Thu | Dec 7, 2023 | 11:03 AM PST

New revelations have shed light on the extensive fallout of the 23andMe data breach, which has exposed the personal information of a staggering 6.9 million users.

This significant update comes almost two months after the genetic testing company initially reported a breach affecting 14,000 individuals. The SEC filing accompanying these recent developments reveals critical information about the breach's scope, underlining the severity of the situation.

The breach targeted users who had opted into 23andMe's DNA Relatives feature, TechCrunch reports. Among the impacted individuals:

  • Around 5.5 million people had their personal information accessed, including names, birth years, relationship labels, DNA sharing percentages, ancestry reports, and self-reported locations.
  • An additional 1.4 million users had their Family Tree profile information compromised, which included display names, relationship labels, birth years, self-reported locations, and their decision to share information.

With this latest revelation, the breach is now known to affect approximately half of 23andMe's reported 14 million customers.

The breach was initially disclosed in early October when a hacker claimed to have stolen DNA information, particularly targeting users of Jewish Ashkenazi descent and Chinese origin. The hacker's activities included publishing alleged data on a well-known hacking forum and seeking buyers for the compromised information.

23andMe attributed the breach to customers reusing passwords, allowing hackers to exploit publicly known passwords from other data breaches. This method enabled the attackers to brute-force their way into victims' accounts.

[RELATED: Websites Should Prevent Using Leaked Passwords]

TechCrunch's investigation revealed that some of the leaked data matched genetic information previously published by hobbyists and genealogists. This finding suggests that at least part of the compromised data is authentic 23andMe customer information.

The impact was further magnified by 23andMe's DNA Relatives feature, which allowed hackers, by accessing one individual account, to gain access to the personal data of both the account holder and their relatives.

The scale of this breach raises serious concerns about the security of genetic and personal data entrusted to companies like 23andMe. The revelations may have profound legal implications, especially in the context of the ongoing class action lawsuits filed against the company.

As investigations continue, affected users grapple with compromised information, highlighting the urgent need for genetic data companies to strengthen cybersecurity measures. 

Follow SecureWorld News for more stories related to cybersecurity and data privacy.