Hackers, using old passwords from customers of the genetic testing company 23andMe, were able to gain access to personal information from about 6.9 million profiles, which in some cases included ancestry trees, birth years and geographic locations, the company said on Monday.
The hackers, using old passwords that 23andMe customers had used on other sites that had been compromised, were initially able to breach about 14,000 profiles — or 0.1 percent — of 23andMe’s users’ accounts, the company said in the S.E.C. disclosure. The hackers would be able to access anything available on those 14,000 profiles, including health and ancestry information, the company spokeswoman said.
The breach also opened the door to millions of other profiles of customers — about half of all 23andMe customers — who wanted to use 23andMe to connect with those who had close DNA matches, she said. Users could opt in to a feature called DNA Relatives, where they could provide select information to others on 23andMe who might be a close DNA match.
The hackers gained access to information from 5.5 million DNA Relatives profiles, which includes a display name, how recently they logged into their account, percentage of DNA shared with their DNA relatives’ matches and predicted relationship with that person, according to a 23andMe statement.
Also, hackers were able to access the Family Tree profile information of about 1.4 million other customers participating in the DNA Relatives feature, including display names and relationship labels. Information may also include birth year and geographic location if the user chose to share that data, the company said. 23andMe is in the process of notifying all affected customers, as required by law.