More details are emerging about Genetic testing company 23andMe data leaked First reported in October. But as the company shares more information, the situation becomes murkier, creating greater uncertainty for users trying to understand the consequences.
23andMe said in early October that attackers had penetrated some of its users’ accounts and used that access to steal personal data from a larger subset of users through DNA Relatives, the company’s opt-in social sharing service. The company hasn’t shown how many users were affected, but hackers have begun selling data on criminal forums that appears to come from at least 1 million, if not more, 23andMe users. Submit on Fridaythe company said that “threat actors were able to access a small percentage of user accounts (0.1%),” or considering the company’s roughly 14,000 user accounts latest estimate It has more than 14 million customers.
Fourteen thousand people is a lot on its own, but that number doesn’t take into account the users who were affected by attackers stealing data from DNA relatives. The SEC filing noted that the incident also involved “a large number of documents containing only profile information” about the ancestry of other users. “
Monday, 23andMe Confirmed to TechCrunch The attackers collected the personal data of approximately 5.5 million people who opted into DNA Relatives, as well as information on an additional 1.4 million DNA Relatives users “whose family tree profile information was accessed.” 23andMe subsequently shared this expanded information with 23andMe and Wired as well.
From a group of 5.5 million people, hackers stole display names, recent login information, relationship tags, predicted relationships and percentage of DNA shared with DNA relative matches. In some cases, other data about the group was also compromised, including ancestry reports and details about where on the chromosome they and their relatives had matching DNA, self-reported locations, ancestral birthplaces, surnames, and personal data Pictures, birth year, self-created family tree links, and other profile information. A subset of the 1.4 million affected DNA relatives users’ display names and relationship tags were particularly affected, and in some cases, birth year and self-reported location data were also affected.
When asked why this expanded information did not appear in the SEC filing, 23andMe spokesperson Katie Watson told Wired, “We are simply clarifying that the SEC filing contains more specific numbers by providing more specific numbers. Information.”