Company says it believes breach was the result of customers recycling passwords
DNA-testing company 23andMe confirmed Monday that information about 6.9 million people, about half of its 14 million customers, was accessed illegally.
“Roughly 5.5 million customers had their 23andMe DNA Relatives profile files accessed in an unauthorized manner,” a company spokesperson said in an email to MarketWatch. “Additionally, roughly 1.4 [million] customers participating in the DNA Relatives feature had their Family Tree profile information accessed, which is a limited subset of the DNA Relative profile information.”
The spokesperson added that the company (ticker: ME) has no indication “there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”
The spokesperson continued: “Rather, our investigation indicates threat actors were able to access accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.”
The breach was originally reported by 23andMe in October.