Hackers compromised the data of approximately 6.9 million customers of 23andMe, the company acknowledged on Monday.
The findings by the genetic testing company came after an investigation 23andMe launched in October, NBC News reported. The California-based company said that at least one list of data was posted online of people whom the site identified as having Ashkenazi Jewish ancestry.
According to TechCrunch, which first reported the breach, the stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location. For some users, health-related information based on their genetic profiles was also breached, Bloomberg reported.
NBC News reported that the hackers gained access to some customer accounts through reused passwords. The hackers then exploited some 23andMe features that give users significant information about each other.
On Friday, 23andMe announced that hackers had accessed the personal data of approximately 14,000 customers, TechCrunch reported. Company spokesperson Katie Wilson, in an email to the tech website, confirmed that hackers had accessed the personal information of approximately an additional 5.5 million people who had opted-in to 23andMe’s DNA Relatives feature.
DNA Relatives loosens privacy restrictions by allowing customers to automatically share some of their data with other people, NBC News reported.
According to TechCrunch, Wilson said that 23andMe also confirmed that another group of approximately 1.4 million customers who used the DNA Relatives option also “had their Family Tree profile information accessed.”
The data breach potentially affects nearly half of 23andMe’s base of 14 million customers, TechCrunch reported.
In early October, a person claimed to have stolen the DNA information of 23andMe users in a post on a well-known hacking forum, TechCrunch reported. The hacker then allegedly posted the information for sale on the internet earlier this year, according to Bloomberg.
The hacker allegedly asked would-be buyers to pay between $1 and $10 for the data for each individual account, TechCrunch reported. Two weeks later, the poster advertised the alleged records of another 4 million people on the same hacking forum.
In a blog published on Friday, 23andMe said the company has “taken steps to further protect customer data.”
Customers are now required to reset passwords, and two-step verification is now required for all existing and new users.
On Nov. 1, customers for 23andMe rival Ancestry.com received an email notice that they will begin requiring two-step authentication during the sign-in process.
In a previous blog post on Oct. 20, 23andMe announced that it had temporarily disabled some of the features within the DNA Relatives tool “as an additional precaution to protect the privacy of our customers.”
Officials at 23andMe do not expect a major financial fallout from the incident, NBC News reported. In a Securities and Exchange Commission filing about the breach that was updated on Saturday, the company said it only expects to lose between $1million and $2 million in “one-time expenses related to the incident.”
“The company will continue to invest in protecting our systems and data,” the 23andMe blog post stated on Friday.