Cyberattack On Popular DNA Site, Millions Impacted: What We Know

A cyberattack against a popular DNA ancestry site affected millions of people — not thousands as the company initially said.

SOUTH SAN FRANCISCO, CA — A cyberattack on the popular DNA ancestry site 23andMe affected millions of people beyond the about 14,000 that the company initially said were impacted.

In SEC filings, 23andMe said a cyberattack allowed a threat actor to download certain user profile information from individual user accounts. On Oct. 1, the thief posted online that they had the profile information.

The company, based in South San Francisco, investigated and determined that the threat actor accessed a "very small percentage (0.1%) of user accounts," the filing said. That percentage would amount to about 14,000 people out of its approximately 14 million customers.

Those accounts were accessed in what's known as a credential stuffing cyberattack, the company said. In such an attack, usernames and passwords stolen in earlier compromises of other sites are successfully reused on a second site. The 14,000 accounts had personal data accessed, the company said.

The stolen information varied by user account, and "generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics." The attacker also posted online "a significant number of files containing profile information about other users’ ancestry" that such users share when opting into the company's DNA Relatives feature.

"We are working to remove this information from the public domain," the company said, adding that it also was taking certain steps to further protect user data, such as requiring all users to reset their passwords, and later requiring all new and existing users to log in using two-step verification.

On Saturday, TechCrunch first reported the cyberattack also affected millions of accounts beyond the initial 14,000 announced by the company.

23andMe confirmed to Patch Monday afternoon that the threat actor used the credential-stuffed accounts to access roughly 5.5 million DNA Relatives profile files. Additionally, roughly 1.4 million customers participating in the DNA Relatives feature had their Family Tree profile information accessed, which the company said is a limited subset of the DNA Relatives profile information.

Data in the DNA Relatives profiles includes the user's display name, how recently they logged into their account, their relationship labels, and their predicted relationship and percentage DNA shared with their DNA Relatives matches.

Data accessed in the Family Tree profiles included display name and relationship labels, and could include certain information the user chose to share, such as birth year and self-reported location (city/zip code) information. The Family Tree feature does not include the percentage DNA shared with their DNA Relatives matches, ancestry reports or matching DNA segment information.
