Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Kiplinger
Kiplinger
Business
Joey Solitro

23andMe Data Breach Affects 6.9 Million Users

Stealing a credit card through a laptop concept for computer hacker, network security and electronic banking security.

Genetic testing company 23andMe has disclosed a hack involving ancestry and health-related information of 6.9 million users.

A hacker was able gain access to roughly 5.5 million users of the site's DNA Relatives (DNAR) feature as well as an additional 1.4 million users who use its Family Tree profile feature, a 23andMe spokesperson told Kiplinger in an email.

After learning of a cyber threat on October 1, the company investigated and found that a hacker had gained access to about 14,000 accounts of users who used the same usernames and passwords that they used on other websites that were previously compromised or were otherwise available, according to a Securities and Exchange Commission filing.

With access to the 14,000 accounts, the hacker was able obtain information within DNAR profiles. This includes display names, how recently the user logged into their account, their relationship labels and predicted relationships and the percentage of DNA shared with their DNA relative matches. It may also include ancestry reports and matching DNA segments, self-reported locations including city and zip code, ancestor birth locations and family names, profile pictures, birth years, a weblink to a family tree, and anything the user wrote in the “introduce yourself” section of their profiles. 

Information in the Family Tree profiles includes display names and relationship labels, and may include birth years and self-reported locations.

“We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” the spokesperson said. “The company will continue to invest in protecting our systems and data.”

What to do if you’ve been hacked

As required by law, 23andMe is in the process of notifying affected users, the company said in a December 1 blog post. 23andMe recommends following the blog for updates as its investigation continues.

The company also encourages its customers to take action to keep their accounts and passwords secure. It recommends taking these specific steps:

If you are or become a victim of a data breach, taking action within the first 48 hours can make a big difference in protecting your information, experts say.

Related Content

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.