Hackers have accessed the personal data of nearly 7 million 23andMe users, the biotechnology company has confirmed.
23andMe had previously said in a Securities and Exchange Commission filing dated Friday that it had concluded an investigation, launched in coordination with third-party forensics experts, into an online claim made on Oct. 1 by hackers who said they had accessed user data from the platform.
The probe found that hackers accessed “a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available,” the company said.
The filing also mentioned that hackers “accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online,” but it did not specify the number of people affected.
The company added that it is in the process of removing that information from the public domain and believes “the threat actor activity is contained.”
It has, however, since come to light that the hackers accessed the personal information of nearly half of the company’s total number of users.
A 23andMe spokesperson said hackers obtained roughly 5.5 million DNA Relatives profile files, which include a user’s display name, the percentage of DNA shared with their DNA relative matches and relationship labels, among other things.
The actor also reportedly stole the Family Tree profile information of another 1.4 million users who opted into the DNA Relatives feature, including their display names, relationship labels as well as birth year and self-reported location if the user chose to share that information.
“Of note, we do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” a spokesperson for the company told HuffPost.
The company said it is working to notify everyone impacted by the hack as required by law.
“We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” they said in a note posted on their website Friday. “The company will continue to invest in protecting our systems and data.”