23andMe, a genetic testing company, revealed in an announcement on Friday, December 1, 2023, that hackers had accessed the personal ancestry data of 14,000 people (0.1% of its customers) in the infamous hacking incident in October. However, an e-mail sent by the company to TechCrunch on Saturday confirmed that the data of a whopping 6.9 million customers was breached.
Genetic testing companies use different DNA test kits to determine lineage through DNA. The most common is a saliva collection kit, which is mailed back to the company's lab once the sample has been taken. Some of the leaked 23andMe data included individuals' names, dates of birth, geographical locations, and relationship labels.
According to the 23andMe website, a customer's lineage composition is determined by comparing the customer's genome with those of "over 14,000 people with known ancestry". When a segment of the user's DNA matches "one of the 47 populations", the ancestry is assigned to the corresponding segment of DNA.
"We calculate the ancestry for individual segments of your genome separately, then add them together to compute your overall ancestry composition," the website states.
6.9 million 23andMe customers had their ancestry data breached
The 23andMe hacking incident in October 2023 led to a massive leak of personal information belonging to customers of the popular genetic testing company. According to a company revelation on Friday, the hacking affected 0.1% of its customer base, around 14,000 individuals out of its 14 million customers. However, the company mentioned that certain “other users” were also affected.
As TechCrunch reported, the company specified that by accessing the personal information and ancestry data of those 14,000 customers, “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature” were breached. This feature allows the automatic sharing of an individual’s lineage data with others.
In a separate e-mail to TechCrunch on Saturday, December 9, 23andMe revealed that 6.9 million individuals were affected by the data breach. This included 5.5 million people who used the company's DNA Relatives feature. The data stolen from these people included their name, date of birth, geographical location, relationship labels, ancestry reports, and even the amount of DNA shared with relatives.
An additional 1.5 million users who used the DNA Relatives feature had their data stolen through a breach of their "Family Tree profile." The Family Tree profile breach exposed all the aforementioned personal information, as well as information on whether the individual decided to share the data.
According to the company, the 14,000 accounts were compromised because customers were reusing their passwords and usernames. These reused credentials may have been obtained through breaches at other companies and then used to brute-force into customer accounts, a technique known as credential stuffing.
The stolen data allegedly surfaced on a black hat crime forum known as BreachForums in early October. The hacker, who claimed to have all the data, reportedly released the personal data of one million people of Ashkenazi Jewish descent along with that of 100,000 Chinese people.
Wired reported that the hacker set an asking price of $1 to $10 for individual data. Later, the data of 4 million people was released on the forum. According to the outlet, the hacker claimed that the data contained information regarding the "wealthiest people" from the United States and Western Europe.
TechCrunch revealed that another hacker had advertised the 23andMe data in another forum. On analyzing the data, TechCrunch found that some of the data was from records published by hobbyists and genealogists. However, a part of it was allegedly unique user data from the 23andMe hacks.