23andMe hackers accessed ancestry information from thousands of customers and their DNA relatives

An SEC filing has revealed more details on a data breach affecting 23andMe users that was disclosed earlier this fall. The company says its investigation found hackers were able to access information from 0.1 percent of its userbase, or the accounts of about 14,000 of its 14 million total customers, TechCrunch notes. On top of that, the attackers were able to exploit 23andMe’s opt-in DNA Relatives feature to access “profile information about other users’ ancestry.” 23andMe hasn't said how many of these users were affected. Hackers posted information from both groups online.

When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.” According to the new filing, the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” All of this was obtained through a credential-stuffing attack, in which hackers used login information from other, previously compromised websites to access those users’ accounts on other sites. In doing this, the filing says, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.”

Engadget has reached out to 23andMe for comment. Following the discovery of the breach, 23andMe instructed affected users to change their passwords and later rolled out two-factor authentication for all of its customers. In another update on Friday, 23andMe said it had completed the investigation and is notifying everyone who was affected. The company also wrote in the filing that it “believes that the threat actor activity is contained,” and is working to have the publicly-posted information taken down.