Hackers stole ancestry and personal data from nearly half of 23andMe's customers, according to updated numbers Monday after the company first disclosed the breach in early October. File photo by Christopher Schirner/Flickr
Dec. 4 (UPI) -- Hackers stole ancestry and personal data from 6.9 million customers of genetic testing lab 23andMe, according to updated numbers Monday after the company first disclosed the data breach in early October.
The disclosed leak, which compromised ancestry reports, DNA data, birthdates, locations and profile photos, affected nearly half of all of 23andMe's 14 million customers. In early October, 23andMe said hackers had accessed the personal data of about 14,000 customers, or 0.1% of its users.
The breach was first discovered in October when the data of one million users of Jewish Ashkenazi descent, as well as 100,000 Chinese users, was posted for sale on a well-known hacking forum. The alleged records of an additional four million people were posted for sale two weeks later, according to TechCrunch, which first reported the breach.
According to 23andMe, the data breach was caused by customers reusing passwords which allowed hackers to take advantage of passwords released in other companies' data breaches. The leak spread to millions of other users, because the DNA Relatives feature provides both the information of the account holder and all of their relatives.
"We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks," a company spokesperson said.
In response, 23andMe is requiring all users to reset their passwords and to enroll in two-factor authentication which uses both a password and verification on another device. While the company had encouraged customers to protect their accounts with a multi-factor authentication system in 2019, it was not a requirement.
According to a Securities and Exchange Commission filing, dated Oct. 10 and updated Saturday, 23andMe said it expects to lose between $1 million and $2 million in "onetime expenses" related to the breach.