(CNN) — A hacker or hackers have accessed nearly seven million profiles of 23andMe customers, a spokesperson for the genetic testing firm told CNN on Tuesday, including in some cases users’ ancestry reports, zip codes and birth years.
A Friday filing from 23andMe to the Securities and Exchange Commission said that about 0.1% of the company’s user accounts, or roughly 14,000, had their accounts breached by the hackers.
23andMe is standing by that number but is also now telling reporters that the hackers were able to access some 5.5 million profiles that use a company feature called DNA Relatives that allows users to find genetic relatives. In addition, the hackers accessed a subset of family tree information on 1.4 million DNA Relatives profiles, the 23andMe spokesperson said in an emailed statement.
Engadget, a tech news outlet, first reported on the wider impact of the hack.
It’s the latest hack to affect a major US corporation that has impacted far more people than initial news reports suggested. Last month, identity management firm Okta admitted that hackers had stolen data on all users in Okta’s customer support system, after initially reporting in September that less than 1% of more than 18,000 were affected.
In the case of 23andMe, the hackers reused old usernames and passwords from other websites to break into 23andMe customer accounts — a rudimentary but effective technique called credential stuffing.
The 23andMe spokesperson, who declined to be named, did not respond to questions about who carried out the hack.
“23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law,” a statement posted Saturday evening to the company’s website says. “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers.”
The-CNN-Wire
™ & © 2023 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.