Details are emerging about a data breach at genetic testing company 23andMe, first reported in October. The situation is growing murkier, causing greater uncertainty for users. Initially, 23andMe reported that attackers accessed some user accounts and used this to scrape data from a larger group through the DNA Relatives social sharing service. In a recent SEC filing, the company disclosed that the threat actor accessed approximately 0.1% of user accounts, translating to around 14,000 users out of the 14 million customer base.
However, this figure didn’t account for users impacted by the data-scraping from DNA Relatives. Further clarification revealed that the attackers collected personal data from about 5.5 million people who had opted into DNA Relatives and information from an additional 1.4 million users whose Family Tree profile data was accessed. The evolving nature of the breach underscores the challenges in accurately gauging the scope of the incident, leaving users with increasing uncertainty about the impact on their data.
From the group of 5.5 million people, hackers stole display names, most recent login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches.
In some cases, this group also had other data compromised, including ancestry reports and details about where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, links to self-created family trees, and other profile information. Details are emerging
The smaller (but still massive) subset of 1.4 million impacted DNA Relatives users all had data compromised from the aforementioned specific profile known as “Family Tree.” The stolen data included display names and relationship labels and, in some cases, birth years and self-reported location data.