Genetic testing firm 23andMe confirmed Monday that hackers were able to access the data of 6.9 million users, about half the company’s customer base.
The California-based company said hackers accessed 5.5 million profiles that were using a feature called DNA Relatives, which allows people to find genetic relatives. Hackers were also able to access family tree information from another 1.4 million DNA Relatives profiles.
In some cases, the hackers gained access to users’ ancestry reports, zip codes, and birth years, 23andMe said.
“23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law,” the company said in a statement posted Saturday evening to 23andMe’s website.
“We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” the company said.
Last week, 23andMe said hackers had accessed data from about 14,000 users or 0.1% of its customers.
In order to pull off the data breach, the hackers reused old usernames and passwords from other websites that had already been compromised, a tactic known as credential stuffing.
“We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” a company spokesperson told Fox Business.
The company also said on Monday that it has not learned of “any reports of inappropriate use of the data after the leak.”
In October, profile information from 23andMe customers reportedly started showing up on a dark web forum used by hackers.
The company is currently working on notifying all customers who were affected by the breach, as required by law, although the timeline for when everyone will have been notified is not clear.
CLICK HERE TO GET THE DAILYWIRE+ APP
Critics have warned against providing such personal information to companies, saying it can always be stolen.
“Should we be providing data that is so personal and so intimate to an organization that, largely speaking, only has a strong allegiance to their investors and their boards?” Ramesh Srinivasan, a professor at the University of California, Los Angeles department of information studies, remarked to The New York Times.
23andMe is not the first firm to have a major data breach.
Last month, Okta, an identity management firm, admitted that a data breach was worse than expected. Hackers likely stole data from all recent users of Okta’s Help Center service, the company said.