Relatives feature, which helps users find and connect with family relatives who have the feature enabled.

The hackers also breached data from an additional 1.4 million people’s Family Tree profiles, which include a variety of identifying information about the user, the spokesperson said.

TechCrunch first reported that an estimated 6.9 million users were affected by the breach.

23andMe first announced the data breach in early October and said both third-party forensic experts and federal law enforcement officials were assisting in the investigation.

Last Friday, the company said the investigation was complete, and filed findings with the U.S. Securities and Exchange Commission.

In the findings, the company said that hackers were able to access 0.1 percent of the company’s user data, which the company called a “very small percentage.” The spokesperson confirmed on Monday that this amounts to about 14,000 users.

According to the spokesperson, the hackers were able to access accounts in cases where usernames and passwords used on the 23andMe website matched those used on other websites that had previously been compromised.

The hackers used this information to access DNA relatives profile files and family tree profile information, the spokesperson said.

“We have no indication that a breach or data security incident occurred within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said.

The company said last Friday that it had “taken steps” to protect user data, including asking existing consumers to reset their passwords and implementing a two-step verification method for both new and existing users.

Following 23andMe’s initial announcement of the data breach in October, Connecticut State Attorney General William Tong requested additional information on the incident, which he said targeted the data of individuals with Ashkenazi Jewish and Chinese heritage.

Tong claimed that the hack led to the sale of at least one million data profiles with Ashkenazi Jewish heritage on the illegal market and that another leak exposed data belonging to hundreds of thousands of people of Chinese ancestry.

At the time, a spokesperson for 23andMe told The Hill that its investigation showed that “threat actors were able to access some accounts in cases where users recycled login credentials.”

The Hill contacted the Connecticut State Attorney General’s Office and 23andMe for updates on Tong’s inquiry.

Source: thehill.com