This article was last updated on December 5, 2023
The data of 6.9 million people was leaked during a hack of an American commercial DNA database. The company, 23andMe, confirmed this to The Verge. Previously, far fewer victims had been reported.
At 23andMe, people can have their DNA tested for kinship or hereditary diseases. The company’s tests are also available outside the US, including in the Netherlands. The Dutch Data Protection Authority has not yet received any reports that data from Dutch people has been leaked, but a spokesperson emphasizes that the investigation in the US is still ongoing.
The hackers struck at the beginning of October, but only now is it clear on what scale data was stolen. The company has confirmed that user data has been put up for sale on the dark web in recent months.
23andMe provided more information a few days ago in a letter to the American stock exchange watchdog SEC, but at that time the amount of stolen data reported was much smaller.
In the statement, 23andMe writes that this concerns information about the family tree, but in some cases also health information based on the DNA analysis of users.
Using information from other hacks – often involving reused passwords – the perpetrators had managed to log in to the accounts of 14,000 users. That’s about 0.1 percent of 23andMe’s total customer base.
However, it now appears that it does not end there. With those 14,000 accounts, the attackers could use the ‘DNA Relatives’ function, a way to trace (distant) relatives. This way they could access the information of millions of other users.
23andMe says it is still in the process of notifying all affected people about the leak. The company also warns users to change their passwords. Two-step verification is now also mandatory. That was only an option until now.