23andMe data breach affected 6.9 million customers

The DNA testing company was hacked by cybercriminals trying to sell its user data online

Users of genetic home-testing company 23andMe are being warned that cybercriminals may have leaked their data after it was confirmed that a recent data breach affected 6.9 million profiles. 

The breach was disclosed in early October when it was thought that only 14,000 profiles were affected. 

Here, we explain how the data was exposed and what to do if you’ve been affected. 

How was 23andMe hacked?

On 1 October 2023, an anonymous person posted on a criminal marketplace, claiming to have 23andMe users’ profile information for sale. Wired.com reported that they were attempting to sell stolen 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. 

A hacker reportedly used old passwords to gain access to private 23andMe profiles.

23andMe said the ‘threat actor was able to access a very small percentage (0.1%) of user accounts’, equivalent to around 14,000 profiles, and this was due to customers using the same passwords on the 23andMe website as those used on other websites that had been previously compromised or were otherwise available. 

It told Which?: ‘We have no indication that there has been a breach or data security incident within our own systems, or that 23andMe was the source of the account credentials used in these attacks.’

What 23andMe data was leaked?

Using the initial 14,000 compromised accounts, the hacker was able to access a significant number of files containing profile information about other users’ ancestry. 23andMe said the hacker accessed roughly 5.5 million DNA Relatives profile files, and that another 1.4 million customers participating in the DNA Relatives feature had their Family Tree profile information accessed.

23andMe shared the following information on what type of data is included in each profile:

  • DNA Relatives Profile: includes display name, how recently they logged into their account, their relationship labels, and their predicted relationship and percentage DNA shared with their DNA Relatives matches. It may also include their ancestry reports and matching DNA segments (specifically where on their chromosomes they and their relative had matching DNA), self-reported location (city/zip code), ancestor birth locations and family names, profile picture, birth year, a weblink to a family tree they created, and anything else they may have included in the ‘Introduce yourself’ section of their profile.
  • Family Tree profile: includes display name, relationship labels, and may include: birth year and self-reported location (city/zip code) information. The Family Tree feature doesn’t include the percentage DNA shared with their DNA Relatives matches, ancestry reports or matching DNA segment information.
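As an added illustration (not 23andMe’s own code; the log format, field names and thresholds are assumptions), here is a defender-side check in Python for the two patterns described above: one source address logging into many accounts with reused credentials, and one account pulling far more DNA Relatives profiles than a genuine user would.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real 23andMe logs); the format is an assumption:
#   "<timestamp> <source ip> login <account>"
#   "<timestamp> <source ip> view_relative <account> <relative profile id>"
SAMPLE_LOG = """
2023-10-01T10:00:01 203.0.113.5 login alice
2023-10-01T10:00:02 203.0.113.5 login bob
2023-10-01T10:00:03 203.0.113.5 login carol
2023-10-01T10:00:10 203.0.113.5 view_relative alice rel-001
2023-10-01T10:00:11 203.0.113.5 view_relative alice rel-002
2023-10-01T10:00:12 203.0.113.5 view_relative alice rel-003
2023-10-01T10:00:13 203.0.113.5 view_relative alice rel-004
2023-10-01T11:30:00 198.51.100.7 login erin
2023-10-01T11:31:00 198.51.100.7 view_relative erin rel-001
2023-10-01T11:32:00 198.51.100.7 view_relative erin rel-001
""".strip().splitlines()

def parse(lines):
    """Yield (timestamp, ip, action, account, target); target is None for logins."""
    for line in lines:
        parts = line.split()
        target = parts[4] if len(parts) > 4 else None
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], target

def ips_logging_into_many_accounts(lines, threshold=3):
    """Credential-stuffing indicator: one source IP authenticating as many different accounts."""
    accounts_by_ip = defaultdict(set)
    for _, ip, action, account, _ in parse(lines):
        if action == "login":
            accounts_by_ip[ip].add(account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= threshold}

def accounts_scraping_relatives(lines, max_distinct=4, window=timedelta(hours=1)):
    """Amplification indicator: one account fetching many distinct relatives' profiles
    within a short window (thresholds are tiny to suit the sample; real ones are far higher)."""
    views = defaultdict(list)
    for ts, _, action, account, target in parse(lines):
        if action == "view_relative":
            views[account].append((ts, target))
    flagged = set()
    for account, events in views.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= max_distinct:
                flagged.add(account)
                break
    return flagged
```

Repeated views of the same relative (erin above) do not count towards the limit; only the number of distinct other users whose data is being read does.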

What action has 23andMe taken?

23andMe said it is notifying affected customers, as required by law.

It now requires all customers to reset their passwords and has encouraged the use of two-factor authentication (2FA).

You can contact customercare@23andme.com if you need help securing your account. 

What should you do when there’s a data breach?

If a company has lost your personal data, there are procedures it must follow. In the UK, the company is obligated by the Data Protection Act 2018 (GDPR) to tell you about the breach without undue delay. 

It should explain to you:

  • the name and contact details of its data protection officer or other contact point that can provide more information
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

You should change login details such as passwords and usernames for other websites or online accounts if they are the same as, or similar to, the ones that have been leaked.

It’s sensible to keep an eye on your bank accounts and credit report over the next few months, reporting anything unusual to your bank immediately. Be wary of unsolicited messages, as scammers use public data breaches as an opportunity to send fake messages, for example about updating your password or receiving compensation.

If you are concerned about how your data has been handled, the Information Commissioner’s Office (ICO) offers advice and support. 

You can also complain and claim compensation if your data is lost and it causes you financial damage or distress.