Set up in 2006, 23andMe develops at-home DNA testing kits. Now, nearly half of its user base has been affected by a recent data breach.
Hackers stole personal ancestry data of 6.9m people who had used the 23andMe genetic testing service, the US company has confirmed to media outlets.
Dating back to October, the data breach included ancestry reports, DNA data, birth dates and health-related information based on genetics for some users.
“The threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online,” the company wrote in an October filing.
“We are working to remove this information from the public domain. As of the filing date of this amendment, the company believes that the threat actor activity is contained.”
While the number of users affected was not revealed initially, it has now emerged that nearly 7m people’s data has been breached as a result of the hack, a spokesperson told TechCrunch over the weekend. 23andMe has around 14m users in total.
Set up in 2006, 23andMe develops at-home DNA testing kits and has been one of the companies at the forefront of this sector.
In 2021, 23andMe went public on the Nasdaq by merging with a special purpose acquisition company set up by Virgin’s Richard Branson. It raised nearly $600m in its stock market debut at a $3.5bn valuation.
A spokesperson for the California-headquartered company told media outlets that hackers were able to gain access to the data through a small number of customers reusing passwords that were compromised through separate breaches on other websites.
Javvad Malik, lead security awareness advocate at KnowBe4, said that the data breach is a “sobering reminder” of the sensitivity of genetic data and the need for “robust” cybersecurity measures.
“The data accessed is not just a collection of email addresses or passwords, but intimate details of an individual’s genetic make-up – information that could have serious implications for privacy and could potentially be misused,” he said.
“It’s concerning to see that only 0.1pc of the customer base was affected, but due to the nature of the service, this apparently small percentage has a ripple effect, as the DNA Relatives feature extends the impact of the breach far beyond the initial accounts compromised.”
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.