Genetic testing company 23andMe has disclosed a hack involving ancestry and health-related information of 6.9 million users.
A hacker was able to gain access to the profile information of roughly 5.5 million users of the site's DNA Relatives (DNAR) feature, as well as that of an additional 1.4 million users of its Family Tree profile feature, a 23andMe spokesperson told Kiplinger in an email.
After learning of a cyber threat on October 1, the company investigated and found that a hacker had gained access to about 14,000 accounts. Those accounts belonged to users who reused on 23andMe the same usernames and passwords they had used on other websites that were previously compromised or whose credentials were otherwise available, according to a Securities and Exchange Commission filing.
With access to the 14,000 accounts, the hacker was able to obtain information from the DNAR profiles visible to those accounts. This includes display names, how recently the user logged into their account, their relationship labels and predicted relationships, and the percentage of DNA shared with their DNA relative matches. It may also include ancestry reports and matching DNA segments, self-reported locations including city and zip code, ancestor birth locations and family names, profile pictures, birth years, a weblink to a family tree, and anything the user wrote in the “introduce yourself” section of their profile.
Information in the Family Tree profiles includes display names and relationship labels, and may include birth years and self-reported locations.
“We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” the spokesperson said. “The company will continue to invest in protecting our systems and data.”
What to do if you’ve been hacked
As required by law, 23andMe is in the process of notifying affected users, the company said in a December 1 blog post. 23andMe recommends following the blog for updates as its investigation continues.
The company also encourages its customers to take action to keep their accounts and passwords secure. It recommends taking these specific steps:
- Change your password: Because the hack resulted from users reusing the same usernames and passwords across multiple sites, create a new password that is unique to 23andMe.
- Set up two-factor authentication: Existing customers will receive an email containing instructions on setting up two-factor authentication and new users will be automatically enrolled.
If you are or become a victim of a data breach, taking action within the first 48 hours can make a big difference in protecting your information, experts say.